Add OS_CACERT to userrc_early and ensure SERVICE_HOST is SAN

OS_CACERT was being added directly to the environment rather
than userrc_early. This caused an untrusted CA error to be
thrown.

Ensure that SERVICE_HOST is in the Subject Alt. Names of the
issued TLS server cert. The gate sets it to 127.0.0.1 which
wasn't being handled. Only the FQDN of the host and actual
IP address of the machine were being added.

Change-Id: I8a91dffe1a5263d2bcc99ea406a8556045b52be2
Rob Crittenden 2016-03-24 18:09:22 -04:00
parent 11b111fd7a
commit be00e95da5
2 changed files with 12 additions and 4 deletions


@ -257,6 +257,14 @@ function make_cert {
local common_name=$3 local common_name=$3
local alt_names=$4 local alt_names=$4
if [ "$common_name" != "$SERVICE_HOST" ]; then
if [[ -z "$alt_names" ]]; then
alt_names="DNS:$SERVICE_HOST"
else
alt_names="$alt_names,DNS:$SERVICE_HOST"
fi
fi
# Only generate the certificate if it doesn't exist yet on the disk # Only generate the certificate if it doesn't exist yet on the disk
if [ ! -r "$ca_dir/$cert_name.crt" ]; then if [ ! -r "$ca_dir/$cert_name.crt" ]; then
# Generate a signing request # Generate a signing request
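Review bot: the new SAN is always emitted as `DNS:$SERVICE_HOST`, but the commit message says the gate sets SERVICE_HOST to 127.0.0.1, and an IP literal in a dNSName entry is not what standards-conforming verifiers match an IP host against; they look for an iPAddress SAN. Detect an address and use the `IP:` prefix instead, for example `if [[ "$SERVICE_HOST" =~ ^[0-9.]+$ ]]; then alt_names="$alt_names,IP:$SERVICE_HOST"; else alt_names="$alt_names,DNS:$SERVICE_HOST"; fi`, keeping the same empty/non-empty handling. As a smaller point, the guard only compares against `$common_name`, so if `$alt_names` already lists SERVICE_HOST the entry is duplicated.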


@ -1004,10 +1004,6 @@ if is_service_enabled keystone; then
bootstrap_keystone bootstrap_keystone
fi fi
if is_service_enabled tls-proxy; then
export OS_CACERT=$INT_CA_DIR/ca-chain.pem
fi
# Rather than just export these, we write them out to a # Rather than just export these, we write them out to a
# intermediate userrc file that can also be used to debug if # intermediate userrc file that can also be used to debug if
# something goes wrong between here and running # something goes wrong between here and running
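Review bot: dropping the direct export here is consistent with the comment that immediately follows (settings belong in the intermediate userrc file, not in the environment), but it opens a window between this point and `source $TOP_DIR/userrc_early` in which OS_CACERT is unset; the hunk is only safe because nothing in that window calls an OpenStack client, which is worth stating in the commit message so a later insertion there does not reintroduce the untrusted CA error.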
@ -1028,6 +1024,10 @@ export OS_REGION_NAME=$REGION_NAME
EOF EOF
if is_service_enabled tls-proxy; then
echo "export OS_CACERT=$INT_CA_DIR/ca-chain.pem" >> $TOP_DIR/userrc_early
fi
source $TOP_DIR/userrc_early source $TOP_DIR/userrc_early
create_keystone_accounts create_keystone_accounts
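Review bot: the appended line expands `$INT_CA_DIR` at write time, so the userrc file is self-contained, which is right for a file meant to be sourced later for debugging; however the path is unquoted inside the written `export`, and `$TOP_DIR/userrc_early` is unquoted on the redirect, unlike the quoting style used in make_cert. Prefer `echo "export OS_CACERT=\"$INT_CA_DIR/ca-chain.pem\"" >> "$TOP_DIR/userrc_early"`. This also assumes the heredoc closed by `EOF` above truncates the file on each run, otherwise repeated runs accumulate duplicate OS_CACERT lines.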