kolla-ansible

openstack/kolla-ansible

Commit Graph

Author	SHA1	Message	Date
Maksim Malchuk	6409d62650	Fix usage of Subject Alternative Name for TLS All TLS certificates are incorrectly generated in the 'certificates' role. The generated certificates don't contain both the 'X509v3 extensions' and 'X509v3 Subject Alternative Name' blocks at all. This change fixes the 'openssl x509' commands used to generate all the certificates to include the 'Subject Alternative Name'. Also, this change fixes both internal and external templates to constantly use alternative names as described in the RFCs [1] [2]. We use DNS Name in SAN extension only when 'kolla_internal_fqdn' or 'kolla_external_fqdn' is set. 1. https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 2. https://datatracker.ietf.org/doc/html/rfc6125#appendix-B.2 Closes-Bug: #1935978 Change-Id: Ie5d82a2e4575bd74674ac38a042df49cfe7f74c9 Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>	2021-08-24 15:33:22 +03:00
James Kirsch	d100904f2c	Generate self signed TLS certificates Generate both internal and external self signed TLS certificates. Duplicate the certificate if internal and external VIPs are the same. Change-Id: I16b345c0b29ff13e042eed8798efe644e0ad2c74 Partially-Implements: blueprint custom-cacerts	2020-01-28 14:03:33 -08:00

Author

SHA1

Message

Date

Maksim Malchuk

6409d62650

Fix usage of Subject Alternative Name for TLS

All TLS certificates are incorrectly generated in the 'certificates'
role. The generated certificates don't contain both the 'X509v3
extensions' and 'X509v3 Subject Alternative Name' blocks at all.

This change fixes the 'openssl x509' commands used to generate all the
certificates to include the 'Subject Alternative Name'.

Also, this change fixes both internal and external templates to
constantly use alternative names as described in the RFCs [1] [2].
We use DNS Name in SAN extension only when 'kolla_internal_fqdn' or
'kolla_external_fqdn' is set.

1. https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6
2. https://datatracker.ietf.org/doc/html/rfc6125#appendix-B.2

Closes-Bug: #1935978
Change-Id: Ie5d82a2e4575bd74674ac38a042df49cfe7f74c9
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>

2021-08-24 15:33:22 +03:00

James Kirsch

d100904f2c

Generate self signed TLS certificates

Generate both internal and external self signed TLS certificates.
Duplicate the certificate if internal and external VIPs are the same.

Change-Id: I16b345c0b29ff13e042eed8798efe644e0ad2c74
Partially-Implements: blueprint custom-cacerts

2020-01-28 14:03:33 -08:00

2 Commits