Revert changes for SAN certs

hooks/keystone_ssl.py

@@ -5,7 +5,6 @@ import shutil
 import subprocess
 import tarfile
 import tempfile
-from charmhelpers.contrib.openstack.utils import is_ip
 
 CA_EXPIRY = '365'
 ORG_NAME = 'Ubuntu'
@@ -100,7 +99,6 @@ subjectKeyIdentifier    = hash
 authorityKeyIdentifier  = keyid:always, issuer
 keyUsage                = digitalSignature, keyEncipherment, keyAgreement
 extendedKeyUsage        = serverAuth, clientAuth
-subjectAltName          = $ENV::ALTNAME
 """
 
 
@@ -267,29 +265,20 @@ class JujuCA(object):
         subprocess.check_call(cmd)
         return crt
 
-    def _create_certificate(self, service, common_name, alt_names=None):
+    def _create_certificate(self, service, common_name):
         subj = '/O=%s/OU=%s/CN=%s' % (ORG_NAME, ORG_UNIT, common_name)
         csr = os.path.join(self.ca_dir, 'certs', '%s.csr' % service)
         key = os.path.join(self.ca_dir, 'certs', '%s.key' % service)
         cmd = ['openssl', 'req', '-sha1', '-newkey', 'rsa', '-nodes',
                '-keyout', key, '-out', csr, '-subj', subj]
-        alt_env = os.environ.copy()
-        if alt_names is not None:
-            processed_names = []
-            for name in alt_names:
-                if is_ip(name):
-                    processed_names.append("IP:{}".format(name))
-                else:
-                    processed_names.append("DNS:{}".format(name))
-            alt_env['ALTNAME'] = ", ".join(processed_names)
-        subprocess.check_call(cmd, env=alt_env)
+        subprocess.check_call(cmd)
         crt = self._sign_csr(csr, service, common_name)
         cmd = ['chown', '-R', '%s.%s' % (self.user, self.group), self.ca_dir]
         subprocess.check_call(cmd)
         print 'Signed new CSR, crt @ %s' % crt
         return crt, key
 
-    def get_cert_and_key(self, common_name, alt_names):
+    def get_cert_and_key(self, common_name):
         print 'Getting certificate and key for %s.' % common_name
         key = os.path.join(self.ca_dir, 'certs', '%s.key' % common_name)
         crt = os.path.join(self.ca_dir, 'certs', '%s.crt' % common_name)
@@ -303,8 +292,7 @@ class JujuCA(object):
                     (common_name, key)
                 exit(1)
             return crt, key
-        crt, key = self._create_certificate(common_name, common_name,
-                                            alt_names)
+        crt, key = self._create_certificate(common_name, common_name)
         return open(crt, 'r').read(), open(key, 'r').read()
 
     def get_ca_bundle(self):

hooks/keystone_utils.py

@@ -668,12 +668,8 @@ def add_service_to_keystone(relation_id=None, remote_unit=None):
                          adminurl=settings['admin_url'],
                          internalurl=settings['internal_url'])
             service_username = settings['service']
-            https_cn = {
-                'primary': urlparse.urlparse(settings['public_url']).hostname,
-                'alt': [
-                    urlparse.urlparse(settings['admin_url']).hostname,
-                    urlparse.urlparse(settings['internal_url']).hostname,
-                ]}
+            https_cn = urlparse.urlparse(settings['internal_url'])
+            https_cn = https_cn.hostname
     else:
         # assemble multiple endpoints from relation data. service name
         # should be prepended to setting name, ie:
@@ -713,12 +709,8 @@ def add_service_to_keystone(relation_id=None, remote_unit=None):
                              internalurl=ep['internal_url'])
                 services.append(ep['service'])
                 if not https_cn:
-                    https_cn = {
-                        'primary': urlparse.urlparse(ep['public_url']).hostname,
-                        'alt': [
-                            urlparse.urlparse(ep['admin_url']).hostname,
-                            urlparse.urlparse(ep['internal_url']).hostname,
-                        ]}
+                    https_cn = urlparse.urlparse(ep['internal_url'])
+                    https_cn = https_cn.hostname
         service_username = '_'.join(services)
 
     if 'None' in [v for k, v in settings.iteritems()]:
@@ -780,8 +772,7 @@ def add_service_to_keystone(relation_id=None, remote_unit=None):
     # generate or get a new cert/key for service if set to manage certs.
     if config('https-service-endpoints') in ['True', 'true']:
         ca = get_ca(user=SSH_USER)
-        cert, key = ca.get_cert_and_key(common_name=https_cn['primary'],
-                                        alt_names=https_cn['alt'])
+        cert, key = ca.get_cert_and_key(common_name=https_cn)
         ca_bundle = ca.get_ca_bundle()
         relation_data['ssl_cert'] = b64encode(cert)
         relation_data['ssl_key'] = b64encode(key)