Possibility to set SSLCARevocationPath for keystone as chef default attribute "ca_revocation_path"
Also set SSLCARevocationCheck alongside SSLCARevocationPath; all one gets by setting only the latter is warnings in Apache logs. Note: with Apache 2.3.15 or newer, enabling revocation checks causes certificate validation to fail even when no CRLs for the given certificate could be found. For details see https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcarevocationcheck Co-authored-by: Marek Szuba <m.szuba@gsi.de> Signed-off-by: Marek Szuba <m.szuba@gsi.de> Change-Id: Ic64249ba32d43877f9ef0325e7156e0d15622a69
parent
114b459cad
commit
c5211ab38f
|
@ -106,6 +106,8 @@ default['openstack']['identity']['ssl']['chainfile'] = nil
|
|||
default['openstack']['identity']['ssl']['ca_certs'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/sslca.pem"
|
||||
# path of the CA cert files for SSL (Apache)
|
||||
default['openstack']['identity']['ssl']['ca_certs_path'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/"
|
||||
# (optional) path to certificate-revocation lists (Apache)
|
||||
default['openstack']['identity']['ssl']['ca_revocation_path'] = nil
|
||||
|
||||
# Fernet keys to read from databags/vaults. This should be changed in the
|
||||
# environment when rotating keys (with the defaults below, the items
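Review bot: The comment on the new `ca_revocation_path` default says only that the path is optional; it does not tell an operator that setting it also turns on `SSLCARevocationCheck chain`, or that on Apache 2.3.15 and newer this makes certificate validation fail when no CRL can be found for a certificate in the chain. Both facts are in the commit message, but the attribute file is what an operator reads when tuning the node, so the caveat belongs here too. I would extend the comment to: `# (optional) path to certificate-revocation lists (Apache). Setting this also` / `# enables "SSLCARevocationCheck chain"; on Apache >= 2.3.15 validation then fails` / `# when no CRL can be found for any certificate in the client's chain.`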
|
||||
|
|
|
@ -396,6 +396,8 @@ describe 'openstack-identity::server-apache' do
|
|||
/SSLCertificateFile/,
|
||||
/SSLCertificateKeyFile/,
|
||||
/SSLCACertificatePath/,
|
||||
/SSLCARevocationPath/,
|
||||
/SSLCARevocationCheck/,
|
||||
/SSLCertificateChainFile/,
|
||||
/SSLProtocol/,
|
||||
/SSLCipherSuite/,
|
||||
|
@ -424,6 +426,8 @@ describe 'openstack-identity::server-apache' do
|
|||
end
|
||||
end
|
||||
[
|
||||
/SSLCARevocationPath/,
|
||||
/SSLCARevocationCheck/,
|
||||
/SSLCertificateChainFile/,
|
||||
/SSLCipherSuite/,
|
||||
/SSLVerifyClient require/,
|
||||
|
@ -432,15 +436,18 @@ describe 'openstack-identity::server-apache' do
|
|||
expect(chef_run).not_to render_file(file).with_content(line)
|
||||
end
|
||||
end
|
||||
context 'Enable chainfile, ciphers & cert_required' do
|
||||
context 'Enable ca_revocation_path, chainfile, ciphers & cert_required' do
|
||||
cached(:chef_run) do
|
||||
node.override['openstack']['identity']['ssl']['enabled'] = true
|
||||
node.override['openstack']['identity']['ssl']['ca_revocation_path'] = '/etc/keystone/ssl/crl.d'
|
||||
node.override['openstack']['identity']['ssl']['chainfile'] = '/etc/keystone/ssl/certs/chainfile.pem'
|
||||
node.override['openstack']['identity']['ssl']['ciphers'] = 'ciphers_value'
|
||||
node.override['openstack']['identity']['ssl']['cert_required'] = true
|
||||
runner.converge(described_recipe)
|
||||
end
|
||||
[
|
||||
%r{SSLCARevocationPath /etc/keystone/ssl/crl.d$},
|
||||
/SSLCARevocationCheck chain$/,
|
||||
%r{SSLCertificateChainFile /etc/keystone/ssl/certs/chainfile.pem$},
|
||||
/SSLCipherSuite ciphers_value$/,
|
||||
/SSLVerifyClient require$/,
|
||||
|
|
|
@ -20,6 +20,10 @@
|
|||
SSLCertificateFile <%= node['openstack']['identity']['ssl']['certfile'] %>
|
||||
SSLCertificateKeyFile <%= node['openstack']['identity']['ssl']['keyfile'] %>
|
||||
SSLCACertificatePath <%= node['openstack']['identity']['ssl']['ca_certs_path'] %>
|
||||
<% if node['openstack']['identity']['ssl']['ca_revocation_path'] %>
|
||||
SSLCARevocationPath <%= node['openstack']['identity']['ssl']['ca_revocation_path'] %>
|
||||
SSLCARevocationCheck chain
|
||||
<% end -%>
|
||||
<% if node['openstack']['identity']['ssl']['chainfile'] %>
|
||||
SSLCertificateChainFile <%= node['openstack']['identity']['ssl']['chainfile'] %>
|
||||
<% end -%>
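Review bot: `SSLCARevocationCheck` is hard-coded to `chain` on the line after `SSLCARevocationPath`, so a deployment that only has CRLs for the issuing CA (Apache's `leaf` mode) cannot use this block on Apache 2.3.15 or newer without rejecting every client whose intermediate CAs lack a CRL, which the commit message itself points out. I would render the mode from an attribute instead of fixing it in the template, e.g. a `ca_revocation_check` default of `chain` beside `ca_revocation_path` so current behaviour is kept, and `SSLCARevocationCheck <%= node['openstack']['identity']['ssl']['ca_revocation_check'] %>` here. Either way, an ERB comment above the new `<% if %>` saying that setting the path enables CRL checking and that a missing CRL fails validation on newer Apache would help, since this file is what gets inspected when clients are suddenly rejected.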
|
||||
|
|