Possibility to set SSLCARevocationPath for keystone as chef default attribute "ca_revocation_path"

Also set SSLCARevocationCheck alongside SSLCARevocationPath; setting only
the latter merely produces warnings in the Apache logs.

Note: with Apache 2.3.15 or newer enabling revocation checks causes
certificate validation to fail also when no CRLs for the given certificate
could be found. For details see
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcarevocationcheck

Co-authored-by: Marek Szuba <m.szuba@gsi.de>
Signed-off-by: Marek Szuba <m.szuba@gsi.de>
Change-Id: Ic64249ba32d43877f9ef0325e7156e0d15622a69
Karim El Aammari 2021-07-07 17:46:21 +01:00 committed by Marek Szuba
parent 114b459cad
commit c5211ab38f
3 changed files with 14 additions and 1 deletions


@ -106,6 +106,8 @@ default['openstack']['identity']['ssl']['chainfile'] = nil
default['openstack']['identity']['ssl']['ca_certs'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/sslca.pem"
# path of the CA cert files for SSL (Apache)
default['openstack']['identity']['ssl']['ca_certs_path'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/"
# (optional) path to certificate-revocation lists (Apache)
default['openstack']['identity']['ssl']['ca_revocation_path'] = nil
# Fernet keys to read from databags/vaults. This should be changed in the
# environment when rotating keys (with the defaults below, the items
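Review bot: The comment on the new `ca_revocation_path` attribute should say what enabling it implies, because the template pairs the path with `SSLCARevocationCheck chain` and mod_ssl only picks up CRLs from that directory when the files are stored under hash-derived names. An operator who drops a plain `crl.pem` into the directory would see every client certificate rejected once Apache is newer than 2.3.15, as the commit message itself notes. Suggest `# (optional) path to certificate-revocation lists (Apache); CRL files must use hashed names (see SSLCARevocationPath). Setting this also enables SSLCARevocationCheck chain, which on Apache >= 2.3.15 rejects certificates for which no CRL is found.`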


@ -396,6 +396,8 @@ describe 'openstack-identity::server-apache' do
/SSLCertificateFile/,
/SSLCertificateKeyFile/,
/SSLCACertificatePath/,
/SSLCARevocationPath/,
/SSLCARevocationCheck/,
/SSLCertificateChainFile/,
/SSLProtocol/,
/SSLCipherSuite/,
@ -424,6 +426,8 @@ describe 'openstack-identity::server-apache' do
end
end
[
/SSLCARevocationPath/,
/SSLCARevocationCheck/,
/SSLCertificateChainFile/,
/SSLCipherSuite/,
/SSLVerifyClient require/,
@ -432,15 +436,18 @@ describe 'openstack-identity::server-apache' do
expect(chef_run).not_to render_file(file).with_content(line)
end
end
context 'Enable chainfile, ciphers & cert_required' do
context 'Enable ca_revocation_path, chainfile, ciphers & cert_required' do
cached(:chef_run) do
node.override['openstack']['identity']['ssl']['enabled'] = true
node.override['openstack']['identity']['ssl']['ca_revocation_path'] = '/etc/keystone/ssl/crl.d'
node.override['openstack']['identity']['ssl']['chainfile'] = '/etc/keystone/ssl/certs/chainfile.pem'
node.override['openstack']['identity']['ssl']['ciphers'] = 'ciphers_value'
node.override['openstack']['identity']['ssl']['cert_required'] = true
runner.converge(described_recipe)
end
[
%r{SSLCARevocationPath /etc/keystone/ssl/crl.d$},
/SSLCARevocationCheck chain$/,
%r{SSLCertificateChainFile /etc/keystone/ssl/certs/chainfile.pem$},
/SSLCipherSuite ciphers_value$/,
/SSLVerifyClient require$/,


@ -20,6 +20,10 @@
SSLCertificateFile <%= node['openstack']['identity']['ssl']['certfile'] %>
SSLCertificateKeyFile <%= node['openstack']['identity']['ssl']['keyfile'] %>
SSLCACertificatePath <%= node['openstack']['identity']['ssl']['ca_certs_path'] %>
<% if node['openstack']['identity']['ssl']['ca_revocation_path'] %>
SSLCARevocationPath <%= node['openstack']['identity']['ssl']['ca_revocation_path'] %>
SSLCARevocationCheck chain
<% end -%>
<% if node['openstack']['identity']['ssl']['chainfile'] %>
SSLCertificateChainFile <%= node['openstack']['identity']['ssl']['chainfile'] %>
<% end -%>
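Review bot: `SSLCARevocationCheck chain` on the new line is hard-coded, so an operator who needs `leaf` checking, or who wants a flag such as `no_crl_for_cert_ok` to restore the pre-2.3.15 tolerance described in the commit message, has to patch the template. A second attribute defaulting to `'chain'` keeps the current rendered output and the new spec expectation while making the mode configurable: `SSLCARevocationCheck <%= node['openstack']['identity']['ssl']['ca_revocation_check'] %>` here, with `default['openstack']['identity']['ssl']['ca_revocation_check'] = 'chain'` next to `ca_revocation_path` in the attributes file. I believe the flag syntax is only accepted by newer 2.4 releases, so the attribute comment should point at the mod_ssl documentation linked in the commit message rather than promise it works everywhere. The enclosing virtual-host block starts and ends outside the hunk.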