Do not set OS_CACERT if there is no CA cert
In openrc, if we set OS_CACERT, some things will expect it to be there in pre-flight checks. But it may very well be missing. This "fails closed" because if we find the file, we try to use it, but if we don't find the file, and the user thought we should be using it, we'll just not be able to verify the server's name, and the libs will fail on that. Change-Id: Ia5d06afa74bc645c2f19711cfa37e57a377c329b Closes-Bug: #1452036
This commit is contained in:
Clint Byrum
parent
e210d26a19
commit
52a3bebcfc
10
openrc
10
openrc
|
|
@ -78,8 +78,14 @@ export OS_IDENTITY_API_VERSION=${IDENTITY_API_VERSION:-2.0}
|
|||
#
|
||||
export OS_AUTH_URL=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:5000/v${OS_IDENTITY_API_VERSION}
|
||||
|
||||
# Set the pointer to our CA certificate chain. Harmless if TLS is not used.
|
||||
export OS_CACERT=${OS_CACERT:-$INT_CA_DIR/ca-chain.pem}
|
||||
# Set OS_CACERT to a default CA certificate chain if it exists.
|
||||
if [[ ! -v OS_CACERT ]] ; then
|
||||
DEFAULT_OS_CACERT=$INT_CA_DIR/ca-chain.pem
|
||||
# If the file does not exist, this may confuse preflight sanity checks
|
||||
if [ -e $DEFAULT_OS_CACERT ] ; then
|
||||
export OS_CACERT=$DEFAULT_OS_CACERT
|
||||
fi
|
||||
fi
|
||||
|
||||
# Currently novaclient needs you to specify the *compute api* version. This
|
||||
# needs to match the config of your catalog returned by Keystone.
|
||||
|
|
|
|||
Loading…
Reference in New Issue