Do not set OS_CACERT if there is no CA cert

In openrc, if we set OS_CACERT, some things will expect it to be there
in pre-flight checks. But it may very well be missing. This "fails
closed" because if we find the file, we try to use it, but if we don't
find the file, and the user thought we should be using it, we'll just
not be able to verify the server's name, and the libs will fail on that.

Change-Id: Ia5d06afa74bc645c2f19711cfa37e57a377c329b
Closes-Bug: #1452036
Clint Byrum 2015-05-05 15:00:03 -07:00
parent e210d26a19
commit 52a3bebcfc

openrc

@ -78,8 +78,14 @@ export OS_IDENTITY_API_VERSION=${IDENTITY_API_VERSION:-2.0}
# #
export OS_AUTH_URL=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:5000/v${OS_IDENTITY_API_VERSION} export OS_AUTH_URL=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:5000/v${OS_IDENTITY_API_VERSION}
# Set the pointer to our CA certificate chain. Harmless if TLS is not used. # Set OS_CACERT to a default CA certificate chain if it exists.
export OS_CACERT=${OS_CACERT:-$INT_CA_DIR/ca-chain.pem} if [[ ! -v OS_CACERT ]] ; then
DEFAULT_OS_CACERT=$INT_CA_DIR/ca-chain.pem
# If the file does not exist, this may confuse preflight sanity checks
if [ -e $DEFAULT_OS_CACERT ] ; then
export OS_CACERT=$DEFAULT_OS_CACERT
fi
fi
# Currently novaclient needs you to specify the *compute api* version. This # Currently novaclient needs you to specify the *compute api* version. This
# needs to match the config of your catalog returned by Keystone. # needs to match the config of your catalog returned by Keystone.
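
Review bot: The new `if [[ ! -v OS_CACERT ]]` guard changes what happens when OS_CACERT is set but empty: the removed `${OS_CACERT:-$INT_CA_DIR/ca-chain.pem}` applied the default in that case, while `-v` treats an empty value as set and skips the block, leaving an empty OS_CACERT in place. `-v` also requires bash 4.2 or later. If the old semantics are wanted, `if [[ -z "${OS_CACERT:-}" ]]` keeps them. In the inner test, `[ -e $DEFAULT_OS_CACERT ]` is unquoted and succeeds for a directory as well as a file; `[ -r "$DEFAULT_OS_CACERT" ]` or `[ -f "$DEFAULT_OS_CACERT" ]` would be tighter. The comment "If the file does not exist, this may confuse preflight sanity checks" would read more clearly if it said that exporting a path to a missing file is what confuses those checks.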