From be00e95da5ae57c6aaa547ee01a5cab9a13862ca Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Thu, 24 Mar 2016 18:09:22 -0400
Subject: [PATCH] Add OS_CACERT to userrc_early and ensure SERVICE_HOST is SAN

OS_CACERT was being added directly to the environment rather than usercc_early. This caused an untrusted CA error to be thrown. Ensure that SERVICE_HOST is in the Subject Alt. Names of the issued TLS server cert. The gate sets it to 127.0.0.1 which wasn't being handled. Only the FQDN of the host and actual IP address of the machine were being added.

Change-Id: I8a91dffe1a5263d2bcc99ea406a8556045b52be2
---
 lib/tls | 8 ++++++++
 stack.sh | 8 ++++----
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/lib/tls b/lib/tls
index f4740b88be..ca57ed44e0 100644
--- a/lib/tls
+++ b/lib/tls
@@ -257,6 +257,14 @@ function make_cert {
     local common_name=$3
     local alt_names=$4
 
+    if [ "$common_name" != "$SERVICE_HOST" ]; then
+        if [[ -z "$alt_names" ]]; then
+            alt_names="DNS:$SERVICE_HOST"
+        else
+            alt_names="$alt_names,DNS:$SERVICE_HOST"
+        fi
+    fi
+
     # Only generate the certificate if it doesn't exist yet on the disk
     if [ ! -r "$ca_dir/$cert_name.crt" ]; then
         # Generate a signing request
diff --git a/stack.sh b/stack.sh
index 5c16f042d8..b91c106ed8 100755
--- a/stack.sh
+++ b/stack.sh
@@ -1004,10 +1004,6 @@ if is_service_enabled keystone; then
         bootstrap_keystone
     fi
 
-    if is_service_enabled tls-proxy; then
-        export OS_CACERT=$INT_CA_DIR/ca-chain.pem
-    fi
-
     # Rather than just export these, we write them out to a
     # intermediate userrc file that can also be used to debug if
     # something goes wrong between here and running
@@ -1028,6 +1024,10 @@ export OS_REGION_NAME=$REGION_NAME
 EOF
 
+    if is_service_enabled tls-proxy; then
+        echo "export OS_CACERT=$INT_CA_DIR/ca-chain.pem" >> $TOP_DIR/userrc_early
+    fi
+
     source $TOP_DIR/userrc_early
 
     create_keystone_accounts
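Review bot: `DNS:$SERVICE_HOST` is the wrong SAN type when SERVICE_HOST is an IP literal, which the commit message says is exactly the gate case (127.0.0.1): strict verifiers match an IP address against iPAddress SAN entries, not dNSName, so the issued cert can still fail hostname verification for such clients even with this change. Choose the prefix from the value's shape before appending, using the same `IP:` form the commit message implies is already used for the machine's own address. The added block also mixes `[ ... ]` for the outer test with `[[ ... ]]` for the inner one; one form would be cleaner. It does not check whether alt_names already contains the SERVICE_HOST entry, so a duplicate SAN is possible — harmless but untidy. make_cert's header and the rest of its body are outside the hunk.
```shell
    local alt_names=$4

    # SERVICE_HOST may be an IP literal (the gate uses 127.0.0.1);
    # an address has to be an IP: SAN, a hostname a DNS: SAN.
    local service_san
    if [[ "$SERVICE_HOST" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
        service_san="IP:$SERVICE_HOST"
    else
        service_san="DNS:$SERVICE_HOST"
    fi
    if [[ "$common_name" != "$SERVICE_HOST" ]]; then
        if [[ -z "$alt_names" ]]; then
            alt_names="$service_san"
        else
            alt_names="$alt_names,$service_san"
        fi
    fi
    # … unchanged: certificate generation …
```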