From 48b293dde6b37f944d00595126e1f5bb0a1c5358 Mon Sep 17 00:00:00 2001
From: Dan Trainor
Date: Wed, 1 Mar 2017 11:02:32 -0500
Subject: [PATCH] Add certificate EKUs to public endpoint cert

Add EKUS, or Extended Key Usage parameters, of id-kp-clientAuth and id-kp-serverAuth to the certificate that certmonge generates, which is used by haproxy to proxy public-facing hosts. This is necessary due to the criteria by which Firefox and related browsers validate which required extensions are acceptable when interpreting a certificate.

Change-Id: Ideec7d23769e68ae1b738c0118ec061b195e3bd7
Closes-Bug: 1668775
---
 .../puppet-stack-config.yaml.template | 2 +-
 .../notes/add-certificate-ekus-13e92513c562f0dc.yaml | 5 +++++
 scripts/instack-haproxy-cert-update | 11 +++++++++++
 3 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/add-certificate-ekus-13e92513c562f0dc.yaml

diff --git a/elements/puppet-stack-config/puppet-stack-config.yaml.template b/elements/puppet-stack-config/puppet-stack-config.yaml.template
index d7b77f33c..e0bba971a 100644
--- a/elements/puppet-stack-config/puppet-stack-config.yaml.template
+++ b/elements/puppet-stack-config/puppet-stack-config.yaml.template
@@ -24,7 +24,7 @@ tripleo::profile::base::haproxy::certificates_specs:
 service_certificate: '/etc/pki/tls/certs/undercloud-front.crt'
 service_key: '/etc/pki/tls/private/undercloud-front.key'
 hostname: "%{hiera('controller_public_host')}"
- postsave_cmd: "/usr/bin/instack-haproxy-cert-update '/etc/pki/tls/certs/undercloud-front.crt' '/etc/pki/tls/private/undercloud-front.key' {{UNDERCLOUD_SERVICE_CERTIFICATE}}"
+ postsave_cmd: "/usr/bin/instack-haproxy-cert-update '/etc/pki/tls/certs/undercloud-front.crt' '/etc/pki/tls/private/undercloud-front.key' {{UNDERCLOUD_SERVICE_CERTIFICATE}} undercloud-haproxy-public-cert"
 principal: {{SERVICE_PRINCIPAL}}
 
 # CA defaults
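Review bot: The fourth argument appended to `postsave_cmd` is the hard-coded literal `undercloud-haproxy-public-cert`, which the script on the other side uses as the certmonger request nickname for `getcert resubmit`; presumably it has to equal the key of the spec this entry belongs to (that key line sits above the hunk, so the hunk does not show how puppet-tripleo names the request), and nothing ties the two together, so a rename of the spec would leave the resubmit addressing a request that no longer exists. A template variable used for both the spec key and this argument would make the coupling explicit; failing that, a comment on the `postsave_cmd` line such as `# the last argument is the certmonger request nickname and must match this spec's key` is the minimum. The spec block starts above the hunk.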
diff --git a/releasenotes/notes/add-certificate-ekus-13e92513c562f0dc.yaml b/releasenotes/notes/add-certificate-ekus-13e92513c562f0dc.yaml
new file mode 100644
index 000000000..d9c77242c
--- /dev/null
+++ b/releasenotes/notes/add-certificate-ekus-13e92513c562f0dc.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - |
+ Fixes `bug 1668775 `__ Certmonger certificate does not include EKUs
+
diff --git a/scripts/instack-haproxy-cert-update b/scripts/instack-haproxy-cert-update
index 705558a49..77867ce78 100644
--- a/scripts/instack-haproxy-cert-update
+++ b/scripts/instack-haproxy-cert-update
@@ -2,6 +2,7 @@
 CERT_FILE="$1"
 KEY_FILE="$2"
 OUTPUT_FILE="$3"
+REQUEST_NICKNAME="$4"
 
 if [[ -z "$CERT_FILE" || -z "$KEY_FILE" || -z "$OUTPUT_FILE" ]]; then
 echo "You need to provide CERT_FILE KEY_FILE and finally OUTPUT_FILE" \
@@ -12,5 +13,15 @@ if [[ ! -f "$CERT_FILE" || ! -f "$KEY_FILE" ]]; then
 echo "Certificate and key files must exist!"
 exit 1
 fi
+if [ -z "$REQUEST_NICKNAME" ]; then
+ echo "Request nickname must be specified in arguments."
+ exit 1
+fi
+
+# add additional EKUs so clients that rely strictly on RFC5280 understand that
+# they are allowed to accept the certificate as having valid extensions
+getcert resubmit -i "$REQUEST_NICKNAME" -w -v -U id-kp-clientAuth \
+ -U id-kp-serverAuth
+
 cat $CERT_FILE $KEY_FILE > $OUTPUT_FILE
 systemctl reload haproxy
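Review bot: `REQUEST_NICKNAME="$4"` makes a fourth argument mandatory (the second hunk exits when it is empty), yet the usage message two lines below still names only CERT_FILE, KEY_FILE and OUTPUT_FILE, and the emptiness check for the new argument is added as a separate `[ -z ... ]` block in the second hunk instead of in this `[[ ... ]]` test. Extending the existing condition, `if [[ -z "$CERT_FILE" || -z "$KEY_FILE" || -z "$OUTPUT_FILE" || -z "$REQUEST_NICKNAME" ]]; then`, and changing the message to `echo "You need to provide CERT_FILE KEY_FILE OUTPUT_FILE and finally REQUEST_NICKNAME" \` keeps argument validation in one place and in the file's `[[` style. The body of this `if` continues past the end of the hunk.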
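Review bot: The exit status of `getcert resubmit` is never examined, so a failed resubmit (certmonger not running, unknown nickname, the CA rejecting the request) is silent and the script goes on to concatenate whatever is in `$CERT_FILE` and reload haproxy as if the EKUs had been added; `getcert resubmit -i "$REQUEST_NICKNAME" -w -v -U id-kp-clientAuth -U id-kp-serverAuth || echo "EKU resubmit for $REQUEST_NICKNAME failed" >&2` would at least surface the failure in the journal. Because this script is itself the post-save hook, the resubmit re-enters the save path that invokes it; the hunk does not show whether certmonger suppresses that re-entry, so it is worth confirming that the second save does not resubmit again, for example by skipping the resubmit when the certificate in `$CERT_FILE` already carries both EKUs. Separately, the commit description motivates only `id-kp-serverAuth` (browsers validating a server certificate), while `id-kp-clientAuth` additionally lets this key pair authenticate as a TLS client to anything that trusts the issuing CA; unless a consumer needs that, requesting only `-U id-kp-serverAuth` keeps the certificate to its stated use, and if clientAuth is needed the reason belongs in the comment above the `getcert` line.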