Add certificate EKUs to public endpoint cert

Add EKUS, or Extended Key Usage parameters, of id-kp-clientAuth and id-kp-serverAuth to the certificate that certmonge generates, which is used by haproxy to proxy public-facing hosts. This is necessary due to the criteria by which Firefox and related browsers validate which required extensions are acceptable when interpreting a certificate. Change-Id: Ideec7d23769e68ae1b738c0118ec061b195e3bd7 Closes-Bug: 1668775
2017-03-01 11:02:32 -05:00 · 2017-03-01 11:02:32 -05:00 · 48b293dde6
parent 6ba1176859
commit 48b293dde6
3 changed files with 17 additions and 1 deletions
--- a/elements/puppet-stack-config/puppet-stack-config.yaml.template
+++ b/elements/puppet-stack-config/puppet-stack-config.yaml.template
@ -24,7 +24,7 @@ tripleo::profile::base::haproxy::certificates_specs:
    service_certificate: '/etc/pki/tls/certs/undercloud-front.crt'
    service_key: '/etc/pki/tls/private/undercloud-front.key'
    hostname: "%{hiera('controller_public_host')}"
-    postsave_cmd: "/usr/bin/instack-haproxy-cert-update '/etc/pki/tls/certs/undercloud-front.crt' '/etc/pki/tls/private/undercloud-front.key' {{UNDERCLOUD_SERVICE_CERTIFICATE}}"
+    postsave_cmd: "/usr/bin/instack-haproxy-cert-update '/etc/pki/tls/certs/undercloud-front.crt' '/etc/pki/tls/private/undercloud-front.key' {{UNDERCLOUD_SERVICE_CERTIFICATE}} undercloud-haproxy-public-cert"
    principal: {{SERVICE_PRINCIPAL}}

 # CA defaults
--- a/releasenotes/notes/add-certificate-ekus-13e92513c562f0dc.yaml
+++ b/releasenotes/notes/add-certificate-ekus-13e92513c562f0dc.yaml
@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fixes `bug 1668775 <https://bugs.launchpad.net/tripleo/+bug/1668775>`__ Certmonger certificate does not include EKUs
+    
--- a/scripts/instack-haproxy-cert-update
+++ b/scripts/instack-haproxy-cert-update
@ -2,6 +2,7 @@
 CERT_FILE="$1"
 KEY_FILE="$2"
 OUTPUT_FILE="$3"
+REQUEST_NICKNAME="$4"

 if [[ -z "$CERT_FILE" || -z "$KEY_FILE" || -z "$OUTPUT_FILE" ]]; then
    echo "You need to provide CERT_FILE KEY_FILE and finally OUTPUT_FILE" \
@ -12,5 +13,15 @@ if [[ ! -f "$CERT_FILE" || ! -f "$KEY_FILE" ]]; then
    echo "Certificate and key files must exist!"
    exit 1
 fi
+if [ -z "$REQUEST_NICKNAME" ]; then
+    echo "Request nickname must be specified in arguments."
+    exit 1
+fi
+
+# add additional EKUs so clients that rely strictly on RFC5280 understand that
+# they are allowed to accept the certificate as having valid extensions
+getcert resubmit -i "$REQUEST_NICKNAME" -w -v -U id-kp-clientAuth \
+    -U id-kp-serverAuth
+
 cat $CERT_FILE $KEY_FILE > $OUTPUT_FILE
 systemctl reload haproxy