From aa45d379a05f18bdf5c8f13abcf3d040d5ce82a2 Mon Sep 17 00:00:00 2001 From: Xing Zhang Date: Wed, 4 Sep 2019 14:20:33 +0800 Subject: [PATCH] Add DNS to subjectAltName in Self-Signed Certificate According to [1]: IP address used in the IP options can be in either IPv4 or IPv6 format. DNS can be used for IPv4 only, IPv6 only and dual stack. Also should have FQDNs in subjectAltName per current[2]. [1] https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html [2] https://support.google.com/chrome/a/answer/7391219 Partially-Implements: blueprint ipv6-control-plane Change-Id: Ibad8f8c734984aeda8ddac1a5db39875bc242bbf
---
 ansible/roles/certificates/templates/openssl-kolla.cnf.j2 | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/ansible/roles/certificates/templates/openssl-kolla.cnf.j2 b/ansible/roles/certificates/templates/openssl-kolla.cnf.j2
index c9bbce5321..e580fa613a 100644
--- a/ansible/roles/certificates/templates/openssl-kolla.cnf.j2
+++ b/ansible/roles/certificates/templates/openssl-kolla.cnf.j2
@@ -14,3 +14,9 @@ subjectAltName = @alt_names
 [alt_names]
 IP.1 = {{ kolla_external_vip_address }}
+# NOTE(Xing Zhang): Add IPv6 external VIP address to IP.2 when
+# ipv6-control-plane is implemented.
+#IP.2 =
+{% if kolla_external_fqdn != kolla_external_vip_address %}
+DNS.1 = {{ kolla_external_fqdn }}
+{% endif %}
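Review bot: The guard `{% if kolla_external_fqdn != kolla_external_vip_address %}` is a plain string comparison, so it only excludes the case where the FQDN variable is literally the external VIP. Any other IP literal in `kolla_external_fqdn` would be written out as `DNS.1`, as would the same address in a different textual form once the IPv6 VIP from the NOTE is added. TLS clients check an IP address only against `IP` entries, so a certificate rendered that way would fail verification when the endpoint is reached by that address. Consider testing what the value is rather than what it differs from, for example `{% if not (kolla_external_fqdn | ipaddr) %}`, assuming the `ipaddr` filter and its netaddr dependency are available where the template is rendered. Failing that, state the assumption above the condition: `# kolla_external_fqdn must be a hostname whenever it differs from the VIP`.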