diff --git a/defaults/main.yml b/defaults/main.yml
index d0b28ed6..9a763199 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -430,40 +430,116 @@ octavia_network_driver: allowed_address_pairs_driver # Set the host which will execute the openssl_* modules # for the certificate generation. The host must already # have access to pyOpenSSL. -octavia_cert_setup_host: "{{ openstack_cert_setup_host | default('localhost') }}" +octavia_cert_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}" # Set the directory where the certificates will be stored # on the above host. If the host is localhost, then the user # running the playbook must have access to it. -octavia_cert_dir: "{{ lookup('env', 'HOME') }}/openstack-ansible/octavia" +octavia_cert_dir: "{{ openstack_pki_dir | default(lookup('env', 'HOME') ~ '/openstack-ansible') }}" +octavia_cert_keys_dir: "{{ octavia_cert_dir }}/certs/private/" +octavia_cert_certs_dir: "{{ octavia_cert_dir }}/certs/certs/" octavia_cert_dir_owner: "{{ lookup('env', 'USER') }}" -octavia_cert_key_length_server: '4096' # key length -octavia_cert_cipher_server: 'auto' -octavia_cert_cipher_client: 'auto' -octavia_cert_key_length_client: '4096' # key length -octavia_cert_server_ca_subject: '/C=US/ST=Denial/L=Nowhere/O=Dis/CN=www.example.com' # change this to something more real -octavia_cert_client_ca_subject: '/C=US/ST=Denial/L=Nowhere/O=Dis/CN=www.example.com' # change this to something more real octavia_cert_client_req_common_name: 'www.example.com' # change this to something more real octavia_cert_client_req_country_name: 'US' octavia_cert_client_req_state_or_province_name: 'Denial' octavia_cert_client_req_locality_name: 'Nowhere' octavia_cert_client_req_organization_name: 'Dis' octavia_cert_validity_days: 1825 # 5 years -octavia_generate_client_cert: True # generate self signed client certs -octavia_generate_certs: True +octavia_generate_certs: True # generate self signed client certs +octavia_generate_client_cert: True +octavia_generate_ca: True +octavia_regenerate_client_cert: '' +octavia_regenerate_ca: '' -# client certs -octavia_client_ca_key: "{{ 
octavia_cert_dir }}/ca_01.key" -octavia_client_ca: "{{ octavia_cert_dir }}/ca_01.pem" -octavia_client_cert: "{{ octavia_cert_dir }}/client.pem" -# server -octavia_server_ca: "{{ octavia_ca_certificate }}" -# ca certs -octavia_ca_private_key: "{{ octavia_cert_dir }}/private/cakey.pem" +octavia_cert_authorities: + - name: "OctaviaServerRoot" + country: "{{ octavia_cert_client_req_country_name }}" + state_or_province_name: "{{ octavia_cert_client_req_state_or_province_name }}" + organization_name: "{{ octavia_cert_client_req_organization_name }}" + locality_name: "{{ octavia_cert_client_req_locality_name }}" + cn: "Octavia Server CA" + provider: selfsigned + basic_constraints: "CA:TRUE" + key_passphrase: "{{ octavia_ca_private_key_passphrase }}" + key_usage: + - digitalSignature + - cRLSign + - keyCertSign + not_after: "+{{ octavia_cert_validity_days }}d" + - name: "OctaviaClientRoot" + country: "{{ octavia_cert_client_req_country_name }}" + state_or_province_name: "{{ octavia_cert_client_req_state_or_province_name }}" + organization_name: "{{ octavia_cert_client_req_organization_name }}" + locality_name: "{{ octavia_cert_client_req_locality_name }}" + cn: "Octavia Client CA" + provider: selfsigned + basic_constraints: "CA:TRUE" + key_passphrase: "{{ octavia_cert_client_password }}" + key_usage: + - digitalSignature + - cRLSign + - keyCertSign + not_after: "+{{ octavia_cert_validity_days }}d" + +octavia_cert_certificates: + - name: "octavia_client" + provider: ownca + cn: "{{ octavia_cert_client_req_common_name }}" + signed_by: "OctaviaClientRoot" + ownca_key_passphrase: "{{ octavia_cert_client_password }}" + key_usage: + - nonRepudiation + - digitalSignature + - keyEncipherment + extended_key_usage: + - clientAuth + - emailProtection + +# Installation details for SSL certificates +octavia_cert_install_certificates: + # Server CA + - src: "{{ octavia_ca_certificate | default(octavia_cert_dir ~ '/roots/OctaviaServerRoot/certs/OctaviaServerRoot.crt') }}" + dest: 
"/etc/octavia/certs/server_ca.pem" + owner: "{{ octavia_system_user_name }}" + group: "{{ octavia_system_group_name }}" + mode: "0640" + - src: "{{ octavia_ca_private_key | default(octavia_cert_dir ~ '/roots/OctaviaServerRoot/private/OctaviaServerRoot.key.pem') }}" + dest: "/etc/octavia/certs/ca_key.pem" + owner: "{{ octavia_system_user_name }}" + group: "{{ octavia_system_group_name }}" + mode: "0640" + # Client CA + - src: "{{ octavia_client_ca | default(octavia_cert_dir ~ '/roots/OctaviaClientRoot/certs/OctaviaClientRoot.crt') }}" + dest: "/etc/octavia/certs/client_ca.pem" + owner: "{{ octavia_system_user_name }}" + group: "{{ octavia_system_group_name }}" + mode: "0640" + # Client certificate + - src: "{{ octavia_client_cert | default(octavia_cert_certs_dir ~ '/octavia_client.crt') }}" + dest: "/etc/octavia/certs/client.pem.crt" + owner: "{{ octavia_system_user_name }}" + group: "{{ octavia_system_group_name }}" + mode: "0640" + - src: "{{ octavia_client_key | default(octavia_cert_keys_dir ~ '/octavia_client.key.pem') }}" + dest: "/etc/octavia/certs/client.pem.key" + owner: "{{ octavia_system_user_name }}" + group: "{{ octavia_system_group_name }}" + mode: "0640" + + +# Custom client CA +#octavia_client_ca: "{{ octavia_cert_dir }}/ca_01.pem" +## Custom client certs +#octavia_client_cert: "{{ octavia_cert_dir }}/client.pem" +#octavia_client_key: "{{ octavia_cert_dir }}/client.key.pem" +## server +#octavia_server_ca: "{{ octavia_ca_certificate }}" +## ca certs +#octavia_ca_private_key: "{{ octavia_cert_dir }}/private/cakey.pem" octavia_ca_private_key_passphrase: "{{ octavia_cert_client_password }}" -octavia_ca_certificate: "{{ octavia_cert_dir }}/ca_server_01.pem" -octavia_signing_digest: sha256 +#octavia_ca_certificate: "{{ octavia_cert_dir }}/ca_server_01.pem" + # Quotas for the Octavia user - assuming active/passive topology octavia_num_instances: 10000 # 5000 LB in active/passive diff --git a/tasks/main.yml b/tasks/main.yml index 170f830e..dd4f2c45 100644 
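Review bot: The `octavia_client` entry in `octavia_cert_certificates` carries no `not_after`, so the issued client certificate's lifetime is no longer tied to `octavia_cert_validity_days` the way the removed `openssl ca ... -days {{ octavia_cert_validity_days }}` call was, while both CA entries do pin it with `not_after: "+{{ octavia_cert_validity_days }}d"`. Assuming the pki role accepts the same key on certificate entries as on authorities, add `not_after: "+{{ octavia_cert_validity_days }}d"` under `octavia_client` so the deployer-facing knob keeps meaning what its comment says. The hunk also drops `octavia_cert_key_length_server/client` (4096) and the cipher variables without any replacement in the new entries, so key size and key encryption now come from the pki role's defaults, which are not visible here; if that role exposes a key-size option it is worth setting explicitly rather than silently inheriting whatever it chooses. This hunk is part of a longer defaults file whose surrounding variables are outside the view.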
--- a/tasks/main.yml +++ b/tasks/main.yml @@ -95,17 +95,6 @@ tags: - always -- include_tasks: octavia_certs.yml - args: - apply: - tags: - - octavia-config - when: - - octavia_generate_certs | bool - - _octavia_is_first_play_host - tags: - - always - - name: Gather variables for installation method include_vars: "{{ octavia_install_method }}_install.yml" tags: @@ -115,19 +104,43 @@ tags: - octavia-install +- name: Create and install SSL certificates + include_role: + name: pki + vars: + pki_setup_host: "{{ octavia_cert_setup_host }}" + pki_dir: "{{ octavia_cert_dir }}" + pki_create_ca: "{{ octavia_generate_ca }}" + pki_regen_ca: "{{ octavia_regenerate_ca }}" + pki_authorities: "{{ octavia_cert_authorities }}" + pki_create_certificates: "{{ octavia_generate_client_cert }}" + pki_regen_cert: "{{ octavia_regenerate_client_cert }}" + pki_certificates: "{{ octavia_cert_certificates }}" + pki_install_certificates: "{{ octavia_cert_install_certificates }}" + when: + - octavia_generate_certs | bool + tags: + - always + +- name: Assemble SSL certificates + assemble: + src: /etc/octavia/certs/ + dest: /etc/octavia/certs/client.pem + regexp: '(client\.pem\.crt|client\.pem\.key)$' + notify: + - Restart octavia services + - Restart uwsgi services + when: + - octavia_generate_certs | bool + tags: + - octavia-config + - octavia-install + + - import_tasks: octavia_install.yml tags: - octavia-install -- include_tasks: octavia_certs_distribute.yml - args: - apply: - tags: - - octavia-config - when: octavia_generate_certs | bool - tags: - - always - - name: Import uwsgi role import_role: name: uwsgi diff --git a/tasks/octavia_certs.yml b/tasks/octavia_certs.yml deleted file mode 100644 index 9a75aa2c..00000000 --- a/tasks/octavia_certs.yml +++ /dev/null 
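Review bot: The `Assemble SSL certificates` task writes the client private key into `/etc/octavia/certs/client.pem` but sets no `owner`, `group` or `mode`, so the combined file is created with the module's defaults (root-owned, umask-derived permissions, typically world-readable) even though the two inputs it concatenates are installed at `0640` for the octavia user. Add `owner: "{{ octavia_system_user_name }}"`, `group: "{{ octavia_system_group_name }}"` and `mode: "0640"` to the `assemble` task, matching the entries in `octavia_cert_install_certificates`. Note also that `assemble` concatenates in lexical order, so `client.pem.crt` precedes `client.pem.key`; a comment saying so next to the `regexp` would make it clear the cert-then-key layout is relied upon rather than accidental.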
@@ -1,186 +0,0 @@ ---- -# Copyright 2018, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# We set the python interpreter to the ansible runtime venv if -# the delegation is to localhost so that we get access to the -# appropriate python libraries in that venv. If the delegation -# is to another host, we assume that it is accessible by the -# system python instead. -- name: Prepare octavia_cert_setup_host for certificate generation - delegate_to: "{{ octavia_cert_setup_host }}" - delegate_facts: true - vars: - ansible_python_interpreter: >- - {{ (octavia_cert_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']) }} - block: - - name: Create certificate directories - file: - path: "{{ item.path }}" - state: directory - mode: "{{ item.mode }}" - owner: "{{ octavia_cert_dir_owner }}" - with_items: - - { path: "{{ octavia_cert_dir }}", mode: '0750' } - - { path: "{{ octavia_cert_dir }}/newcerts", mode: '0750'} - - { path: "{{ octavia_cert_dir }}/private", mode: '0750'} - - # ansible's openssl_certificate can't create X509 extensions - # but you need CA: true in Basic Constraints to have a CA cert - - # set up openssl for use - - name: Touch index.txt - file: - path: "{{ octavia_cert_dir }}/index.txt" - state: touch - mode: 0755 - - - name: Init serial - copy: - content: "01" - dest: "{{ octavia_cert_dir }}/serial" - force: no - - - name: Generate openssl.conf - template: - src: "templates/openssl.conf.j2" 
- dest: "{{ octavia_cert_dir }}/openssl.cnf" - mode: 0440 - - - name: Create the server CA private key - openssl_privatekey: - path: "{{ octavia_ca_private_key }}" - passphrase: "{{ octavia_ca_private_key_passphrase }}" - cipher: "{{ octavia_cert_cipher_server }}" - size: "{{ octavia_cert_key_length_server }}" - - - name: Create server CA certificate - command: > - openssl req -x509 -passin pass:'{{ octavia_ca_private_key_passphrase }}' -new -nodes -key {{ octavia_ca_private_key }} \ - -config {{ octavia_cert_dir }}/openssl.cnf \ - -subj "{{ octavia_cert_server_ca_subject }}" \ - -days {{ octavia_cert_validity_days }} \ - -out {{ octavia_ca_certificate }} - args: - chdir: "{{ octavia_cert_dir }}" - creates: "{{ octavia_ca_certificate }}" - - - name: Store octavia ca private key - slurp: - src: "{{ octavia_ca_private_key }}" - register: _octavia_ca_private_key - changed_when: false - - - name: Store octavia ca cert - slurp: - src: "{{ octavia_ca_certificate }}" - register: _octavia_ca_certificate - changed_when: false - - # same as octavia ca cert - - name: Store octavia server ca - slurp: - src: "{{ octavia_server_ca }}" - register: _octavia_server_ca - changed_when: false - - - name: Register a fact for the CA cert and key - set_fact: - octavia_ca_private_key_fact: "{{ _octavia_ca_private_key['content'] | b64decode }}" - octavia_ca_certificate_fact: "{{ _octavia_ca_certificate['content'] | b64decode }}" - octavia_server_ca_fact: "{{ _octavia_server_ca['content'] | b64decode }}" - -# These are run at the very first installation of Octavia -# While Octavia acts as a CA for the server certificates, -# for the amphora it only needs a client certificate and -# the (public) certificate authority certificate. -# Generating the secret key here and storing it -# on the deploy host allows us to rotate the client -# certificate without recycling the amphora since -# we can keep the same CA. 
- -- name: Generate keys/certificates on octavia_cert_setup_host - delegate_to: "{{ octavia_cert_setup_host }}" - delegate_facts: true - vars: - ansible_python_interpreter: >- - {{ (octavia_cert_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']) }} - when: octavia_generate_client_cert | bool - block: - - name: Create the client CAs private key - openssl_privatekey: - path: "{{ octavia_client_ca_key }}" - passphrase: "{{ octavia_cert_client_password }}" - cipher: "{{ octavia_cert_cipher_client }}" - size: "{{ octavia_cert_key_length_client }}" - - - name: Create client CA certificate - command: > - openssl req -x509 -passin pass:'{{ octavia_cert_client_password }}' -new -nodes -key {{ octavia_client_ca_key }} \ - -config {{ octavia_cert_dir }}/openssl.cnf \ - -subj "{{ octavia_cert_client_ca_subject }}" \ - -days {{ octavia_cert_validity_days }} \ - -out {{ octavia_client_ca }} - args: - chdir: "{{ octavia_cert_dir }}" - creates: "{{ octavia_client_ca }}" - - - name: Create the client cert private key - openssl_privatekey: - path: "{{ octavia_cert_dir }}/client.key" - size: "{{ octavia_cert_key_length_client }}" - - - name: Create client cert CSR - openssl_csr: - path: "{{ octavia_cert_dir }}/client.csr" - common_name: "{{ octavia_cert_client_req_common_name }}" - country_name: "{{ octavia_cert_client_req_country_name }}" - state_or_province_name: "{{ octavia_cert_client_req_state_or_province_name }}" - locality_name: "{{ octavia_cert_client_req_locality_name }}" - organization_name: "{{ octavia_cert_client_req_organization_name }}" - privatekey_path: "{{ octavia_cert_dir }}/client.key" - - - name: Create client certificate - command: > - openssl ca -passin pass:'{{ octavia_ca_private_key_passphrase }}' -config {{ octavia_cert_dir }}/openssl.cnf \ - -in client.csr -days {{ octavia_cert_validity_days }} -out client-.pem -batch - args: - chdir: "{{ octavia_cert_dir }}" - creates: "{{ octavia_cert_dir }}/client-.pem" - 
- # use cat to avoid mangling the certs - - name: Generate single pem client.pem - shell: "cat client-.pem client.key >{{ octavia_client_cert }}" - args: - chdir: "{{ octavia_cert_dir }}" - creates: "{{ octavia_client_cert }}" - tags: - - skip_ansible_lint - - - name: Store octavia client ca - slurp: - src: "{{ octavia_client_ca }}" - register: _octavia_client_ca - changed_when: false - - - name: Store octavia client cert - slurp: - src: "{{ octavia_client_cert }}" - register: _octavia_client_cert - changed_when: false - - - name: Register a fact for the cert and key - set_fact: - octavia_client_ca_fact: "{{ _octavia_client_ca['content'] | b64decode }}" - octavia_client_cert_fact: "{{ _octavia_client_cert['content'] | b64decode }}" diff --git a/tasks/octavia_certs_distribute.yml b/tasks/octavia_certs_distribute.yml deleted file mode 100644 index ddb31f9b..00000000 --- a/tasks/octavia_certs_distribute.yml +++ /dev/null @@ -1,29 +0,0 @@ ---- - -- name: Create certs directory - file: - path: /etc/octavia/certs/ - state: directory - -- name: Copy certificates - copy: - content: "{{ item.content }}" - dest: "{{ item.dest }}" - owner: "{{ octavia_system_user_name }}" - group: "{{ octavia_system_group_name }}" - mode: "0640" - no_log: true - with_items: - - content: "{{ hostvars[octavia_cert_setup_host]['octavia_ca_private_key_fact'] }}" - dest: "/etc/octavia/certs/ca_key.pem" - - content: "{{ hostvars[octavia_cert_setup_host]['octavia_ca_certificate_fact'] }}" - dest: "/etc/octavia/certs/ca.pem" - - content: "{{ hostvars[octavia_cert_setup_host]['octavia_server_ca_fact'] }}" - dest: "/etc/octavia/certs/server_ca.pem" - - content: "{{ hostvars[octavia_cert_setup_host]['octavia_client_ca_fact'] }}" - dest: "/etc/octavia/certs/client_ca.pem" - - content: "{{ hostvars[octavia_cert_setup_host]['octavia_client_cert_fact'] }}" - dest: "/etc/octavia/certs/client.pem" - notify: - - Restart octavia services - - Restart uwsgi services 
diff --git a/templates/octavia.conf.j2 b/templates/octavia.conf.j2 index cbba15c7..6f5ae165 100644 --- a/templates/octavia.conf.j2 +++ b/templates/octavia.conf.j2 @@ -66,10 +66,10 @@ memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcached_encryption_key }} [certificates] -ca_certificate = /etc/octavia/certs/ca.pem +ca_certificate = /etc/octavia/certs/server_ca.pem ca_private_key = /etc/octavia/certs/ca_key.pem ca_private_key_passphrase = {{ octavia_ca_private_key_passphrase }} -signing_digest = {{ octavia_signing_digest }} +signing_digest = sha256 {% if octavia_barbican_enabled %} cert_manager = barbican_cert_manager endpoint_type = {{ octavia_clients_endpoint }} diff --git a/templates/openssl.conf.j2 b/templates/openssl.conf.j2 deleted file mode 100644 index a6d2c120..00000000 --- a/templates/openssl.conf.j2 +++ /dev/null 
@@ -1,263 +0,0 @@ -# -# OpenSSL example configuration file. -# This is mostly being used for generation of certificate requests. -# -# This definition stops the following lines choking if HOME isn't -# defined. -HOME = . -RANDFILE = $ENV::HOME/.rnd -# Extra OBJECT IDENTIFIER info: -#oid_file = $ENV::HOME/.oid -oid_section = new_oids -# To use this configuration file with the "-extfile" option of the -# "openssl x509" utility, name here the section containing the -# X.509v3 extensions to use: -# extensions = -# (Alternatively, use a configuration file that has only -# X.509v3 extensions in its main [= default] section.) -[ new_oids ] -# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. -# Add a simple OID like this: -# testoid1=1.2.3.4 -# Or use config file substitution like this: -# testoid2=${testoid1}.5.6 -# Policies used by the TSA examples. -tsa_policy1 = 1.2.3.4.1 -tsa_policy2 = 1.2.3.4.5.6 -tsa_policy3 = 1.2.3.4.5.7 -#################################################################### -[ ca ] -default_ca = CA_default # The default ca section -#################################################################### -[ CA_default ] -dir = "{{ octavia_cert_dir }}" # Where everything is kept -certs = $dir/certs # Where the issued certs are kept -crl_dir = $dir/crl # Where the issued crl are kept -database = $dir/index.txt # database index file. -#unique_subject = no # Set to 'no' to allow creation of - # several ctificates with same subject. -new_certs_dir = $dir/newcerts # default place for new certs. 
-certificate = "{{ octavia_client_ca }}" # The CA certificate -serial = $dir/serial # The current serial number -crlnumber = $dir/crlnumber # the current crl number - # must be commented out to leave a V1 CRL -crl = $dir/crl.pem # The current CRL -private_key = {{ octavia_client_ca_key }}# The private key -RANDFILE = $dir/private/.rand # private random number file -x509_extensions = usr_cert # The extensions to add to the cert -# Comment out the following two lines for the "traditional" -# (and highly broken) format. -name_opt = ca_default # Subject Name options -cert_opt = ca_default # Certificate field options -# Extension copying option: use with caution. -# copy_extensions = copy -# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs -# so this is commented out by default to leave a V1 CRL. -# crlnumber must also be commented out to leave a V1 CRL. -# crl_extensions = crl_ext -default_days = 365 # how long to certify for -default_crl_days= 30 # how long before next CRL -default_md = default # use public key default MD -preserve = no # keep passed DN ordering -# A few difference way of specifying how similar the request should look -# For type CA, the listed attributes must be the same, and the optional -# and supplied fields are just that :-) -policy = policy_match -# For the CA policy -[ policy_match ] -countryName = match -stateOrProvinceName = match -organizationName = match -organizationalUnitName = optional -commonName = supplied -emailAddress = optional -# For the 'anything' policy -# At this point in time, you must list all acceptable 'object' -# types. 
-[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional -#################################################################### -[ req ] -default_bits = 2048 -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -x509_extensions = v3_ca # The extensions to add to the self signed cert -# Passwords for private keys if not present they will be prompted for -# input_password = secret -# output_password = secret -# This sets a mask for permitted string types. There are several options. -# default: PrintableString, T61String, BMPString. -# pkix : PrintableString, BMPString (PKIX recommendation before 2004) -# utf8only: only UTF8Strings (PKIX recommendation after 2004). -# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). -# MASK:XXXX a literal mask value. -# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. -string_mask = utf8only -# req_extensions = v3_req # The extensions to add to a certificate request -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = AU -countryName_min = 2 -countryName_max = 2 -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = Some-State -localityName = Locality Name (eg, city) -0.organizationName = Organization Name (eg, company) -0.organizationName_default = Internet Widgits Pty Ltd -# we can do this but it is not needed normally :-) -#1.organizationName = Second Organization Name (eg, company) -#1.organizationName_default = World Wide Web Pty Ltd -organizationalUnitName = Organizational Unit Name (eg, section) -#organizationalUnitName_default = -commonName = Common Name (e.g. 
server FQDN or YOUR name) -commonName_max = 64 -emailAddress = Email Address -emailAddress_max = 64 -# SET-ex3 = SET extension number 3 -[ req_attributes ] -challengePassword = A challenge password -challengePassword_min = 4 -challengePassword_max = 20 -unstructuredName = An optional company name -[ usr_cert ] -# These extensions are added when 'ca' signs a request. -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. -basicConstraints=CA:FALSE -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. -# This is OK for an SSL server. -# nsCertType = server -# For an object signing certificate this would be used. -# nsCertType = objsign -# For normal client use this is typical -# nsCertType = client, email -# and for everything including object signing: -# nsCertType = client, email, objsign -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy -# An alternative to produce certificates that aren't -# deprecated according to PKIX. -# subjectAltName=email:move -# Copy subject details -# issuerAltName=issuer:copy -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName -# This is required for TSA certificates. 
-# extendedKeyUsage = critical,timeStamping -[ v3_req ] -# Extensions to add to a certificate request -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment -[ v3_ca ] -# Extensions for a typical CA -# PKIX recommendation. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid:always,issuer -# This is what PKIX recommends but some broken software chokes on critical -# extensions. -#basicConstraints = critical,CA:true -# So we do this instead. -basicConstraints = CA:true -# Key usage: this is typical for a CA certificate. However since it will -# prevent it being used as an test self-signed certificate it is best -# left out by default. -# keyUsage = cRLSign, keyCertSign -# Some might want this also -# nsCertType = sslCA, emailCA -# Include email address in subject alt name: another PKIX recommendation -# subjectAltName=email:copy -# Copy issuer details -# issuerAltName=issuer:copy -# DER hex encoding of an extension: beware experts only! -# obj=DER:02:03 -# Where 'obj' is a standard or added object -# You can even override a supported extension: -# basicConstraints= critical, DER:30:03:01:01:FF -[ crl_ext ] -# CRL extensions. -# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. -# issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always -[ proxy_cert_ext ] -# These extensions should be added when creating a proxy certificate -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. -basicConstraints=CA:FALSE -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. -# This is OK for an SSL server. -# nsCertType = server -# For an object signing certificate this would be used. 
-# nsCertType = objsign -# For normal client use this is typical -# nsCertType = client, email -# and for everything including object signing: -# nsCertType = client, email, objsign -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy -# An alternative to produce certificates that aren't -# deprecated according to PKIX. -# subjectAltName=email:move -# Copy subject details -# issuerAltName=issuer:copy -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName -# This really needs to be in place for it to be a proxy certificate. -proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo -#################################################################### -[ tsa ] -default_tsa = tsa_config1 # the default TSA section -[ tsa_config1 ] -# These are used by the TSA reply generation only. 
-dir = ./demoCA # TSA root directory -serial = $dir/tsaserial # The current serial number (mandatory) -crypto_device = builtin # OpenSSL engine to use for signing -signer_cert = $dir/tsacert.pem # The TSA signing certificate - # (optional) -certs = $dir/cacert.pem # Certificate chain to include in reply - # (optional) -signer_key = $dir/private/tsakey.pem # The TSA private key (optional) -default_policy = tsa_policy1 # Policy if request did not specify it - # (optional) -other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) -digests = md5, sha1 # Acceptable message digests (mandatory) -accuracy = secs:1, millisecs:500, microsecs:100 # (optional) -clock_precision_digits = 0 # number of digits after dot. (optional) -ordering = yes # Is ordering defined for timestamps? - # (optional, default: no) -tsa_name = yes # Must the TSA name be included in the reply? - # (optional, default: no) -ess_cert_id_chain = no # Must the ESS cert id chain be included? - # (optional, default: no) \ No newline at end of file diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index f78f652b..d9a9cf24 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -18,8 +18,6 @@ - check-requirements - openstack-ansible-linters-jobs - openstack-ansible-deploy-aio_metal-jobs - # Need to add support of distro installs before - # adding the next job template - # - openstack-ansible-deploy-aio_distro_metal-jobs + - openstack-ansible-deploy-aio_distro_metal-jobs - publish-openstack-docs-pti - build-release-notes-jobs-python3