From ad1a53934f6cb74efbfc72defce65d5474de0c88 Mon Sep 17 00:00:00 2001 From: Harry Rybacki Date: Tue, 20 Aug 2019 18:56:34 +0000 Subject: [PATCH] Revert "Point InternalTLSVncCAFile to /etc/ipa/ca.crt" We believe this change induced a regression[1] that is further breaking TripleO TLS-Everywhere deployments. Submitting a revert patch while we investigate and work on a more robust solution. [1] - https://bugzilla.redhat.com/show_bug.cgi?id=1743485 This reverts commit b93c672313ae2925de7e7c844e19b6a0484b5eae. Change-Id: Ie46ae8b185d53adea6f0904a5e140957c6046c83 --- docker/services/nova-libvirt.yaml | 2 +- docker/services/nova-vnc-proxy.yaml | 2 +- puppet/services/nova-libvirt.yaml | 2 +- puppet/services/nova-vnc-proxy.yaml | 2 +- ...nternalTLSVNCCAFile-to-ipa-ca-1dfccad609a4d4cb.yaml | 10 ---------- 5 files changed, 4 insertions(+), 14 deletions(-) delete mode 100644 releasenotes/notes/nova-point-internalTLSVNCCAFile-to-ipa-ca-1dfccad609a4d4cb.yaml diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml index 04db6c5b09..7a73c75244 100644 --- a/docker/services/nova-libvirt.yaml +++ b/docker/services/nova-libvirt.yaml @@ -95,7 +95,7 @@ parameters: description: Specifies the default CA cert to use if TLS is used for services in the internal network. InternalTLSVncCAFile: - default: '/etc/ipa/ca.crt' + default: '/etc/pki/CA/certs/vnc.crt' type: string description: Specifies the CA cert to use for VNC TLS. LibvirtCACert: diff --git a/docker/services/nova-vnc-proxy.yaml b/docker/services/nova-vnc-proxy.yaml index 36def83f43..a48b22cf0e 100644 --- a/docker/services/nova-vnc-proxy.yaml +++ b/docker/services/nova-vnc-proxy.yaml @@ -55,7 +55,7 @@ parameters: enable TLS transaport for libvirt VNC and configure the relevant keys for libvirt. InternalTLSVncCAFile: - default: '/etc/ipa/ca.crt' + default: '/etc/pki/CA/certs/vnc.crt' type: string description: Specifies the CA cert to use for VNC TLS. LibvirtVncCACert: 
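Review bot: Restoring the default `'/etc/pki/CA/certs/vnc.crt'` reintroduces the sub-CA failure that the release note deleted later in this patch describes — when the FreeIPA CA is itself signed by an external CA, the certmonger-requested file holds only the IPA CA and qemu cannot build a chain for the vnc-proxy certificate — and the parameter description in this hunk says nothing about it. Since the revert is explicitly a stop-gap while [1] is investigated, I would at least carry the caveat on the parameter: `description: Specifies the CA cert to use for VNC TLS. The file must contain the full chain up to the root; when the IPA CA is a sub-CA of an external CA, point this at a bundle that includes the parent CA(s).` The second hunk on this line, for InternalTLSVncCAFile in docker/services/nova-vnc-proxy.yaml, needs the same text so the proxy-side and compute-side definitions stay in step. As the removed note indicates, an incomplete chain surfaces as a verification error rather than a silent downgrade, so the guidance should be to supply a complete bundle, never to relax verification. The `parameters:` mapping both hunks sit in begins before and ends after the hunk.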
diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml index e012573c11..45f3bac60a 100644 --- a/puppet/services/nova-libvirt.yaml +++ b/puppet/services/nova-libvirt.yaml @@ -88,7 +88,7 @@ parameters: description: Specifies the default CA cert to use if TLS is used for services in the internal network. InternalTLSVncCAFile: - default: '/etc/ipa/ca.crt' + default: '/etc/pki/CA/certs/vnc.crt' type: string description: Specifies the CA cert to use for VNC TLS. LibvirtCACert: diff --git a/puppet/services/nova-vnc-proxy.yaml b/puppet/services/nova-vnc-proxy.yaml index 763dbab6d8..2a57b23a99 100644 --- a/puppet/services/nova-vnc-proxy.yaml +++ b/puppet/services/nova-vnc-proxy.yaml @@ -56,7 +56,7 @@ parameters: enable TLS transaport for libvirt VNC and configure the relevant keys for libvirt. InternalTLSVncCAFile: - default: '/etc/ipa/ca.crt' + default: '/etc/pki/CA/certs/vnc.crt' type: string description: Specifies the CA cert to use for VNC TLS. LibvirtVncCACert: diff --git a/releasenotes/notes/nova-point-internalTLSVNCCAFile-to-ipa-ca-1dfccad609a4d4cb.yaml b/releasenotes/notes/nova-point-internalTLSVNCCAFile-to-ipa-ca-1dfccad609a4d4cb.yaml deleted file mode 100644 index f8f832186f..0000000000 --- a/releasenotes/notes/nova-point-internalTLSVNCCAFile-to-ipa-ca-1dfccad609a4d4cb.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -fixes: - - | - In case the freeipa CA is a sub CA of an external CA the InternalTLSVncCAFile - requrested does not have the full CA chain and only have the free IPA - CA. As a result qemu which can not verify the vnc certificate sent by - the vnc-proxy. The issue is in certmonger as it does not return the full - CA chain. - As a workaround, until certmonger is fixed, this change points the - InternalTLSVncCAFile to /etc/ipa/ca.crt which has the full CA chain.
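Review bot: The puppet definition of InternalTLSVncCAFile in this hunk goes back to `'/etc/pki/CA/certs/vnc.crt'` with no indication that this file is known to lack the parent CA when the FreeIPA CA is a sub-CA, which is exactly the case the release note deleted at the end of this line was written for. Removing that note leaves operators with no record of the limitation, so a short `issues:` release note stating that TLS-Everywhere deployments with an externally signed IPA CA must set InternalTLSVncCAFile to a bundle carrying the full chain (the reverted change used /etc/ipa/ca.crt, though per the commit message that default triggered the regression in [1], so the note should present it as an operator choice rather than a blanket recommendation) would preserve that knowledge while the proper fix is worked out. Whatever wording is chosen should be mirrored in the docker templates, since the same parameter is declared four times and the copies appear intended to stay identical. The enclosing `parameters:` mapping starts before and continues after the hunk.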