Merge "Point InternalTLSVncCAFile to /etc/ipa/ca.crt" into stable/rocky

2019-08-13 01:38:02 +00:00 · 2019-08-13 01:38:02 +00:00 · 30ce332894
parent fd89ec0aaa b93c672313
commit 30ce332894
5 changed files with 14 additions and 4 deletions
--- a/docker/services/nova-libvirt.yaml
+++ b/docker/services/nova-libvirt.yaml
@ -97,7 +97,7 @@ parameters:
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.
  InternalTLSVncCAFile:
-    default: '/etc/pki/CA/certs/vnc.crt'
+    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the CA cert to use for VNC TLS.
  LibvirtCACert:
--- a/docker/services/nova-vnc-proxy.yaml
+++ b/docker/services/nova-vnc-proxy.yaml
@ -55,7 +55,7 @@ parameters:
                 enable TLS transaport for libvirt VNC and configure the
                 relevant keys for libvirt.
  InternalTLSVncCAFile:
-    default: '/etc/pki/CA/certs/vnc.crt'
+    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the CA cert to use for VNC TLS.
  LibvirtVncCACert:
--- a/puppet/services/nova-libvirt.yaml
+++ b/puppet/services/nova-libvirt.yaml
@ -88,7 +88,7 @@ parameters:
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.
  InternalTLSVncCAFile:
-    default: '/etc/pki/CA/certs/vnc.crt'
+    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the CA cert to use for VNC TLS.
  LibvirtCACert:
--- a/puppet/services/nova-vnc-proxy.yaml
+++ b/puppet/services/nova-vnc-proxy.yaml
@ -56,7 +56,7 @@ parameters:
                 enable TLS transaport for libvirt VNC and configure the
                 relevant keys for libvirt.
  InternalTLSVncCAFile:
-    default: '/etc/pki/CA/certs/vnc.crt'
+    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the CA cert to use for VNC TLS.
  LibvirtVncCACert:
--- a/releasenotes/notes/nova-point-internalTLSVNCCAFile-to-ipa-ca-1dfccad609a4d4cb.yaml
+++ b/releasenotes/notes/nova-point-internalTLSVNCCAFile-to-ipa-ca-1dfccad609a4d4cb.yaml
@ -0,0 +1,10 @@
+---
+fixes:
+  - |
+    In case the freeipa CA is a sub CA of an external CA the InternalTLSVncCAFile
+    requrested does not have the full CA chain and only have the free IPA
+    CA. As a result qemu which can not verify the vnc certificate sent by
+    the vnc-proxy. The issue is in certmonger as it does not return the full
+    CA chain.
+    As a workaround, until certmonger is fixed, this change points the
+    InternalTLSVncCAFile to /etc/ipa/ca.crt which has the full CA chain.