
Merge "Point InternalTLSVncCAFile to /etc/ipa/ca.crt" into stable/rocky

tags/9.4.1
Zuul 1 month ago
parent
commit
30ce332894

+ 1
- 1
docker/services/nova-libvirt.yaml View File

@@ -97,7 +97,7 @@ parameters:
97 97
     description: Specifies the default CA cert to use if TLS is used for
98 98
                  services in the internal network.
99 99
   InternalTLSVncCAFile:
100
-    default: '/etc/pki/CA/certs/vnc.crt'
100
+    default: '/etc/ipa/ca.crt'
101 101
     type: string
102 102
     description: Specifies the CA cert to use for VNC TLS.
103 103
   LibvirtCACert:
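
Review bot: The new default at line 100 replaces a VNC-specific CA path with the host-wide IPA bundle, and the description at line 102 still says only "Specifies the CA cert to use for VNC TLS." Per the release note, /etc/ipa/ca.crt carries the full chain including the external CA, so every certificate in that file becomes a trust anchor for VNC TLS verification. Suggest extending the description to say the file must contain the full chain and that the default now follows the IPA client bundle, so operators can judge whether that trust scope is acceptable for their deployment.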

+ 1
- 1
docker/services/nova-vnc-proxy.yaml View File

@@ -55,7 +55,7 @@ parameters:
55 55
                  enable TLS transaport for libvirt VNC and configure the
56 56
                  relevant keys for libvirt.
57 57
   InternalTLSVncCAFile:
58
-    default: '/etc/pki/CA/certs/vnc.crt'
58
+    default: '/etc/ipa/ca.crt'
59 59
     type: string
60 60
     description: Specifies the CA cert to use for VNC TLS.
61 61
   LibvirtVncCACert:
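
Review bot: Only the default string at line 58 changes in this containerized service template, and nothing visible in the diff shows /etc/ipa/ca.crt being made available inside the VNC proxy container. Please confirm the path resolves inside the container (for example through an existing bind mount), or add the mount in this change; otherwise the proxy would be pointed at a file it cannot read.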

+ 1
- 1
puppet/services/nova-libvirt.yaml View File

@@ -88,7 +88,7 @@ parameters:
88 88
     description: Specifies the default CA cert to use if TLS is used for
89 89
                  services in the internal network.
90 90
   InternalTLSVncCAFile:
91
-    default: '/etc/pki/CA/certs/vnc.crt'
91
+    default: '/etc/ipa/ca.crt'
92 92
     type: string
93 93
     description: Specifies the CA cert to use for VNC TLS.
94 94
   LibvirtCACert:
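
Review bot: Changing the default at line 91 on a stable branch alters behaviour for any deployment that relied on the old value without setting InternalTLSVncCAFile explicitly. /etc/ipa/ca.crt is written by IPA client enrollment, so a host that is not enrolled will not have it. Suggest stating in the release note (an upgrade entry would fit) that operators who populated '/etc/pki/CA/certs/vnc.crt' themselves must now set the parameter explicitly to keep that path.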

+ 1
- 1
puppet/services/nova-vnc-proxy.yaml View File

@@ -56,7 +56,7 @@ parameters:
56 56
                  enable TLS transaport for libvirt VNC and configure the
57 57
                  relevant keys for libvirt.
58 58
   InternalTLSVncCAFile:
59
-    default: '/etc/pki/CA/certs/vnc.crt'
59
+    default: '/etc/ipa/ca.crt'
60 60
     type: string
61 61
     description: Specifies the CA cert to use for VNC TLS.
62 62
   LibvirtVncCACert:
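
Review bot: The literal '/etc/ipa/ca.crt' at line 59 is now repeated across four templates with no in-file marker that it is a temporary workaround; the release note says it applies "until certmonger is fixed". Suggest a short YAML comment above the default in each file naming the workaround, so the revert can be found by grep and the libvirt and vnc-proxy defaults are not changed independently later. Nit while here: the context line at 56 reads "transaport" and should be "transport".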

+ 10
- 0
releasenotes/notes/nova-point-internalTLSVNCCAFile-to-ipa-ca-1dfccad609a4d4cb.yaml View File

@@ -0,0 +1,10 @@
1
+---
2
+fixes:
3
+  - |
4
+    In case the freeipa CA is a sub CA of an external CA the InternalTLSVncCAFile
5
+    requrested does not have the full CA chain and only have the free IPA
6
+    CA. As a result qemu which can not verify the vnc certificate sent by
7
+    the vnc-proxy. The issue is in certmonger as it does not return the full
8
+    CA chain.
9
+    As a workaround, until certmonger is fixed, this change points the
10
+    InternalTLSVncCAFile to /etc/ipa/ca.crt which has the full CA chain.
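
Review bot: The note text at lines 4 to 7 has wording problems that make the failure hard to follow: "requrested" should be "requested", "only have the free IPA CA" should be "only has the FreeIPA CA", and "As a result qemu which can not verify" is a sentence fragment (drop "which"). The note also gives no bug or upstream certmonger reference, so "until certmonger is fixed" cannot be tracked; suggest adding the tracking reference to the note or the commit message.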
