Merge "Revert "Point InternalTLSVncCAFile to /etc/ipa/ca.crt"" into stable/stein

tags/10.6.1
Zuul 1 month ago
parent
commit
99e0eed40a

+ 1
- 1
deployment/nova/nova-libvirt-container-puppet.yaml View File

@@ -102,7 +102,7 @@ parameters:
102 102
     type: string
103 103
     description: Specifies the CA cert to use for NBD TLS.
104 104
   InternalTLSVncCAFile:
105
-    default: '/etc/ipa/ca.crt'
105
+    default: '/etc/pki/CA/certs/vnc.crt'
106 106
     type: string
107 107
     description: Specifies the CA cert to use for VNC TLS.
108 108
   InternalTLSQemuCAFile:
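
Review bot: The description kept under InternalTLSVncCAFile (line 107) says only "Specifies the CA cert to use for VNC TLS." and does not tell operators that the file has to carry the complete CA chain. With the default on line 105 back at '/etc/pki/CA/certs/vnc.crt', the release note deleted in this same commit describes the consequence: when the FreeIPA CA is a sub CA of an external CA, the requested file holds only the FreeIPA CA and qemu cannot verify the VNC certificate sent by the vnc-proxy. Suggest extending the description to say the file must contain the full chain and that sub CA deployments need to override this parameter, and stating in the commit message why the revert is preferred over keeping the workaround.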

+ 1
- 1
deployment/nova/nova-vnc-proxy-container-puppet.yaml View File

@@ -51,7 +51,7 @@ parameters:
51 51
                  enable TLS transaport for libvirt VNC and configure the
52 52
                  relevant keys for libvirt.
53 53
   InternalTLSVncCAFile:
54
-    default: '/etc/ipa/ca.crt'
54
+    default: '/etc/pki/CA/certs/vnc.crt'
55 55
     type: string
56 56
     description: Specifies the CA cert to use for VNC TLS.
57 57
   LibvirtVncCACert:
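
Review bot: InternalTLSVncCAFile carries its own default here (line 54) and again in nova-libvirt-container-puppet.yaml, and the two values agree only because both were edited by hand in this commit. A later change that touches one template and misses the other would leave the libvirt side and the vnc-proxy side pointed at different CA files by default. Suggest a short comment on both parameter blocks naming the other template so the defaults are changed together. Separately, "transaport" in the context line at 51 is a typo worth a follow-up fix.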

+ 0
- 10
releasenotes/notes/nova_point_InternalTLSVncCAFile_to_ipa_ca-23830eab2b91fdf8.yaml View File

@@ -1,10 +0,0 @@
1
----
2
-fixes:
3
-  - |
4
-    In case the freeipa CA is a sub CA of an external CA the InternalTLSVncCAFile
5
-    requrested does not have the full CA chain and only have the free IPA
6
-    CA. As a result qemu which can not verify the vnc certificate sent by
7
-    the vnc-proxy. The issue is in certmonger as it does not return the full
8
-    CA chain.
9
-    As a workaround, until certmonger is fixed, this change points the
10
-    InternalTLSVncCAFile to /etc/ipa/ca.crt which has the full CA chain.
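
Review bot: Deleting this note without adding a replacement leaves the default change undocumented for anyone upgrading on stable/stein. The removed text is also the only place in the tree that records the certmonger behaviour (it "does not return the full CA chain") and the symptom that qemu cannot verify the vnc-proxy certificate. Suggest adding a new release note that says the default for InternalTLSVncCAFile is again '/etc/pki/CA/certs/vnc.crt', gives the reason for the revert, and tells deployments whose FreeIPA CA is a sub CA of an external CA to set InternalTLSVncCAFile to a file containing the full chain.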
