Revert "Point InternalTLSVncCAFile to /etc/ipa/ca.crt"

We believe this change induced a regression[1] that is further breaking TripleO TLS-Everywhere deployments. Submitting a revert patch while we investigate and work on a more robust solution. [1] - https://bugzilla.redhat.com/show_bug.cgi?id=1743485 This reverts commit b93c672313. Change-Id: Ie46ae8b185d53adea6f0904a5e140957c6046c83
2019-08-20 18:56:34 +00:00 · 2019-08-20 18:56:34 +00:00 · ad1a53934f
parent b93c672313
commit ad1a53934f
5 changed files with 4 additions and 14 deletions
--- a/docker/services/nova-libvirt.yaml
+++ b/docker/services/nova-libvirt.yaml
@ -95,7 +95,7 @@ parameters:
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.
  InternalTLSVncCAFile:
-    default: '/etc/ipa/ca.crt'
+    default: '/etc/pki/CA/certs/vnc.crt'
    type: string
    description: Specifies the CA cert to use for VNC TLS.
  LibvirtCACert:
--- a/docker/services/nova-vnc-proxy.yaml
+++ b/docker/services/nova-vnc-proxy.yaml
@ -55,7 +55,7 @@ parameters:
                 enable TLS transaport for libvirt VNC and configure the
                 relevant keys for libvirt.
  InternalTLSVncCAFile:
-    default: '/etc/ipa/ca.crt'
+    default: '/etc/pki/CA/certs/vnc.crt'
    type: string
    description: Specifies the CA cert to use for VNC TLS.
  LibvirtVncCACert:
--- a/puppet/services/nova-libvirt.yaml
+++ b/puppet/services/nova-libvirt.yaml
@ -88,7 +88,7 @@ parameters:
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.
  InternalTLSVncCAFile:
-    default: '/etc/ipa/ca.crt'
+    default: '/etc/pki/CA/certs/vnc.crt'
    type: string
    description: Specifies the CA cert to use for VNC TLS.
  LibvirtCACert:
--- a/puppet/services/nova-vnc-proxy.yaml
+++ b/puppet/services/nova-vnc-proxy.yaml
@ -56,7 +56,7 @@ parameters:
                 enable TLS transaport for libvirt VNC and configure the
                 relevant keys for libvirt.
  InternalTLSVncCAFile:
-    default: '/etc/ipa/ca.crt'
+    default: '/etc/pki/CA/certs/vnc.crt'
    type: string
    description: Specifies the CA cert to use for VNC TLS.
  LibvirtVncCACert:
--- a/releasenotes/notes/nova-point-internalTLSVNCCAFile-to-ipa-ca-1dfccad609a4d4cb.yaml
+++ b/releasenotes/notes/nova-point-internalTLSVNCCAFile-to-ipa-ca-1dfccad609a4d4cb.yaml
@ -1,10 +0,0 @@
---
-fixes:
-  - |
-    In case the freeipa CA is a sub CA of an external CA the InternalTLSVncCAFile
-    requrested does not have the full CA chain and only have the free IPA
-    CA. As a result qemu which can not verify the vnc certificate sent by
-    the vnc-proxy. The issue is in certmonger as it does not return the full
-    CA chain.
-    As a workaround, until certmonger is fixed, this change points the
-    InternalTLSVncCAFile to /etc/ipa/ca.crt which has the full CA chain.