From b92aa0e5bc3baa72f93db706fa1e1b88bd9d6741 Mon Sep 17 00:00:00 2001
From: Harry Rybacki
Date: Tue, 20 Aug 2019 18:55:00 +0000
Subject: [PATCH] Revert "Point InternalTLSVncCAFile to /etc/ipa/ca.crt"

We believe this change induced a regression[1] that is further breaking TripleO TLS-Everywhere deployments. Submitting a revert patch while we investigate and work on a more robust solution.

[1] - https://bugzilla.redhat.com/show_bug.cgi?id=1743485

This reverts commit ade09f3a3405f47fa9524ef4baea155a4262175b.

Change-Id: I1d8a3ec6655598f456736dbfdcdff0ca7d963288
---
 deployment/nova/nova-libvirt-container-puppet.yaml | 2 +-
 deployment/nova/nova-vnc-proxy-container-puppet.yaml | 2 +-
 ...nternalTLSVncCAFile_to_ipa_ca-23830eab2b91fdf8.yaml | 10 ----------
 3 files changed, 2 insertions(+), 12 deletions(-)
 delete mode 100644 releasenotes/notes/nova_point_InternalTLSVncCAFile_to_ipa_ca-23830eab2b91fdf8.yaml
diff --git a/deployment/nova/nova-libvirt-container-puppet.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml
index 195bd6fef9..cb5a55cdde 100644
--- a/deployment/nova/nova-libvirt-container-puppet.yaml
+++ b/deployment/nova/nova-libvirt-container-puppet.yaml
@@ -102,7 +102,7 @@ parameters:
 type: string
 description: Specifies the CA cert to use for NBD TLS.
 InternalTLSVncCAFile:
- default: '/etc/ipa/ca.crt'
+ default: '/etc/pki/CA/certs/vnc.crt'
 type: string
 description: Specifies the CA cert to use for VNC TLS.
 InternalTLSQemuCAFile:
diff --git a/deployment/nova/nova-vnc-proxy-container-puppet.yaml b/deployment/nova/nova-vnc-proxy-container-puppet.yaml
index affa273c9d..937a5257d5 100644
--- a/deployment/nova/nova-vnc-proxy-container-puppet.yaml
+++ b/deployment/nova/nova-vnc-proxy-container-puppet.yaml
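Review bot: Both hunks restore `/etc/pki/CA/certs/vnc.crt` as the default for InternalTLSVncCAFile, and the release note this commit deletes records that on deployments where the FreeIPA CA is a sub-CA of an external CA that file carries only the IPA CA rather than the full chain, so qemu cannot verify the certificate presented by the vnc-proxy; if that description is still accurate, the revert brings that verification failure back without the templates saying so (the matching hunk in nova-vnc-proxy-container-puppet.yaml has the same gap). The parameter's description in both templates still reads only `Specifies the CA cert to use for VNC TLS.`, which is all an operator will see once the release note is gone. I would extend it in both places so the caveat survives the revert, e.g. `description: Specifies the CA cert to use for VNC TLS. When the issuing CA is an intermediate of an external CA this file may not hold the full chain; override it with a file that does.` Since the same parameter name is declared in both templates, their defaults also need to stay identical, which this revert does preserve.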
@@ -51,7 +51,7 @@ parameters:
 enable TLS transaport for libvirt VNC and configure the relevant keys for libvirt.
 InternalTLSVncCAFile:
- default: '/etc/ipa/ca.crt'
+ default: '/etc/pki/CA/certs/vnc.crt'
 type: string
 description: Specifies the CA cert to use for VNC TLS.
 LibvirtVncCACert:
diff --git a/releasenotes/notes/nova_point_InternalTLSVncCAFile_to_ipa_ca-23830eab2b91fdf8.yaml b/releasenotes/notes/nova_point_InternalTLSVncCAFile_to_ipa_ca-23830eab2b91fdf8.yaml
deleted file mode 100644
index f8f832186f..0000000000
--- a/releasenotes/notes/nova_point_InternalTLSVncCAFile_to_ipa_ca-23830eab2b91fdf8.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-fixes:
- - |
- In case the freeipa CA is a sub CA of an external CA the InternalTLSVncCAFile
- requrested does not have the full CA chain and only have the free IPA
- CA. As a result qemu which can not verify the vnc certificate sent by
- the vnc-proxy. The issue is in certmonger as it does not return the full
- CA chain.
- As a workaround, until certmonger is fixed, this change points the
- InternalTLSVncCAFile to /etc/ipa/ca.crt which has the full CA chain.