0256306ab8
In cases where TLS and IPv6 is enabled in the overcloud, quickstart still passed an IPv4 value for PublicVirtualFixedIps. This fixes that. Co-Author: Juan Antonio Osorio Robles <jaosorior@redhat.com> Co-Author: Sagi Shnaidman <sshnaidm@redhat.com> Change-Id: I09849c0915e7de7cf3b6de92457dfb5ff29f05ff
59 lines
1.9 KiB
Django/Jinja
Executable File
59 lines
1.9 KiB
Django/Jinja
Executable File
#!/bin/bash
|
|
|
|
set -eux
|
|
|
|
### --start_docs
|
|
## Generating the overcloud SSL Certificates
|
|
## =========================================
|
|
|
|
## * Generate a private key
|
|
## ::
|
|
|
|
openssl genrsa 2048 > {{ working_dir }}/overcloud-ca-privkey.pem 2> /dev/null
|
|
|
|
## * Generate a self-signed CA certificate
|
|
## ::
|
|
|
|
openssl req -new -x509 -key {{ working_dir }}/overcloud-ca-privkey.pem \
|
|
-out {{ working_dir }}/overcloud-cacert.pem -days 365 \
|
|
-subj "/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=OOOQ/CN=overcloud"
|
|
|
|
## * Add the self-signed CA certificate to the undercloud's trusted certificate
|
|
## store.
|
|
## ::
|
|
|
|
sudo cp {{ working_dir }}/overcloud-cacert.pem /etc/pki/ca-trust/source/anchors/
|
|
sudo update-ca-trust extract
|
|
|
|
## * Generate the leaf certificate request and key that will be used for the
|
|
## public VIP
|
|
## ::
|
|
|
|
{% set _vip = overcloud_public_vip %}
|
|
|
|
openssl req -newkey rsa:2048 -days 365 \
|
|
-nodes -keyout {{ working_dir }}/server-key.pem \
|
|
-out {{ working_dir }}/server-req.pem \
|
|
-subj "/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=OOOQ/CN={{_vip}}" \
|
|
-reqexts subjectAltName \
|
|
-config <(printf "[subjectAltName]\nsubjectAltName=IP:{{_vip}}\n[req]req_extensions = v3_req\ndistinguished_name=req_distinguished_name\n[req_distinguished_name]")
|
|
|
|
## * Process the server RSA key
|
|
## ::
|
|
|
|
openssl rsa -in {{ working_dir }}/server-key.pem \
|
|
-out {{ working_dir }}/server-key.pem
|
|
|
|
## * Sign the leaf certificate with the CA certificate and generate
|
|
## the certificate
|
|
## ::
|
|
|
|
openssl x509 -req -in server-req.pem -days 365 \
|
|
-CA {{ working_dir }}/overcloud-cacert.pem \
|
|
-CAkey {{ working_dir }}/overcloud-ca-privkey.pem \
|
|
-set_serial 01 -out {{ working_dir }}/server-cert.pem \
|
|
-extensions subjectAltName \
|
|
-extfile <(printf "[subjectAltName]\nsubjectAltName=IP:{{_vip}}\n[req]req_extensions = v3_req\ndistinguished_name=req_distinguished_name\n[req_distinguished_name]")
|
|
|
|
## --stop_docs
|