ApacheSSLContext should use ssl_ca when set
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Charm Helpers | Triaged | High | Unassigned |
OpenStack Keystone Charm | Triaged | High | Unassigned |
Bug Description
A change to the openstack_
Even commercially signed certificates often have an intermediate signing certificate that must be configured to enable certificate validation. Concatenating the whole certificate chain including a CA certificate, an intermediate signing certificate, and the server certificate works for Apache.
However, in the OpenStack Charms the ssl_ca setting is used for more than just the Apache configuration. The ssl_ca gets installed on the unit as a Certificate Authority enabling intra-deployment communication. For example, allowing the cinder unit to communicate with keystone via https without certificate validation errors.
This is particularly important for self-signed (non-commercial) certificate authorities in an organization. The CA and any intermediate signing certificates must get installed as certificate authorities to allow intra-deployment communication. Even with commercially signed certificate authorities, an intermediate certificate may be required to be installed. That is the purpose of the ssl_ca configuration parameter.
This bug is to add intelligence to the ApacheSSLContext and the openstack_
Check if ssl_ca is set:
* Use ssl_ca as the SSLCertificateC
* If not set, set SSLCertificateC
This bug is also for updating any documentation that requires clarification on the above. Particularly making clear the requirement to set ssl_ca for intra-deployment communication.
[0] https:/
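The selection logic the report asks for, as an added example written for this page (it is not charm-helpers or charm-keystone code). It assumes the truncated directive name is Apache's SSLCertificateChainFile, that the fallback when ssl_ca is unset is to keep pointing that directive at the server certificate file (the concatenated-chain case described above), and that the file paths are placeholders:

```python
"""Minimal stand-in for an Apache SSL context that honours ssl_ca.

Assumptions (not from the bug report): the directive is
SSLCertificateChainFile, the paths below are illustrative placeholders,
and the certificate material is handled as opaque PEM text.
"""
import re

# Matches one PEM certificate block; the bundle may contain several.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Placeholder paths, assumed for the example.
CA_BUNDLE_PATH = "/usr/local/share/ca-certificates/juju_ca_cert.crt"
SERVER_CERT_PATH = "/etc/apache2/ssl/keystone/cert_keystone"
SERVER_KEY_PATH = "/etc/apache2/ssl/keystone/key_keystone"


def split_pem_certs(bundle):
    """Return the individual PEM certificate blocks found in a bundle."""
    return PEM_CERT.findall(bundle or "")


def apache_ssl_directives(config):
    """Return the vhost SSL directives for a dict of charm settings.

    If ssl_ca holds at least one certificate (CA plus any intermediates),
    the same bundle that is installed as a trusted CA on the unit is also
    handed to Apache as the chain file, so clients receive the
    intermediates in the handshake.  Otherwise the chain directive keeps
    pointing at the server certificate file, which then has to carry the
    whole concatenated chain itself.
    """
    directives = {
        "SSLEngine": "on",
        "SSLCertificateFile": SERVER_CERT_PATH,
        "SSLCertificateKeyFile": SERVER_KEY_PATH,
    }
    if split_pem_certs(config.get("ssl_ca")):
        directives["SSLCertificateChainFile"] = CA_BUNDLE_PATH
    else:
        directives["SSLCertificateChainFile"] = SERVER_CERT_PATH
    return directives


def render_ssl_block(config):
    """Render the directives as Apache config lines, one per directive."""
    return "\n".join("%s %s" % (name, value) for name, value
                     in sorted(apache_ssl_directives(config).items()))
```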
Changed in charm-keystone: milestone 18.05 → 18.08
Changed in charm-keystone: milestone 18.08 → 18.11
Changed in charm-keystone: milestone 18.11 → 19.04
Changed in charm-keystone: milestone 19.04 → 19.07
Changed in charm-keystone: milestone 19.07 → 19.10
Changed in charm-keystone: milestone 19.10 → 20.01
Changed in charm-keystone: milestone 20.01 → 20.05
Changed in charm-keystone: milestone 20.05 → 20.08
Changed in charm-keystone: milestone 20.08 → none
Adding keystone to get OpenStack charms on the radar. Keystone may or may not require documentation updates.