OpenStack Keystone Charm

  1. Bug #1919148
  2. Comment #0

Comment 0 for bug 1919148

Revision history for this message
Eric Desrochers (slashd) wrote : charm-keystones seems to produce more than 3 vhost for each endpoints

# charm-helpers src code:

{% for address, endpoint, ext, int in endpoints -%}
<VirtualHost {{ address }}:{{ ext }}>
ServerName {{ endpoint }}
SSLEngine on

# This section is based on Mozilla's recommendation
# as the "intermediate" profile as of July 7th, 2020.
# https://wiki.mozilla.org/Security/Server_Side_TLS
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off

SSLCertificateFile /etc/apache2/ssl/{{ namespace }}/cert_{{ endpoint }}
# See LP 1484489 - this is to support <= 2.4.7 and >= 2.4.8
SSLCertificateChainFile /etc/apache2/ssl/{{ namespace }}/cert_{{ endpoint }}
SSLCertificateKeyFile /etc/apache2/ssl/{{ namespace }}/key_{{ endpoint }}
ProxyPass / http://localhost:{{ int }}/
ProxyPassReverse / http://localhost:{{ int }}/
ProxyPreserveHost on
RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
{% endfor -%}

Seems like there is a 'for loop' creating a vhost entry for each addresses found.

I'm not sure yet from where the charm consumes the addresses, but in this specific case I worked on. The user have more than 3 vhost (1 for each: admin, public, internal), he has in fact 6 vhosts, which cause redirection to fail and hit the wrong SSL certificate.

Only redirection to admin endpoints work 100% of the time. Most likely because the admin vhost are the first loaded in Apache2 (At the top of the config file). So public redirection will most likely fail all the time.

Leading to connection failure and OpenSSL errors as such:

# keystone-0's keystone logs
(keystone.common.wsgi): 2021-03-05 09:31:40,178 ERROR Command 'openssl' returned non-zero exit status 3
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 226, in __call__
result = method(req, **params)
File "/usr/lib/python2.7/dist-packages/keystone/common/controller.py", line 82, in inner
return f(self, request, *args, **kwargs)
File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 361, in revocation_list
CONF.signing.keyfile)
File "/usr/lib/python2.7/dist-packages/keystoneclient/common/cms.py", line 336, in cms_sign_text
signing_key_file_name, message_digest=message_digest)
File "/usr/lib/python2.7/dist-packages/keystoneclient/common/cms.py", line 384, in cms_sign_data
raise subprocess.CalledProcessError(retcode, 'openssl')
CalledProcessError: Command 'openssl' returned non-zero exit status 3

"openstack endpoint list --service keystone" command report only 1 region with 3 endpoints, as it should.

Question is how charm-helper or charm-keystone manage to create that many vhosts ?
When it should have only created 3 of them.