SSL certificate and key without custom-defined CA are not installed

Bug #1811994 reported by Niels van Adrichem
Affects: OpenStack Dashboard Charm
Status: Invalid
Importance: Medium
Assigned to: Niels van Adrichem

Bug Description

Since commit https://github.com/openstack/charm-openstack-dashboard/commit/5083662c27969371d8503071e0b607443ed68429 the SSL certificate and key defined in config options ssl_cert and ssl_key are not installed anymore if there also isn't a custom-defined CA. When unmet, Horizon will use a self-signed SSL certificate and key.

I believe this behaviour is incorrect: when using keys and certificates signed by a public CA, there is no need for a custom-defined CA. Additionally, the documentation does not mention the requirement of a CA, and other charms containing ssl_cert and ssl_key configuration also do not require this.

I already made and submitted a patch with tests for review to Gerrit at https://review.openstack.org/#/c/631216/. I'll amend it with the appropriate reference to this bug.
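An added check, not part of the original report or the charm's code: it compares the leaf certificate configured in ssl_cert with the certificate the dashboard actually serves, so a silent fall-back to the self-signed certificate shows up as a mismatch. It assumes ssl_cert holds the base64 of a PEM file (leaf first); the function names, the sample byte strings and the host `dashboard.example` are constructed for illustration.

```python
import base64
import hashlib
import ssl

HEADER = "-----BEGIN CERTIFICATE-----"
FOOTER = "-----END CERTIFICATE-----"


def leaf_fingerprint(pem_text):
    """SHA-256 hex digest of the first certificate's DER bytes in a PEM bundle."""
    start = pem_text.find(HEADER)
    end = pem_text.find(FOOTER, start)
    if start < 0 or end < 0:
        raise ValueError("no PEM certificate found")
    der = ssl.PEM_cert_to_DER_cert(pem_text[start:end + len(FOOTER)])
    return hashlib.sha256(der).hexdigest()


def compare_served_cert(ssl_cert_b64, served_pem):
    """Return 'unset', 'match' or 'mismatch' for configured vs. served leaf."""
    if not ssl_cert_b64 or not ssl_cert_b64.strip():
        return "unset"  # nothing configured, so nothing to compare against
    configured_pem = base64.b64decode(ssl_cert_b64).decode("ascii")
    if leaf_fingerprint(configured_pem) == leaf_fingerprint(served_pem):
        return "match"
    return "mismatch"  # e.g. the self-signed fallback is being served


# Constructed stand-ins: arbitrary bytes wrapped as PEM, not real X.509.
CONFIGURED_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-public-ca-signed-leaf")
INTERMEDIATE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-intermediate")
FALLBACK_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-self-signed-fallback")
# Assumed config encoding: base64 of the PEM (leaf first, then chain).
SSL_CERT_OPTION = base64.b64encode(
    (CONFIGURED_PEM + INTERMEDIATE_PEM).encode("ascii")).decode("ascii")

if __name__ == "__main__":
    # Live use: served = ssl.get_server_certificate(("dashboard.example", 443))
    print(compare_served_cert(SSL_CERT_OPTION, CONFIGURED_PEM))
    print(compare_served_cert(SSL_CERT_OPTION, FALLBACK_PEM))
```
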

James Page (james-page) wrote :

Thanks for the patch - I've assigned this bug to you and landed your review into the master branch.

If you would like to follow the process for cherry-picking to stable/18.11 I'll review that as well!

Changed in charm-openstack-dashboard:
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Niels van Adrichem (nvanadrichem)
milestone: none → 19.04
Niels van Adrichem (nvanadrichem) wrote :

In the time between me sending the git-review and the merge attempt to master by Zuul, this functionality appears completely offloaded to the charmhelpers.contrib.context module, where a class ApacheSSLContext exists. Although I haven't tested it personally, the charm-helpers code suggests this error does not exist anymore. Even if the bug lives on in charm-helpers, it should probably be fixed there and have the appropriate tests in there as well. Hence, I don't think it is relevant anymore for the master branch.

However, it is still appropriate for stable/18.11. Let me know which steps I should take to have it reviewed specifically for stable/18.11. Otherwise, I think we can close this bug and the review.

Frode Nordahl (fnordahl) wrote :

The charm has indeed been changed to use the ``ApacheSSLContext`` from ``charmhelpers.contrib.openstack.context``.

That implementation does allow you to specify ``ssl_cert`` and ``ssl_key`` without ``ssl_ca``.

I believe the ``stable/18.11`` did have code for this too? Regardless, the release of ``stable/19.04`` is imminent, so if there is indeed an issue with the ``stable/18.11`` implementation I would advise awaiting the 19.04 charms release.

Changed in charm-openstack-dashboard:
status: In Progress → Invalid
OpenStack Infra (hudson-openstack) wrote : Change abandoned on charm-openstack-dashboard (master)

Change abandoned by "Billy Olsen <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/charm-openstack-dashboard/+/631216
Reason: Abandoning change due to obsolete
