ssl_add_trust_chain task doesn't add internal and admin certificates in case of using selective SSL

Bug #1528622 reported by Stanislaw Bogatkin
Affects             Status         Importance  Assigned to         Milestone
Fuel for OpenStack  Fix Released   High        Stanislaw Bogatkin
8.0.x               Fix Committed  High        Stanislaw Bogatkin

Bug Description

If we use the selective SSL data hash, then the certificates from it are not added to the trusted chain for the internal and admin endpoints, because the current implementation does this only for the public endpoints.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/260607

Changed in fuel:
status: New → In Progress
Changed in fuel:
milestone: none → 8.0
Maciej Relewicz (rlu)
tags: added: area-library
tags: added: team-bugfix
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/260607
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=65d1aa9911e31fb014ba9f62cf08f08dee31d51b
Submitter: Jenkins
Branch: master

commit 65d1aa9911e31fb014ba9f62cf08f08dee31d51b
Author: Stanislaw Bogatkin <email address hidden>
Date: Tue Dec 22 18:52:55 2015 +0300

    Add all TLS certificates to trusted chain

    Add internal and admin certificates to chain if use_ssl hash used

    Change-Id: I8a713d00dbdadbe178a16fa7d19b59a559ef0c6f
    Closes-Bug: #1528622

Changed in fuel:
status: In Progress → Fix Committed
Changed in fuel:
milestone: 8.0 → 9.0
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (stable/8.0)

Fix proposed to branch: stable/8.0
Review: https://review.openstack.org/262236

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (stable/8.0)

Reviewed: https://review.openstack.org/262236
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=b8e3d867efda0abfa1552665ec0185ded6da8f50
Submitter: Jenkins
Branch: stable/8.0

commit b8e3d867efda0abfa1552665ec0185ded6da8f50
Author: Stanislaw Bogatkin <email address hidden>
Date: Tue Dec 22 18:52:55 2015 +0300

    Add all TLS certificates to trusted chain

    Add internal and admin certificates to chain if use_ssl hash used

    Change-Id: I8a713d00dbdadbe178a16fa7d19b59a559ef0c6f
    Closes-Bug: #1528622
    (cherry picked from commit 65d1aa9911e31fb014ba9f62cf08f08dee31d51b)

tags: added: on-verification
Stanislaw Bogatkin (sbogatkin) wrote :

Seems it doesn't work in 8.0, because https://bugs.launchpad.net/fuel/+bug/1528606 was not landed in the 8.0 cycle. We should reimplement that fix first and then re-verify this one.

Mikhail Samoylov (msamoylov) wrote :

Steps for verification:
1. Deploy any env.
2. On any node, generate an SSL key and cert:
     openssl req -newkey rsa:2048 -nodes -keyout domain.key -x509 -days 365 -out domain.crt
   For the FQDN in the cert you must use the node hostname.
3. Convert the cert to PEM:
     openssl pkcs12 -export -in domain.crt -inkey domain.key -out hostname.p12
     openssl pkcs12 -in hostname.p12 -nodes -out hostname.pem
4. On any node, add to astute.yaml a config like this: http://paste.openstack.org/show/487105/
5. Run the puppet job:
     puppet apply -v /etc/puppet/modules/osnailyfacter/modular/ssl/ssl_keys_saving.pp
6. Run the puppet job:
     puppet apply -v /etc/puppet/modules/osnailyfacter/modular/ssl/ssl_add_trust_chain.pp

Expected result:
All puppet jobs finish without errors.
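
The verification steps above only check that the puppet jobs exit cleanly. The following POSIX shell script is an added example, not part of this bug report or of fuel-library: it repeats the key/cert generation and PEM conversion from steps 2 and 3 (with the hostname passed as the CN, so no prompt), builds a trust bundle from a chosen set of endpoint certificates, and then checks the property this bug is about, namely that the public, internal and admin certificates all validate against the bundle, not only the public one. The hostnames, file names and the bundle built here are assumptions; on a real node the bundle to check would be whatever the ssl_add_trust_chain task installs, which this script does not know.

```shell
#!/bin/sh
# Added example, not code from the bug report or from fuel-library.
# Generates one self-signed cert per endpoint role (public/internal/admin),
# bundles key+cert as PEM via PKCS#12 like the verification steps, and
# checks that each cert validates against a trust bundle.
set -eu

# Steps 2 and 3 of the verification comment, with the FQDN supplied as CN.
# $1 = node FQDN to put in the cert, $2 = output directory, $3 = file prefix
make_node_cert() {
  fqdn=$1; outdir=$2; name=$3
  openssl req -newkey rsa:2048 -nodes -keyout "$outdir/$name.key" \
    -x509 -days 365 -subj "/CN=$fqdn" -out "$outdir/$name.crt" 2>/dev/null
  # -passout/-passin pass: avoid the interactive PKCS#12 password prompt
  openssl pkcs12 -export -in "$outdir/$name.crt" -inkey "$outdir/$name.key" \
    -passout pass: -out "$outdir/$name.p12"
  openssl pkcs12 -in "$outdir/$name.p12" -passin pass: -nodes \
    -out "$outdir/$name.pem" 2>/dev/null
}

# Concatenate certificate files into a trust bundle. This is a stand-in
# (assumption) for whatever the ssl_add_trust_chain task installs on a node.
# $1 = bundle path, remaining args = certificate files to include
make_trust_bundle() {
  bundle=$1; shift
  : > "$bundle"
  for c in "$@"; do cat "$c" >> "$bundle"; done
}

# Exit 0 if certificate $1 chains to a trust anchor in bundle $2.
cert_trusted_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Exit 0 only when every certificate given after the bundle validates
# against it; reports the first one that does not (the symptom of this bug:
# internal/admin certs missing from the chain under selective SSL).
all_trusted_by() {
  bundle=$1; shift
  for c in "$@"; do
    if ! cert_trusted_by "$c" "$bundle"; then
      echo "not trusted by $bundle: $c" >&2
      return 1
    fi
  done
  return 0
}

# Number of certificates in a PEM file
count_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# Demo: a public-only bundle (the pre-fix behaviour) fails the check,
# a bundle with all three endpoint certs passes it.
demo() {
  d=$(mktemp -d)
  for role in public internal admin; do
    make_node_cert "node-1.$role.example.test" "$d" "$role"   # constructed names
  done
  make_trust_bundle "$d/public-only.pem" "$d/public.crt"
  make_trust_bundle "$d/all.pem" "$d/public.crt" "$d/internal.crt" "$d/admin.crt"
  all_trusted_by "$d/public-only.pem" "$d/public.crt" "$d/internal.crt" "$d/admin.crt" \
    || echo "public-only bundle: FAIL (expected before the fix)"
  all_trusted_by "$d/all.pem" "$d/public.crt" "$d/internal.crt" "$d/admin.crt" \
    && echo "full bundle: OK"
  rm -rf "$d"
}
```

Source the script and call `demo`, or call `all_trusted_by <bundle> <cert>...` directly against the certificates you placed in astute.yaml to confirm that the internal and admin ones are trusted and not just the public one.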

tags: removed: on-verification
tags: added: on-verification
Alex Schultz (alex-schultz) wrote :

Verified on ISO #465.

Note: the data to be added to astute.yaml is in this format: http://paste.openstack.org/show/516046/

Changed in fuel:
status: Fix Committed → Fix Released
tags: removed: on-verification