OpenStack-Ansible

Horizon Self-Signed Certificate uses deprecated SHA-1

Bug #1461983 reported by Christopher H. Laco on 2015-06-04

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
OpenStack-Ansible	Fix Released	Medium	Ian Cordasco
Icehouse	Fix Released	Medium	Ian Cordasco	OpenStack-Ansible 9.0.10
Juno	Fix Released	Medium	Ian Cordasco	OpenStack-Ansible 10.1.9
Kilo	Fix Released	Medium	Ian Cordasco	OpenStack-Ansible 11.0.3
Trunk	Fix Released	Medium	Ian Cordasco

Bug Description

The self-signed certificate generated for Horizon uses the deprecating SHA-1 fingerprint by default. As various clients start to treat that as insecure, we should move to using the SHA-2 fingerprints.

https://github.com/stackforge/os-ansible-deployment/blob/master/playbooks/roles/os_horizon/tasks/horizon_ssl_key_create.yml#L26

Revision history for this message

Ian Cordasco (icordasc) wrote on 2015-06-04:

For reference, https://security.stackexchange.com/questions/65271/can-a-csr-be-created-in-openssl-with-sha2

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-06-10: Fix proposed to os-ansible-deployment (master)

Fix proposed to branch: master
Review: https://review.openstack.org/190004

Changed in openstack-ansible:
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-06-10: Fix proposed to os-ansible-deployment (icehouse)

Fix proposed to branch: icehouse
Review: https://review.openstack.org/190005

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-06-10: Fix proposed to os-ansible-deployment (juno)

Fix proposed to branch: juno
Review: https://review.openstack.org/190006

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-06-10: Fix proposed to os-ansible-deployment (kilo)

Fix proposed to branch: kilo
Review: https://review.openstack.org/190007

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-06-10: Fix merged to os-ansible-deployment (kilo)

Reviewed: https://review.openstack.org/190007
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=b7a46b42ec0a24b3971865fd91fc002edbda6e12
Submitter: Jenkins
Branch: kilo

commit b7a46b42ec0a24b3971865fd91fc002edbda6e12
Author: Ian Cordasco <email address hidden>
Date: Tue Jun 9 22:15:20 2015 -0500

Generate a SHA-2 certificate for Horizon

    SHA-1 certificates are being deprecated and browsers are starting to
    issue warnings about their use. We should begin generating SHA-2
    certificates for Horizon.

    Closes-bug: 1461983
    Change-Id: I7f1933680e2859e007f6b8be262852b164f90b33
    (cherry picked from commit ed29e8a3d9e9f102158e35f8b0ea7bd3ef278327)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-06-10: Fix merged to os-ansible-deployment (juno)

Reviewed: https://review.openstack.org/190006
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=dc862c803c6e9839f814ba31f2a2271b9d356611
Submitter: Jenkins
Branch: juno

commit dc862c803c6e9839f814ba31f2a2271b9d356611
Author: Ian Cordasco <email address hidden>
Date: Tue Jun 9 22:15:20 2015 -0500

Generate a SHA-2 certificate for Horizon

    SHA-1 certificates are being deprecated and browsers are starting to
    issue warnings about their use. We should begin generating SHA-2
    certificates for Horizon.

    Closes-bug: 1461983
    Change-Id: I7f1933680e2859e007f6b8be262852b164f90b33
    (cherry picked from commit ed29e8a3d9e9f102158e35f8b0ea7bd3ef278327)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-06-10: Fix merged to os-ansible-deployment (icehouse)

Reviewed: https://review.openstack.org/190005
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=0977e2ab5545f4653fdf6c1b17d37b9fa8abe26d
Submitter: Jenkins
Branch: icehouse

commit 0977e2ab5545f4653fdf6c1b17d37b9fa8abe26d
Author: Ian Cordasco <email address hidden>
Date: Tue Jun 9 22:15:20 2015 -0500

Generate a SHA-2 certificate for Horizon

    SHA-1 certificates are being deprecated and browsers are starting to
    issue warnings about their use. We should begin generating SHA-2
    certificates for Horizon.

    Closes-bug: 1461983
    Change-Id: I7f1933680e2859e007f6b8be262852b164f90b33
    (cherry picked from commit ed29e8a3d9e9f102158e35f8b0ea7bd3ef278327)
    (cherry picked from commit dc862c803c6e9839f814ba31f2a2271b9d356611)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-06-10: Fix merged to os-ansible-deployment (master)

Reviewed: https://review.openstack.org/190004
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=d81c195407c8a0922140e6d845e00a084d6f81e2
Submitter: Jenkins
Branch: master

commit d81c195407c8a0922140e6d845e00a084d6f81e2
Author: Ian Cordasco <email address hidden>
Date: Tue Jun 9 22:15:20 2015 -0500

Generate a SHA-2 certificate for Horizon

    SHA-1 certificates are being deprecated and browsers are starting to
    issue warnings about their use. We should begin generating SHA-2
    certificates for Horizon.

Closes-bug: 1461983
Change-Id: I7f1933680e2859e007f6b8be262852b164f90b33

Changed in openstack-ansible:
status:	In Progress → Fix Committed

Revision history for this message

Davanum Srinivas (DIMS) (dims-v) wrote on 2016-05-03: Fix included in openstack/openstack-ansible 11.2.14

#10

This issue was fixed in the openstack/openstack-ansible 11.2.14 release.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.