Please allow uploading private trusted CA certificates when using TLS/SSL

Bug #1503023 reported by ggolin
Affects: Fuel for OpenStack
Status: Invalid
Importance: Medium
Assigned to: Stanislaw Bogatkin

Bug Description

In Mirantis-7, using a certificate signed by an internal authority (unknown to Fuel) causes the deployment to fail because of SSL verification errors. Please add a capability to import custom authority certificates when using TLS/SSL.

Changed in fuel:
assignee: nobody → Fuel Library Team (fuel-library)
milestone: none → 8.0
importance: Undecided → High
importance: High → Medium
Revision history for this message
Dmitry Klenov (dklenov) wrote :

ggolin: can you please provide detailed steps you follow to reproduce the error?

Changed in fuel:
status: New → Incomplete
ggolin (greg-golin) wrote :

Here you go, dklenov:

1. Create an environment in fuel web UI
2. In the Settings page enable Public TLS for both Horizon and Public end points
3. Use your own certificate and key signed by an internal authority. This is important because if you use a known CA the failure should not occur.
4. Start the deployment

Deployment will fail with a keystone error about not being able to verify the certificate authority with which you signed your certificate.

I should note that this problem can be solved by writing a very simple plugin that installs your CA certificates on the target nodes in the pre_deployment stage. This is what I am using in the interim.

Changed in fuel:
status: Incomplete → Confirmed
Changed in fuel:
assignee: Fuel Library Team (fuel-library) → Stanislaw Bogatkin (sbogatkin)
Stanislaw Bogatkin (sbogatkin) wrote :

There is not enough info. In our tests we use self-signed certs; Fuel doesn't know anything about them. The process of adding certificates to the trust chain is the same for generated and user certs. Could you please give some more information about your keys, certs and the error you met?

Dmitry Pyzhov (dpyzhov)
tags: added: area-library
ggolin (greg-golin) wrote :

I am sorry, how does a bug go from an incomplete to a confirmed status and then development states there is not enough information?

Stanislaw Bogatkin (sbogatkin) wrote :

Sorry for the long answer, Greg. It seems I got your question. You can provide the full chain of certificates to the Fuel UI and then it will work right, because the whole chain will be added as trusted for all nodes in the whole environment. All you need to do is put
-----BEGIN YOUR CERTIFICATE-----
-----END YOUR CERTIFICATE-----
-----BEGIN INTERMEDIATE CERTIFICATE-----
-----END INTERMEDIATE CERTIFICATE-----
-----BEGIN INTERMEDIATE CERTIFICATE-----
-----END INTERMEDIATE CERTIFICATE-----
-----BEGIN ROOT CERTIFICATE-----
-----END ROOT CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

instead of just putting
-----BEGIN YOUR CERTIFICATE-----
-----END YOUR CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

into the certificate field for OpenStack public endpoints

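As an added example (not part of this thread and not Fuel's own code), here is a small stdlib-only Python checker for the bundle layout described above: server certificate first, then the intermediates and root, then exactly one private key. It assumes the labels in the comment ("YOUR CERTIFICATE", "INTERMEDIATE CERTIFICATE", "ROOT CERTIFICATE") are placeholders, since real PEM certificates are all labelled CERTIFICATE; it checks layout only and does not verify signatures or issuer/subject links.

```python
import base64
import binascii
import re

# One PEM block: label ("CERTIFICATE", "RSA PRIVATE KEY", ...) and its base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY"}


def parse_bundle(text):
    """Return [(label, der_bytes), ...] for every PEM block in text.
    Raises ValueError when a body is empty or is not valid base64."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"block '{label}': body is not base64 ({exc})")
        if not der:
            raise ValueError(f"block '{label}': body is empty")
        blocks.append((label, der))
    return blocks


def lint_bundle(text):
    """Check the layout the Fuel certificate field expects (assumption based on
    the comment above): certificates first, the key last, the CA chain present.
    Returns a list of problems; an empty list means the bundle looks complete.
    Signatures are NOT checked; use 'openssl verify' with the CA file for that."""
    blocks = parse_bundle(text)
    problems = []
    certs = [i for i, (label, _) in enumerate(blocks) if label == "CERTIFICATE"]
    keys = [i for i, (label, _) in enumerate(blocks) if label in KEY_LABELS]
    for label, der in blocks:
        if label != "CERTIFICATE" and label not in KEY_LABELS:
            problems.append(f"unexpected block type '{label}' (real PEM certificates are labelled CERTIFICATE)")
        elif der[0] != 0x30:  # X.509 certs and PKCS#1/PKCS#8 keys are DER SEQUENCEs
            problems.append(f"block '{label}' does not decode to a DER SEQUENCE")
    if not certs:
        problems.append("no CERTIFICATE block found")
    elif len(certs) == 1:
        problems.append("only one certificate: the issuing CA chain is missing, so nodes cannot verify a privately signed certificate")
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    elif certs and keys[0] < certs[-1]:
        problems.append("private key must come after the certificates")
    return problems


if __name__ == "__main__":
    # Constructed sample (bodies are dummy DER, not real certs): leaf + key only,
    # the layout that reproduces the failure described in this bug.
    sample = ("-----BEGIN CERTIFICATE-----\nMAAA\n-----END CERTIFICATE-----\n"
              "-----BEGIN RSA PRIVATE KEY-----\nMAAA\n-----END RSA PRIVATE KEY-----\n")
    for problem in lint_bundle(sample):
        print("problem:", problem)
```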
Changed in fuel:
status: Confirmed → Invalid
ggolin (greg-golin) wrote : Re: [Bug 1503023] Re: Please allow uploading private trusted CA certificates when using TLS/SSL

Very well, thank you. This needs to be added to the documentation, or the
UI should say something like "Upload certificate *chain*" because otherwise
this is not apparent.

On Thu, Nov 12, 2015 at 3:39 AM, Stanislaw Bogatkin <email address hidden>
wrote:

--
    "The secret of getting ahead is getting started. The secret of getting
started is breaking your complex overwhelming tasks into small manageable
tasks, and then starting on the first one."

    - Mark Twain, humorist and author (1835 - 1910)
