is_cert_provided_in_config check is too strict, ssl_ca should be optional

Bug #1711354 reported by Nobuto Murata
This bug affects 1 person
Affects: OpenStack Keystone Charm
Status: Fix Released
Importance: Medium
Assigned to: Nobuto Murata

Bug Description

[hooks/keystone_context.py, lines 52-56]
    def is_cert_provided_in_config():
        # All three values must be set; ssl_ca is not treated as optional.
        ca = config('ssl_ca')
        cert = config('ssl_cert')
        key = config('ssl_key')
        return bool(ca and cert and key)

When configuring SSL, the keystone charm skips the configuration when ssl_ca is not provided in the charm config. ssl_ca is unnecessary when the OS already has the root CA, e.g. GeoTrust.

Tags: cpe-onsite
Revision history for this message
Nobuto Murata (nobuto) wrote :

Otherwise, non-leader units will be blocked with "Services not running that should be: apache2" because /etc/apache2/ssl/keystone/ is empty.

Changed in charm-keystone:
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Nobuto Murata (nobuto)
Nobuto Murata (nobuto)
tags: added: cpe-onsite
James Page (james-page)
Changed in charm-keystone:
assignee: Nobuto Murata (nobuto) → James Page (james-page)
James Page (james-page)
Changed in charm-keystone:
assignee: James Page (james-page) → nobody
status: In Progress → Triaged
Changed in charm-keystone:
assignee: nobody → Nobuto Murata (nobuto)
status: Triaged → In Progress
milestone: none → 17.11
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone (master)

Reviewed: https://review.openstack.org/494514
Committed: https://git.openstack.org/cgit/openstack/charm-keystone/commit/?id=9a0563bf450e2138e4d67682641de617364ae05f
Submitter: Zuul
Branch: master

commit 9a0563bf450e2138e4d67682641de617364ae05f
Author: Nobuto Murata <email address hidden>
Date: Thu Aug 17 19:24:52 2017 +0700

    Make ssl_ca optional if ssl_cert+ssl_key provided

    ssl_ca is not necessary when ssl_cert is signed by
    a trusted CA, such as GeoTrust, because a trusted
    cert chain is in the system already. Users can just
    provide ssl_cert and ssl_key to enable SSL endpoint
    in that case.

    Closes-Bug: #1711354
    Change-Id: I4a34df1a2c2bf5705e02b713d968a22f4bbf57cf
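The strict check quoted in the bug description beside the relaxed rule the commit message describes, run over a matrix of charm configs. This is an added example, not code from the keystone charm: the real charm reads values through charmhelpers' config(), whereas here the charm config is a plain dict passed in; the ssl_config_problems helper and the file names under /etc/apache2/ssl/keystone are assumptions made for this example (the page only says that directory ends up empty when the check fails).

```python
"""Added example (not the charm's own code): the strict check from the bug
report beside the relaxed one the fix describes, evaluated over a config
matrix.  The charm reads config via charmhelpers' config(); here the charm
config is a plain dict passed in (an assumption for offline use)."""


def is_cert_provided_in_config_strict(cfg):
    """Behaviour before the fix: ssl_ca, ssl_cert and ssl_key all required.
    Empty strings and None count as 'not provided', exactly as bool() does."""
    ca = cfg.get("ssl_ca")
    cert = cfg.get("ssl_cert")
    key = cfg.get("ssl_key")
    return bool(ca and cert and key)


def is_cert_provided_in_config(cfg):
    """Behaviour the fix describes: ssl_cert + ssl_key enable SSL; ssl_ca is
    optional because a cert signed by a CA already in the system trust store
    needs no extra CA bundle shipped through charm config."""
    cert = cfg.get("ssl_cert")
    key = cfg.get("ssl_key")
    return bool(cert and key)


def ssl_config_problems(cfg):
    """Caveat neither check addresses (helper is an assumption, not charm
    code): a cert without its key, or ssl_ca on its own, is silently treated
    as 'no SSL' by both checks, so report such partial configs explicitly.
    Returns a list of problem strings, empty when the config is consistent."""
    problems = []
    cert = bool(cfg.get("ssl_cert"))
    key = bool(cfg.get("ssl_key"))
    ca = bool(cfg.get("ssl_ca"))
    if cert != key:
        problems.append("ssl_cert and ssl_key must be set together")
    if ca and not (cert and key):
        problems.append("ssl_ca is set but ssl_cert/ssl_key are missing; "
                        "ssl_ca alone does not enable SSL")
    return problems


def ssl_files_to_write(cfg, ssl_dir="/etc/apache2/ssl/keystone"):
    """Which files would land in the Apache SSL directory under the relaxed
    check.  The file names are an assumption for this example.  When ssl_ca
    is absent no CA file is written and clients rely on the system trust
    store, which is the point of the fix."""
    if not is_cert_provided_in_config(cfg):
        return {}
    files = {
        f"{ssl_dir}/cert": cfg["ssl_cert"],
        f"{ssl_dir}/key": cfg["ssl_key"],
    }
    if cfg.get("ssl_ca"):
        files[f"{ssl_dir}/ca.pem"] = cfg["ssl_ca"]
    return files


# Constructed sample configs; the PEM bodies are placeholders, not real keys.
SAMPLE_CONFIGS = {
    "publicly_signed": {"ssl_cert": "-----BEGIN CERTIFICATE-----...",
                        "ssl_key": "-----BEGIN PRIVATE KEY-----..."},
    "private_ca": {"ssl_ca": "-----BEGIN CERTIFICATE-----...CA...",
                   "ssl_cert": "-----BEGIN CERTIFICATE-----...",
                   "ssl_key": "-----BEGIN PRIVATE KEY-----..."},
    "ca_only": {"ssl_ca": "-----BEGIN CERTIFICATE-----...CA..."},
    "cert_without_key": {"ssl_cert": "-----BEGIN CERTIFICATE-----..."},
    "empty_strings": {"ssl_ca": "", "ssl_cert": "", "ssl_key": ""},
}


def compare_checks(configs=SAMPLE_CONFIGS):
    """Return {name: (strict_result, relaxed_result)} for each sample config."""
    return {name: (is_cert_provided_in_config_strict(c),
                   is_cert_provided_in_config(c))
            for name, c in configs.items()}


if __name__ == "__main__":
    for name, (strict, relaxed) in compare_checks().items():
        print(f"{name:18s} strict={strict!s:5s} relaxed={relaxed!s:5s} "
              f"problems={ssl_config_problems(SAMPLE_CONFIGS[name])}")
```

The "publicly_signed" row is the case from the report: the strict check returns False and the SSL directory stays empty, while the relaxed check enables the endpoint. The "private_ca" row shows that supplying ssl_ca still works and still gets the CA file written, so the fix loosens the gate without changing the behaviour of deployments that do ship a private CA.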

Changed in charm-keystone:
status: In Progress → Fix Committed
James Page (james-page)
Changed in charm-keystone:
status: Fix Committed → Fix Released