Certmonger post-save command does not work with renewals
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
tripleo | Fix Released | Critical | Juan Antonio Osorio Robles | |
Bug Description
with ssl-enabled undercloud has been running for about a year. The ssl cert expired and was renewed automatically with certmonger. Openstack commands run on the undercloud (stackrc sourced) are returning CERTIFICATE_
This is an issue for all certificates requested by certmonger, and it was due to having wrong assumptions about how the post-save command works with certmonger (it doesn't spawn a subshell).
So, this is an issue for the overcloud as well, with TLS everywhere.
Changed in tripleo: | |
status: | New → Confirmed |
importance: | Undecided → Critical |
assignee: | nobody → Juan Antonio Osorio Robles (juan-osorio-robles) |
milestone: | none → stein-2 |
milestone: | stein-2 → stein-3 |
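The failure mode named in the bug description (the post-save command is not run through a subshell), shown as an added example that is not part of the original report or the TripleO patches. It audits `getcert list`-style output for post-save commands that only work under a shell; the request IDs, paths and commands in the sample are constructed, and `run_without_shell` only approximates exec-style invocation by plain word splitting.

```shell
#!/bin/sh
# Added example: find certmonger post-save commands that depend on shell
# syntax (pipes, &&, redirects, $expansion, globs). Without a subshell those
# tokens reach the program as literal arguments, so the reload step never runs.

# Constructed sample, modelled on the layout of `getcert list` output.
sample_getcert_list() {
cat <<'EOF'
Request ID 'example-haproxy':
    status: MONITORING
    certificate: type=FILE,location='/etc/pki/tls/certs/example-haproxy.crt'
    post-save command: cat /etc/pki/tls/certs/example-haproxy.crt /etc/pki/tls/private/example-haproxy.key > /etc/pki/tls/private/example.pem && systemctl reload haproxy
Request ID 'example-httpd':
    status: MONITORING
    post-save command: systemctl reload httpd
Request ID 'example-novnc':
    status: MONITORING
    post-save command: systemctl reload example-novnc 2>/dev/null || systemctl restart example-novnc
Request ID 'example-redis':
    status: MONITORING
    post-save command: /usr/local/bin/example-refresh-redis.sh
Request ID 'example-mysql':
    status: MONITORING
    post-save command: 
EOF
}

# Reads getcert-list-style text on stdin and prints "<request id><TAB><command>"
# for every non-empty post-save command that contains shell-only syntax.
audit_postsave() {
    awk '
        /^Request ID / {
            split($0, parts, "\047")      # \047 is a single quote
            id = parts[2]
            next
        }
        /^[ \t]*post-save command:/ {
            cmd = $0
            sub(/^[ \t]*post-save command:[ \t]*/, "", cmd)
            if (cmd == "") next           # nothing configured
            if (cmd ~ /[|&;<>$`*?]/) printf "%s\t%s\n", id, cmd
        }
    '
}

# Approximation of exec-style invocation: split on whitespace, no shell parsing.
run_without_shell() {
    ( set -f; set -- $1; "$@" )
}

# The same string handed to a shell, for comparison.
run_with_shell() {
    sh -c "$1"
}

# Stand-alone run over the constructed sample. On a real host the input would
# be: getcert list | audit_postsave
sample_getcert_list | audit_postsave

# Harmless demonstration of the difference, using echo only.
run_without_shell 'echo renewed && echo reloaded'   # && is passed to echo
run_with_shell    'echo renewed && echo reloaded'   # && is interpreted
```

Flagged entries are candidates for moving the logic into a script file and pointing the post-save command at that script, which is the approach the related fixes describe.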
Juan Antonio Osorio Robles (juan-osorio-robles) wrote : | #1 |
summary: |
- Certmonger post-save command does not work automatically after CA cert
- renewal
+ Certmonger post-save command does not work with renewals
description: | updated |
Changed in tripleo: | |
status: | Confirmed → In Progress |
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master) | #2 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (master) | #3 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #4 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master) | #5 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (master) | #6 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master) | #7 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (master) | #8 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master) | #9 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #10 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master) | #11 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 648dfa2bdc0b4f4
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Dec 6 18:47:18 2018 -0500
Reload haproxy when certificate is renewed
This adds an explicit post-save command that was introduced in the
patch this depends on.
Preferably this patch should merge at the same time as the one this
depends on.
Related-Bug: #1811401
Co-Authored-By: Grzegorz Grasza <email address hidden>
Depends-On: I5d91f8d9b5cd4f
Change-Id: Id409899bf04e7f
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (master) | #12 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit f1f4a6ccb88e3fc
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Fri Jan 25 11:13:24 2019 +0200
httpd: Remove default post-save command for certmonger
The default command didn't work, so we need to fix that.
Related-Bug: #1811401
Needed-By: I862f0d15f76916
Change-Id: I642f48aa0e66ca
OpenStack Infra (hudson-openstack) wrote : | #13 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 801391a13eec513
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 14:54:00 2019 +0100
rabbitmq: Remove default post-save command for certmonger
The default command didn't work, so we need to fix that.
The script additionally copies the certificates in the right place
and instead of restarting RabbitMQ, it triggers a pem cache reload.
Related-Bug: #1811401
Needed-By: I3e564f9a5abdbf
Change-Id: Id06633a1adaafe
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master) | #14 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 514f99c57515148
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Fri Jan 25 11:18:15 2019 +0200
TLS everywhere: Set post-save command for httpd
The default command wasn't working, so here we set one that will
actually work.
httpd is a fairly simple instance, since the certs are mounted from the
directory (and not the individual certs). So there is no need to copy
anything to the container or do any post-processing. All we need to do
is tell httpd to load the new certs.
Related-Bug: #1811401
Depends-On: I642f48aa0e66ca
Change-Id: I862f0d15f76916
OpenStack Infra (hudson-openstack) wrote : | #15 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 03c54b80676bdd3
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 15:32:58 2019 +0100
TLS everywhere: Set post-save command for RabbitMQ
The default command wasn't working, here we set one that will actually work.
The script additionally copies the certificates in the right place
and instead of restarting RabbitMQ, it triggers a pem cache reload.
Related-Bug: #1811401
Co-Authored-By: Juan Antonio Osorio Robles <email address hidden>
Depends-On: Id06633a1adaafe
Change-Id: I3e564f9a5abdbf
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (master) | #16 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master) | #17 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (master) | #18 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 4deea3a46babe9f
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 17:26:31 2019 +0100
redis: Remove default post-save command for certmonger
The default command didn't work, so we need to fix that.
The script additionally copies the certificates in the right place
and instead of restarting stunnel, triggers a configuration reload.
Related-Bug: #1811401
Needed-By: I49811a6cab5416
Change-Id: I437d69fef45d16
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master) | #19 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit f7fb7675411262b
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 17:25:00 2019 +0100
TLS everywhere: Set post-save command for redis
The default command wasn't working, here we set one that will actually work.
The script additionally copies the certificates in the right place
and instead of restarting stunnel, triggers a configuration reload.
Related-Bug: #1811401
Co-Authored-By: Juan Antonio Osorio Robles <email address hidden>
Depends-On: I437d69fef45d16
Change-Id: I49811a6cab5416
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (master) | #20 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master) | #21 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (master) | #22 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 8fa561f8f028a73
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Jan 31 14:38:25 2019 +0200
Remove default post-save command from mysql
That was not being used. The new certificate will be picked up when
mysql is restarted (which would happen on an upgrade).
Change-Id: If4ca3e9f0c248a
Related-Bug: #1811401
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master) | #23 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 4cfa7c066fbb603
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Fri Feb 1 08:41:32 2019 +0200
certmonger: Don't restart haproxy on cert renewal
This is not needed for the external cert. Reloading is enough.
Change-Id: I3b9f0650cfa102
Related-Bug: #1811401
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (master) | #24 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit e6306badac719a7
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 18:16:01 2019 +0100
novnc-proxy: Remove default post-save command for certmonger
The default command didn't work, so we need to fix that.
Related-Bug: #1811401
Needed-By: Idc0844c8726aa5
Change-Id: Ifacbee9e31d84b
OpenStack Infra (hudson-openstack) wrote : | #25 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 7cc4a3da6f6f458
Author: Grzegorz Grasza <email address hidden>
Date: Fri Feb 1 17:00:01 2019 +0100
neutron dhcpd: Add script for certmonger postsave_cmd
The default update procedure didn't work, so we are fixing that.
Related-Bug: #1811401
Needed-By: I449df13ea2c49a
Change-Id: I9954cf33efedf2
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master) | #26 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit a76a0a1270499ef
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 18:14:43 2019 +0100
TLS everywhere: Set post-save command for nova-vnc-proxy
The default command wasn't working, here we set one that will actually work.
The script additionally copies the certificates in the right place.
Related-Bug: #1811401
Depends-On: Ifacbee9e31d84b
Change-Id: Idc0844c8726aa5
OpenStack Infra (hudson-openstack) wrote : | #27 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit ce1e7eafe6e02f9
Author: Grzegorz Grasza <email address hidden>
Date: Fri Feb 1 17:05:36 2019 +0100
TLS everywhere: Set post-save command for neutron dhcpd
The default procedure wasn't working, here we set one that will actually work.
The script additionally copies the certificates in the right place.
Related-Bug: #1811401
Depends-On: I9954cf33efedf2
Change-Id: I449df13ea2c49a
OpenStack Infra (hudson-openstack) wrote : | #28 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit fff1df6ee07a490
Author: Grzegorz Grasza <email address hidden>
Date: Mon Jan 28 16:31:26 2019 +0100
TLS everywhere: Mount the whole /etc/pki/libvirt/ directory in libvirt
We need to mount the whole directory inside the libvirt container,
so that when new certificates are generated, they could be accessed from
within the container.
Related-Bug: #1811401
Co-Authored-By: Juan Antonio Osorio Robles <email address hidden>
Change-Id: I3f1e7511d56f9a
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/rocky) | #29 |
Related fix proposed to branch: stable/rocky
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #30 |
Related fix proposed to branch: stable/rocky
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #31 |
Related fix proposed to branch: stable/rocky
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #32 |
Related fix proposed to branch: stable/rocky
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #33 |
Related fix proposed to branch: stable/rocky
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #34 |
Related fix proposed to branch: stable/rocky
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #35 |
Related fix proposed to branch: stable/rocky
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/rocky) | #36 |
Related fix proposed to branch: stable/rocky
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #37 |
Related fix proposed to branch: stable/rocky
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #38 |
Related fix proposed to branch: stable/rocky
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #39 |
Related fix proposed to branch: stable/rocky
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #40 |
Related fix proposed to branch: stable/rocky
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/queens) | #41 |
Related fix proposed to branch: stable/queens
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #42 |
Related fix proposed to branch: stable/queens
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #43 |
Related fix proposed to branch: stable/queens
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #44 |
Related fix proposed to branch: stable/queens
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #45 |
Related fix proposed to branch: stable/queens
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/queens) | #46 |
Related fix proposed to branch: stable/queens
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #47 |
Related fix proposed to branch: stable/queens
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #48 |
Related fix proposed to branch: stable/queens
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #49 |
Related fix proposed to branch: stable/queens
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #50 |
Related fix proposed to branch: stable/queens
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #51 |
Related fix proposed to branch: stable/queens
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #52 |
Related fix proposed to branch: stable/queens
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/queens) | #53 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/queens
commit 21b6a8bc3d4455c
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Fri Jan 25 11:13:24 2019 +0200
httpd: Remove default post-save command for certmonger
The default command didn't work, so we need to fix that.
Related-Bug: #1811401
Needed-By: I862f0d15f76916
Change-Id: I642f48aa0e66ca
(cherry picked from commit f1f4a6ccb88e3fc
tags: | added: in-stable-queens |
OpenStack Infra (hudson-openstack) wrote : | #54 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/queens
commit 7c315b86575f379
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 14:54:00 2019 +0100
rabbitmq: Remove default post-save command for certmonger
The default command didn't work, so we need to fix that.
The script additionally copies the certificates in the right place
and instead of restarting RabbitMQ, it triggers a pem cache reload.
Related-Bug: #1811401
Needed-By: I3e564f9a5abdbf
Change-Id: Id06633a1adaafe
(cherry picked from commit 801391a13eec513
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/rocky) | #55 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/rocky
commit f7c71486cf601a7
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Fri Jan 25 11:13:24 2019 +0200
httpd: Remove default post-save command for certmonger
The default command didn't work, so we need to fix that.
Related-Bug: #1811401
Needed-By: I862f0d15f76916
Change-Id: I642f48aa0e66ca
(cherry picked from commit f1f4a6ccb88e3fc
tags: | added: in-stable-rocky |
OpenStack Infra (hudson-openstack) wrote : | #56 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/rocky
commit 219c0f483c5924f
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 14:54:00 2019 +0100
rabbitmq: Remove default post-save command for certmonger
The default command didn't work, so we need to fix that.
The script additionally copies the certificates in the right place
and instead of restarting RabbitMQ, it triggers a pem cache reload.
Related-Bug: #1811401
Needed-By: I3e564f9a5abdbf
Change-Id: Id06633a1adaafe
(cherry picked from commit 801391a13eec513
OpenStack Infra (hudson-openstack) wrote : | #57 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/rocky
commit 763467d7ac5f47e
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 17:26:31 2019 +0100
redis: Remove default post-save command for certmonger
The default command didn't work, so we need to fix that.
The script additionally copies the certificates in the right place
and instead of restarting stunnel, triggers a configuration reload.
Related-Bug: #1811401
Needed-By: I49811a6cab5416
Change-Id: I437d69fef45d16
(cherry picked from commit 4deea3a46babe9f
OpenStack Infra (hudson-openstack) wrote : | #58 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/rocky
commit 381a1e0a2b5fb3e
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 18:16:01 2019 +0100
novnc-proxy: Remove default post-save command for certmonger
The default command didn't work, so we need to fix that.
Related-Bug: #1811401
Needed-By: Idc0844c8726aa5
Change-Id: Ifacbee9e31d84b
(cherry picked from commit e6306badac719a7
OpenStack Infra (hudson-openstack) wrote : | #59 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/rocky
commit f6ff6ca960f5e0f
Author: Grzegorz Grasza <email address hidden>
Date: Fri Feb 1 17:00:01 2019 +0100
neutron dhcpd: Add script for certmonger postsave_cmd
The default update procedure didn't work, so we are fixing that.
Related-Bug: #1811401
Needed-By: I449df13ea2c49a
Change-Id: I9954cf33efedf2
(cherry picked from commit 7cc4a3da6f6f458
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/queens) | #60 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/queens
commit b225459fd933647
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 17:26:31 2019 +0100
redis: Remove default post-save command for certmonger
The default command didn't work, so we need to fix that.
The script additionally copies the certificates in the right place
and instead of restarting stunnel, triggers a configuration reload.
Related-Bug: #1811401
Needed-By: I49811a6cab5416
Change-Id: I437d69fef45d16
(cherry picked from commit 4deea3a46babe9f
OpenStack Infra (hudson-openstack) wrote : | #61 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/queens
commit 7b3095d64c4f952
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 18:16:01 2019 +0100
novnc-proxy: Remove default post-save command for certmonger
The default command didn't work, so we need to fix that.
Related-Bug: #1811401
Needed-By: Idc0844c8726aa5
Change-Id: Ifacbee9e31d84b
(cherry picked from commit e6306badac719a7
OpenStack Infra (hudson-openstack) wrote : | #62 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/queens
commit 67079ac516dd91b
Author: Grzegorz Grasza <email address hidden>
Date: Fri Feb 1 17:00:01 2019 +0100
neutron dhcpd: Add script for certmonger postsave_cmd
The default update procedure didn't work, so we are fixing that.
Related-Bug: #1811401
Needed-By: I449df13ea2c49a
Change-Id: I9954cf33efedf2
(cherry picked from commit 7cc4a3da6f6f458
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/queens) | #63 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/queens
commit c9dbc7d6bda8a35
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Dec 6 18:47:18 2018 -0500
Reload haproxy when certificate is renewed
This adds an explicit post-save command that was introduced in the
patch this depends on.
Preferably this patch should merge at the same time as the one this
depends on.
Related-Bug: #1811401
Co-Authored-By: Grzegorz Grasza <email address hidden>
Depends-On: I5d91f8d9b5cd4f
Change-Id: Id409899bf04e7f
(cherry picked from commit 648dfa2bdc0b4f4
OpenStack Infra (hudson-openstack) wrote : | #64 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/queens
commit 7620f63f8ad0735
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Fri Jan 25 11:18:15 2019 +0200
TLS everywhere: Set post-save command for httpd
The default command wasn't working, so here we set one that will
actually work.
httpd is a fairly simple instance, since the certs are mounted from the
directory (and not the individual certs). So there is no need to copy
anything to the container or do any post-processing. All we need to do
is tell httpd to load the new certs.
Related-Bug: #1811401
Depends-On: I642f48aa0e66ca
Change-Id: I862f0d15f76916
(cherry picked from commit 514f99c57515148
OpenStack Infra (hudson-openstack) wrote : | #65 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/queens
commit 853b22835727676
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 15:32:58 2019 +0100
TLS everywhere: Set post-save command for RabbitMQ
The default command wasn't working, here we set one that will actually work.
The script additionally copies the certificates in the right place
and instead of restarting RabbitMQ, it triggers a pem cache reload.
Related-Bug: #1811401
Co-Authored-By: Juan Antonio Osorio Robles <email address hidden>
Depends-On: Id06633a1adaafe
Change-Id: I3e564f9a5abdbf
(cherry picked from commit 03c54b80676bdd3
OpenStack Infra (hudson-openstack) wrote : | #66 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/queens
commit 018b6711a71eb51
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 17:25:00 2019 +0100
TLS everywhere: Set post-save command for redis
The default command wasn't working, here we set one that will actually work.
The script additionally copies the certificates in the right place
and instead of restarting stunnel, triggers a configuration reload.
Related-Bug: #1811401
Co-Authored-By: Juan Antonio Osorio Robles <email address hidden>
Depends-On: I437d69fef45d16
Change-Id: I49811a6cab5416
(cherry picked from commit f7fb7675411262b
OpenStack Infra (hudson-openstack) wrote : | #67 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/queens
commit f0e5aa5e006b88c
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 18:14:43 2019 +0100
TLS everywhere: Set post-save command for nova-vnc-proxy
The default command wasn't working, here we set one that will actually work.
The script additionally copies the certificates in the right place.
Related-Bug: #1811401
Depends-On: Ifacbee9e31d84b
Change-Id: Idc0844c8726aa5
(cherry picked from commit a76a0a1270499ef
OpenStack Infra (hudson-openstack) wrote : | #68 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/queens
commit ea5fe24f2c9511e
Author: Grzegorz Grasza <email address hidden>
Date: Fri Feb 1 17:05:36 2019 +0100
TLS everywhere: Set post-save command for neutron dhcpd
The default procedure wasn't working, here we set one that will actually work.
The script additionally copies the certificates in the right place.
Related-Bug: #1811401
Depends-On: I9954cf33efedf2
Change-Id: I449df13ea2c49a
(cherry picked from commit ce1e7eafe6e02f9
OpenStack Infra (hudson-openstack) wrote : | #69 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/queens
commit 8d4e0a737ad0035
Author: Grzegorz Grasza <email address hidden>
Date: Mon Jan 28 16:31:26 2019 +0100
TLS everywhere: Mount the whole /etc/pki/libvirt/ directory in libvirt
We need to mount the whole directory inside the libvirt container,
so that when new certificates are generated, they could be accessed from
within the container.
Related-Bug: #1811401
Co-Authored-By: Juan Antonio Osorio Robles <email address hidden>
Change-Id: I3f1e7511d56f9a
(cherry picked from commit fff1df6ee07a490
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/rocky) | #70 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/rocky
commit 64e564aaf190e0f
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Dec 6 18:47:18 2018 -0500
Reload haproxy when certificate is renewed
This adds an explicit post-save command that was introduced in the
patch this depends on.
Preferably this patch should merge at the same time as the one this
depends on.
Related-Bug: #1811401
Co-Authored-By: Grzegorz Grasza <email address hidden>
Depends-On: I5d91f8d9b5cd4f
Change-Id: Id409899bf04e7f
(cherry picked from commit 648dfa2bdc0b4f4
OpenStack Infra (hudson-openstack) wrote : | #71 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/rocky
commit 6be616a38c5e6e3
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Fri Jan 25 11:18:15 2019 +0200
TLS everywhere: Set post-save command for httpd
The default command wasn't working, so here we set one that will
actually work.
httpd is a fairly simple instance, since the certs are mounted from the
directory (and not the individual certs). So there is no need to copy
anything to the container or do any post-processing. All we need to do
is tell httpd to load the new certs.
Related-Bug: #1811401
Depends-On: I642f48aa0e66ca
Change-Id: I862f0d15f76916
(cherry picked from commit 514f99c57515148
OpenStack Infra (hudson-openstack) wrote : | #72 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/rocky
commit a1430fbf6015516
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 15:32:58 2019 +0100
TLS everywhere: Set post-save command for RabbitMQ
The default command wasn't working, here we set one that will actually work.
The script additionally copies the certificates in the right place
and instead of restarting RabbitMQ, it triggers a pem cache reload.
Related-Bug: #1811401
Co-Authored-By: Juan Antonio Osorio Robles <email address hidden>
Depends-On: Id06633a1adaafe
Change-Id: I3e564f9a5abdbf
(cherry picked from commit 03c54b80676bdd3
OpenStack Infra (hudson-openstack) wrote : | #73 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/rocky
commit 8d06db25a180c27
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 17:25:00 2019 +0100
TLS everywhere: Set post-save command for redis
The default command wasn't working, here we set one that will actually work.
The script additionally copies the certificates in the right place
and instead of restarting stunnel, triggers a configuration reload.
Related-Bug: #1811401
Co-Authored-By: Juan Antonio Osorio Robles <email address hidden>
Depends-On: I437d69fef45d16
Change-Id: I49811a6cab5416
(cherry picked from commit f7fb7675411262b
OpenStack Infra (hudson-openstack) wrote : | #74 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/rocky
commit 5a2e205c11ccb1d
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 18:14:43 2019 +0100
TLS everywhere: Set post-save command for nova-vnc-proxy
The default command wasn't working, here we set one that will actually work.
The script additionally copies the certificates in the right place.
Related-Bug: #1811401
Depends-On: Ifacbee9e31d84b
Change-Id: Idc0844c8726aa5
(cherry picked from commit a76a0a1270499ef
OpenStack Infra (hudson-openstack) wrote : | #75 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/rocky
commit d07af320a4d6658
Author: Grzegorz Grasza <email address hidden>
Date: Fri Feb 1 17:05:36 2019 +0100
TLS everywhere: Set post-save command for neutron dhcpd
The default procedure wasn't working, here we set one that will actually work.
The script additionally copies the certificates in the right place.
Related-Bug: #1811401
Depends-On: I9954cf33efedf2
Change-Id: I449df13ea2c49a
(cherry picked from commit ce1e7eafe6e02f9
OpenStack Infra (hudson-openstack) wrote : | #76 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/rocky
commit 3bd4a2a8bf84aab
Author: Grzegorz Grasza <email address hidden>
Date: Mon Jan 28 16:31:26 2019 +0100
TLS everywhere: Mount the whole /etc/pki/libvirt/ directory in libvirt
We need to mount the whole directory inside the libvirt container,
so that when new certificates are generated, they could be accessed from
within the container.
Related-Bug: #1811401
Co-Authored-By: Juan Antonio Osorio Robles <email address hidden>
Change-Id: I3f1e7511d56f9a
(cherry picked from commit fff1df6ee07a490
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/rocky) | #77 |
Related fix proposed to branch: stable/rocky
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/queens) | #78 |
Related fix proposed to branch: stable/queens
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/queens) | #79 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/queens
commit f10d3c3d547153f
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Fri Feb 1 08:41:32 2019 +0200
certmonger: Don't restart haproxy on cert renewal
This is not needed for the external cert. Reloading is enough.
Change-Id: I3b9f0650cfa102
Related-Bug: #1811401
(cherry picked from commit 4cfa7c066fbb603
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/rocky) | #80 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/rocky
commit 82a648fcccef72f
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Fri Feb 1 08:41:32 2019 +0200
certmonger: Don't restart haproxy on cert renewal
This is not needed for the external cert. Reloading is enough.
Change-Id: I3b9f0650cfa102
Related-Bug: #1811401
(cherry picked from commit 4cfa7c066fbb603
Changed in tripleo: | |
status: | In Progress → Fix Released |
These two address HAProxy: https://review.openstack.org/623352 https://review.openstack.org/623353