Need to support multiple certificate in "trusted_ssl_ca" option
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
charm-openstack-service-checks | Won't Fix | Wishlist | Unassigned | |
Bug Description
Currently, "trusted_ssl_ca" is only effective when there's only one certificate in it. If multiple certificates are set in "trusted_ssl_ca", for example by doing
```
cat root_ca_1.crt root_ca_2.crt > multiple_
```
, the symbolic links will not be properly created in "/etc/ssl/certs" because `update-
However, the symbolic links are important to `check_ssl_cert` in verifying the certificate chain. If the symbolic links are missing, it will cause `check_ssl_cert` to report errors like "unable to get local issuer certificate".
We need support for setting multiple certificates in "trusted_ssl_ca". For example, the charm code should be able to split the "trusted_ssl_ca" content containing multiple certificates into multiple files, each containing a single certificate. This will allow symbolic links to be created properly.
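One way the split proposed in the description could be done, as an added example that is not the charm's own code. It assumes the option value is already-decoded PEM text; the function names, the output file naming and the destination directory are hypothetical.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL)

def split_pem_bundle(bundle: str) -> list[str]:
    """Return every certificate block in the bundle as its own PEM string."""
    certs, seen = [], set()
    for match in PEM_CERT_RE.finditer(bundle):
        body = "".join(match.group(1).split())      # drop line breaks and padding spaces
        der = base64.b64decode(body, validate=True)  # raises ValueError on a corrupt block
        if not der:
            raise ValueError("empty certificate block in trusted_ssl_ca")
        digest = hashlib.sha256(der).hexdigest()
        if digest in seen:                           # same CA pasted twice: write it once
            continue
        seen.add(digest)
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        certs.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    if not certs:
        raise ValueError("no PEM certificate found in trusted_ssl_ca")
    return certs

def write_single_cert_files(bundle: str, dest_dir: Path, prefix: str = "trusted_ssl_ca") -> list[Path]:
    """Write one .crt file per certificate so each can get its own symbolic link."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for index, pem in enumerate(split_pem_bundle(bundle), start=1):
        path = dest_dir / f"{prefix}_{index}.crt"   # hypothetical naming scheme
        path.write_text(pem)
        paths.append(path)
    return paths

def _constructed_pem(payload: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(payload).decode()
            + "\n-----END CERTIFICATE-----\n")

# Constructed sample: placeholder payloads, not real certificates.
SAMPLE_BUNDLE = _constructed_pem(b"constructed root CA 1") + _constructed_pem(b"constructed root CA 2")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for p in write_single_cert_files(SAMPLE_BUNDLE, Path(tmp)):
            print(p.name)
```

The step that creates the symbolic links in "/etc/ssl/certs" would run after these files are written, and files left over from a previous, longer bundle would need to be removed first.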
description: updated
summary:
- Need to support combined certificate in "trusted_ssl_cert" option
+ Need to support combined certificate in "trusted_ssl_ca" option
Changed in charm-openstack-service-checks:
status: New → Triaged
summary:
- Need to support combined certificate in "trusted_ssl_ca" option
+ Need to support multiple certificate in "trusted_ssl_ca" option
description: updated
What's the actual use case of this? Like, each OpenStack endpoint is signed by a different CA trusted chain?
Usually importing one CA is fine and any intermediate CAs should be sent by the endpoints themselves.