Fails to verify certificates for internal and admin endpoints when using Vault
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Gnocchi Charm | Fix Released | Critical | David Ames | |
| OpenStack AODH Charm | Fix Released | Critical | David Ames | |
| OpenStack Designate Charm | Fix Released | Critical | David Ames | |
| OpenStack Placement Charm | Fix Released | Critical | David Ames | |
| charms.openstack | Fix Released | Critical | David Ames | |
Bug Description
When Vault is used as a Root CA, the expectation is that all certificates and keys for Placement's endpoints are created as for the other OpenStack components.
However, with the example bundle[0], certificates and keys were not created for the internal and admin endpoints.
Here is the output of `ll /etc/apache2/`:

```
$ ll /etc/apache2/
total 10
dr-xr-xr-x 2 root root 10 Mar 10 03:52 ./
dr-xr-xr-x 3 root root 3 Mar 10 03:52 ../
-rw-r----- 1 root placement 1483 Mar 10 03:53 cert_juju-
lrwxrwxrwx 1 root root 49 Mar 10 03:52 cert_placement-
lrwxrwxrwx 1 root root 49 Mar 10 03:52 cert_placement-
lrwxrwxrwx 1 root root 49 Mar 10 03:52 cert_placement.test -> /etc/apache2/
-rw-r----- 1 root placement 1678 Mar 10 03:53 key_juju-
lrwxrwxrwx 1 root root 48 Mar 10 03:52 key_placement-
lrwxrwxrwx 1 root root 48 Mar 10 03:52 key_placement-
lrwxrwxrwx 1 root root 48 Mar 10 03:52 key_placement.test -> /etc/apache2/
```

As you can see, only one cert and key are created, and all the others are just links to that.
Because of this, the internal endpoint is not reachable, and creating instances fails.
Activity log:

- summary: changed from "Fails to create certificates and keys for internal and admin endpoints when using Vault" to "Fails to verify certificates for internal and admin endpoints when using Vault"
- description: updated
- Changed in charms.openstack: status: In Progress → Fix Committed
- Changed in charm-gnocchi: status: Fix Committed → Fix Released
- Changed in charm-designate: status: Fix Committed → Fix Released
- Changed in charm-aodh: status: Fix Committed → Fix Released
I have attached the output of

```
$ sudo openssl x509 -in /etc/apache2/ssl/placement/cert_juju-6f67e2-2.lxd -noout -text
```

As you can see, there is no subject name for the admin and internal hostnames.

```
-- EXCERPT --
Subject: CN = placement.test
-- SKIP --
X509v3 Subject Alternative Name:
    DNS:placement.test, DNS:placement.test, IP Address:172.31.16.205
-- SKIP --
```
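The bug report and the `openssl x509` excerpt above both come down to one check: does the Subject Alternative Name of the certificate Apache serves actually cover every hostname the service answers on (public, internal and admin)? The following is an added example written for this page, not code from the charms, charms.openstack or the bug reporter. It parses the SAN text in the same layout that `openssl x509 -noout -ext subjectAltName` (or the `-text` dump quoted above) prints, and reports which endpoint roles are not covered. The endpoint hostnames in `EXPECTED_ENDPOINTS` and the `SAMPLE_SAN_OUTPUT` text are constructed for illustration; only `placement.test` and the IP address come from the bug. Beyond the bug's exact case it also handles IP-address SAN entries and single-label wildcard names, so it works as a general pre-deployment check rather than only for this cert.

```python
"""
Check whether an X.509 certificate's Subject Alternative Names cover every
endpoint hostname a service is expected to serve (public, internal, admin).

Added example, not code from the charms or the bug report. It parses the text
that `openssl x509 -noout -ext subjectAltName` prints (same layout as the
excerpt in the bug) and reports which endpoint names are not covered.
"""
import ipaddress
import subprocess

# Constructed sample: what openssl prints for the cert described in the bug
# (only the public name and the unit's IP are present in the SAN).
SAMPLE_SAN_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:placement.test, DNS:placement.test, IP Address:172.31.16.205
"""

# Constructed endpoint map; the internal/admin hostnames are hypothetical.
EXPECTED_ENDPOINTS = {
    "public": "placement.test",
    "internal": "placement-int.test",
    "admin": "placement-admin.test",
}


def parse_san(openssl_text):
    """Return (dns_names, ip_addresses) parsed from openssl's SAN output.

    Works on both the `-ext subjectAltName` output and a full `-text` dump:
    only `DNS:` and `IP Address:` entries are collected, everything else
    (Subject:, Not Before:, hex dumps) is ignored.  DNS names are
    lower-cased; IPs become ip_address objects so textual variants of the
    same address compare equal.
    """
    dns, ips = set(), set()
    for line in openssl_text.splitlines():
        if ":" not in line or "Subject Alternative Name" in line:
            continue
        for entry in line.split(","):
            kind, _, value = entry.strip().partition(":")
            value = value.strip()
            if kind == "DNS" and value:
                dns.add(value.lower())
            elif kind == "IP Address" and value:
                ips.add(ipaddress.ip_address(value))
    return dns, ips


def _dns_matches(name, pattern):
    """RFC 6125-style match: exact, or a left-most '*' label that matches
    exactly one label (no partial-label wildcards, no matching the apex)."""
    name, pattern = name.lower(), pattern.lower()
    if name == pattern:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]  # e.g. ".example.test"
    return (name.endswith(suffix)
            and len(name) > len(suffix)
            and "." not in name[:-len(suffix)])


def covers(hostname, dns_names, ips):
    """True if the SAN set covers `hostname` (a DNS name or a literal IP)."""
    try:
        return ipaddress.ip_address(hostname) in ips
    except ValueError:
        return any(_dns_matches(hostname, p) for p in dns_names)


def missing_endpoints(expected, openssl_text):
    """Map endpoint role -> hostname for every role the cert does not cover."""
    dns, ips = parse_san(openssl_text)
    return {role: host for role, host in expected.items()
            if not covers(host, dns, ips)}


def san_text_from_file(cert_path):
    """Fetch the SAN text from a PEM file with the real openssl binary
    (the -ext option needs OpenSSL 1.1.1 or newer)."""
    return subprocess.run(
        ["openssl", "x509", "-in", cert_path, "-noout", "-ext", "subjectAltName"],
        check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # On a real unit: missing_endpoints(EXPECTED_ENDPOINTS, san_text_from_file(path))
    for role, host in missing_endpoints(EXPECTED_ENDPOINTS, SAMPLE_SAN_OUTPUT).items():
        print(f"{role} endpoint {host} is NOT covered by the certificate's SAN")
```

Run against the sample, the script reports the internal and admin names as uncovered, which is exactly the symptom the bug describes: clients validating the internal endpoint find no matching name and refuse the connection. The check is useful as a post-deploy assertion in a CI bundle test, since an all-links `/etc/apache2/ssl` directory like the listing above is a symptom, but SAN coverage is the property that actually matters.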