Custom api-listening-port breaks certificates relation
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Cinder Charm |
Triaged
|
Medium
|
Unassigned |
Bug Description
Hi team,
After the deployment of cinder with config api-listening-
SSL exception connecting to https:/
Checking the certs assigned to this endpoint I see:
$ openssl s_client -connect cinder.
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 337 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
I ran the action for Vault to reissue the certificates, it didn't help. Changing the port back to the default one - 8776 fixes this issue, but unfortunately this deployment requires port 443 for cinder.
Environment:
Ubuntu Jammy
Openstack Yoga
Juju 3.4.2
MAAS 3.4.1
Cinder charm yoga/stable rev 677
Vault charm 1.8/stable rev 209
I will attach the juju status.
Step to reproduce:
Deploy Cinder with custom port 443 and use Vault for certificates
Changed in charm-cinder: | |
importance: | Undecided → Medium |
Changed in charm-cinder: | |
status: | New → Triaged |
I had a quick poke around in the cinder context code, and in hooks/cinder_ context. py around line 130 we have:
class ApacheSSLContex t(SSLContext) : namespace = 'cinder'
interfaces = ['https']
external_ports = [8776]
service_
def __call__(self): enabled( 'api'): Context, self).__call__()
# late import to work around circular dependency
from cinder_utils import service_enabled
if not service_
return {}
return super(ApacheSSL
The ApacheSSLContext is the class that drives creation of the apache http vhost file. Apache handles the SSL termination, even in an haproxy-ed cluster.
I'd hazard a guess, but it would be good to confirm, that the apache conf file, when api-listening-port is set to 443, still lists 8776 as the listening port. This would be useful to confirm.
If not, then we'd need to do a deeper dive and try to recreate the issue.