ApacheSSLContext should use ssl_ca when set

Bug #1756137 reported by David Ames on 2018-03-15
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Charm Helpers
OpenStack keystone charm

Bug Description

A change to the openstack_https_frontend was merged [0] which points SSLCertificateChainFile at the certificate file rather than what is set in ssl_ca. While this works in some cases it is misleading as ssl_ca is required for intra-deployment communication.

Even commercially signed certificates often have an intermediate signing certificate that must be configured to enable certificate validation. Concatenating the whole certificate chain including a CA certificate, an intermediate signing certificate, and the server certificate works for Apache.

However, in the OpenStack Charms the ssl_ca setting is used for more than just the Apache configuration. The ssl_ca gets installed on the unit as a Certificate Authority enabling intra-deployment communication. For example, allowing the cinder unit to communicate with keystone via https without certificate validation errors.

This is particularly important for self-signed (non-commercial) certificate authorities in an organization. The CA and any intermediate signing certificates must get installed as certificate authorities to allow intra-deployment communication. Even with commercially signed certificate authorities, an intermediate certificate may be required to be installed. That is the purpose of the ssl_ca configuration parameter.

This bug is to add intelligence to the ApacheSSLContext and the openstack_https_frontend that does the following:

Check if ssl_ca is set:
* Use ssl_ca as the SSLCertificateChainFile if it is set.
* If not set, set SSLCertificateChainFile to the certificate file (as it does now) and possibly log a warning.

This bug is also for updating any documentation that requires clarification on the above. Particularly making clear the requirement to set ssl_ca for intra-deployment communication.

[0] https://github.com/juju/charm-helpers/commit/8229249ac4a0bbb54f343766f9f65ee448f3d720

David Ames (thedac) wrote :

Adding keystone to get OpenStack charms on the radar. Keystone may or may not require documentation updates.

Changed in charm-helpers:
status: New → Triaged
importance: Undecided → High
Changed in charm-keystone:
status: New → Triaged
importance: Undecided → High
milestone: none → 18.05
David Ames (thedac) on 2018-06-11
Changed in charm-keystone:
milestone: 18.05 → 18.08
James Page (james-page) on 2018-09-12
Changed in charm-keystone:
milestone: 18.08 → 18.11
David Ames (thedac) on 2018-11-20
Changed in charm-keystone:
milestone: 18.11 → 19.04
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers