Nova console and vault provides internal TLS certificate only
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Nova Cloud Controller Charm | Fix Released | High | James Page |
Bug Description
When nova cloud controller is used with Vault, and internal and public endpoints are different, the spice console is providing the public service endpoint name, but the SSL connections are providing the certificate for the internal service only. It is causing a security warning when the customer wants to use the console from the horizon dashboard (which is using the public api endpoints).
$ openstack catalog show compute -f json
{
  "endpoints": [
    {
      "id": "9999f8531b4c4f
      "interface": "internal",
      "region_id": "R1",
      "url": "https:/
      "region": "R1"
    },
    {
      "id": "99991ac800934d
      "interface": "admin",
      "region_id": "R1",
      "url": "https:/
      "region": "R1"
    },
    {
      "id": "999944277d2f40
      "interface": "public",
      "region_id": "R1",
      "url": "https:/
      "region": "R1"
    }
  ],
  "id": "9999c921e2a14e
  "name": "nova",
  "type": "compute"
}
$ openstack console url show canonical-test01 -f json
{
  "type": "novnc",
  "url": "https:/
}
The ssl connection however provides the certificate for the internal endpoint:
$ openssl s_client -connect nova.<domain>:6082
CONNECTED(00000005)
depth=0 CN = nova-internal.
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = nova-internal.
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:CN = nova-internal.
i:CN = Vault Root Certificate Authority (charm-pki-local)
---
How could we enforce spice to return the proper certificate for the connection?
tags: added: field-high; removed: field-medium
Changed in charm-nova-cloud-controller: status: Fix Committed → Fix Released
A workaround for the issue:
1. get the key and certificates from /etc/apache2/ssl/nova/cert_nova.<domain> and /etc/apache2/ssl/nova/key_nova.<domain>
2. use the deprecated console-ssl-* options:
juju config nova-cloud-controller \
    console-ssl-cert="$(base64 cert_nova.<domain>)" \
    console-ssl-key="$(base64 key_nova.<domain>)"
This will overwrite the nova.conf entries with the specified certificate and key: /etc/nova/ssl/nova_cert.pem and /etc/nova/ssl/nova_key.pem
[DEFAULT]
...
cert=/etc/nova/ssl/nova_cert.pem
key=/etc/nova/ssl/nova_key.pem
The internal / admin / public TLS endpoints will still be terminated by apache, so this change won't affect nova service rest interfaces, only the consoleauth will pick up the setting:
nova 1913397 0.0 0.0 296568 104316 ? Ss 12:44 0:03 /usr/bin/python3 /usr/bin/nova-consoleauth --config-file=/etc/nova/nova.conf --log-file=/var/log/nova/nova-consoleauth.log
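A check for the mismatch described in the bug report, usable as well to confirm that the workaround above took effect, added here as an example that is not part of the bug report or of the charm: it compares the hostname in the console URL against the names in the certificate the console proxy serves on port 6082. The example.com hostnames, the sample certificate dict and the `cafile` path are constructed assumptions.

```python
import socket
import ssl
from urllib.parse import urlparse

# Constructed sample mirroring the report: the host from `openstack console url show`
# and the names in the certificate the console proxy actually served on :6082.
CONSOLE_URL = "https://nova.example.com:6082/vnc_auto.html?token=CONSTRUCTED"
SERVED_CERT = {  # shaped like the dict returned by ssl.SSLSocket.getpeercert()
    "subject": ((("commonName", "nova-internal.example.com"),),),
    "subjectAltName": (("DNS", "nova-internal.example.com"),),
}

def cert_names(peercert):
    """DNS names a certificate is valid for: SANs, CN only as fallback (RFC 6125)."""
    names = [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in peercert.get("subject", ())
                 for attr, v in rdn if attr == "commonName"]
    return names

def name_matches(pattern, hostname):
    """Exact match, or a single leftmost wildcard label (`*.example.com`)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        rest = hostname.split(".", 1)[1:]  # labels after the leftmost one
        return bool(rest) and rest[0] == pattern[2:]
    return False

def console_cert_ok(console_url, peercert):
    """True when the served certificate covers the hostname users are sent to."""
    host = urlparse(console_url).hostname or ""
    return any(name_matches(n, host) for n in cert_names(peercert))

def fetch_peercert(host, port, cafile):
    """Live check (needs network): fetch the cert the proxy serves, validated
    against the deployment's CA (e.g. the Vault CA; `cafile` is an assumed path)
    with hostname checking disabled so a mismatch is reported instead of raised."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Against the report's deployment, `console_cert_ok(url, fetch_peercert(host, 6082, cafile))` returns False before the workaround (certificate for nova-internal served on the nova hostname) and True once the console proxy serves the public certificate.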