Incorrect certificate sent to the browser when os-public-hostname is configured.
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Dashboard Charm |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
When using os-public you have to use "ha" binding map to your public space otherwise haproxy won't correctly send requests to apache using os-public-hostname , e.g. horizon.example.com but instead it will use internal cluster namespace and use juju-lxd-something hostname, so even when you have a correct root CA in the browser you get Certificate mismatch as you asking for horizon.example.com but certificate name is for juju-lxd-something. The workaround is to use hacluster ha binding explicitly, however, it's not in the documentation.
Also, somehow related if you change your config to use os-public-hostname, the vault re-issue certificates action won't create your new certificate, e.g. horizon.
openstack-dashboard deployment:
openstack-
charm: cs:openstack-
num_units: 3
bindings:
"": *oam-space
shared-db: *internal-space
public: *public-space
ha: *public-space
options:
os-
api-
use-
debug: 'no'
openstack
webroot: "/"
vip: *dashboard-vip
neutron-
neutron-
neutron-
neutron-
cinder-
use-syslog: False
to:
- lxd:3
- lxd:4
- lxd:5
hacluster-
charm: cs:hacluster-76
bindings:
"": *oam-space
ha: *public-space
options:
cluster_
Changed in charm-openstack-dashboard: | |
status: | New → Confirmed |
Note: also need the 'cluster' binding to be set to public-space if you're using the hacluster charm.