Enable SSL for nova, heat and cinder natively or with TLS proxy

Bug #1328226 reported by Rob Crittenden on 2014-06-09

Bug Description

Native SSL support can be enabled for Keystone and a few services have basic support for a TLS Proxy (stud).

There is more and more interest in running an OpenStack installation entirely secured with SSL. This is difficult to set up and prone to error. Having this working in devstack will provide a model, prevent regressions, find bugs, etc.

Fix proposed to branch: master
Review: https://review.openstack.org/98854

Changed in devstack:
assignee: nobody → Rob Crittenden (rcritten)
status: New → In Progress
Rob Crittenden (rcritten) wrote:

During the lifetime of this bug, python-glanceclient switched to python-requests. There are two related bugs from this:

https://bugs.launchpad.net/python-glanceclient/+bug/1347150 - python-glanceclient switch to requests breaks HTTPS

https://bugs.launchpad.net/python-glanceclient/+bug/1362179 - Default to requests cert bundle instead of nothing

Reviewed: https://review.openstack.org/98854
Committed: https://git.openstack.org/cgit/openstack-dev/devstack/commit/?id=18d4778cf7bffa60eb2e996a13c129c64f83575f
Submitter: Jenkins
Branch: master

commit 18d4778cf7bffa60eb2e996a13c129c64f83575f
Author: Rob Crittenden <email address hidden>
Date: Wed Mar 19 17:47:42 2014 -0400

    Configure endpoints to use SSL natively or via proxy

    Configure nova, cinder, glance, swift and neutron to use SSL
    on the endpoints using either SSL natively or via a TLS proxy
    using stud.

    To enable SSL via proxy, in local.conf add


    This will create a new test root CA, a subordinate CA and an SSL
    server cert. It uses the value of hostname -f for the certificate
    subject. The CA certificates are also added to the system CA bundle.

    To enable SSL natively, in local.conf add:


    Native SSL by default will also use the devstack-generated root and
    subordinate CA.

    You can override this on a per-service basis by setting


    You should also set SERVICE_HOST to the FQDN of the host. This
    value defaults to the host IP address.

    Change-Id: I36fe56c063ca921131ad98439bd452cb135916ac
    Closes-Bug: 1328226
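
The certificate hierarchy the commit message describes (test root CA, subordinate CA, server cert named after `hostname -f`), as an added example that is not devstack's own code: it builds the three certificates with openssl, bundles the two CA certs for clients, and checks the chain and hostname the way a TLS client with that bundle would. The working directory, organisation name, key size, validity period and the fallback host name `devstack.example.test` are assumptions; adding the bundle to the system trust store is distro-specific and is deliberately left out.

```shell
#!/bin/sh
# Added illustration, not devstack's tools/ code: build a test root CA,
# a subordinate CA and a server certificate for `hostname -f`, then check
# the chain as a TLS client holding the CA bundle would.
# Paths, names and key sizes are constructed assumptions.
set -e

CA_DIR="${CA_DIR:-$(mktemp -d)}"
# Server name: the host's FQDN, as devstack does; constructed fallback
# name in case `hostname -f` cannot resolve.
SERVER_FQDN="${SERVER_FQDN:-$(hostname -f 2>/dev/null || echo devstack.example.test)}"

write_configs() {
    # Root CA: self-signed, marked as a CA, key usage limited to signing.
    cat > "$CA_DIR/root.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Devstack Test
CN = Devstack Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Minimal config for CSRs; the real subject comes from -subj.
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' \
        > "$CA_DIR/csr.cnf"
    # Subordinate CA: pathlen:0 so it can only issue leaf certificates.
    cat > "$CA_DIR/sub.ext" <<'EOF'
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # Server cert: not a CA, server-auth only, host name carried in the SAN.
    cat > "$CA_DIR/server.ext" <<EOF
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_FQDN
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

build_chain() {
    write_configs
    cd "$CA_DIR"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config root.cnf -keyout root.key -out root.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config csr.cnf \
        -subj "/O=Devstack Test/CN=Devstack Test Subordinate CA" \
        -keyout sub.key -out sub.csr 2>/dev/null
    openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 365 -extfile sub.ext -out sub.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config csr.cnf \
        -subj "/O=Devstack Test/CN=$SERVER_FQDN" \
        -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
        -days 365 -extfile server.ext -out server.crt 2>/dev/null
    # What clients need: both CA certs in one bundle (e.g. for --os-cacert).
    # Installing it into the system trust store is distro-specific and omitted.
    cat root.crt sub.crt > ca-bundle.crt
    cd - >/dev/null
}

# verify_chain NAME: succeeds only if server.crt chains to the root via the
# subordinate CA and is valid for NAME, which is what a client connecting
# to https://NAME/ checks. Returns openssl verify's exit status.
verify_chain() {
    openssl verify -CAfile "$CA_DIR/root.crt" -untrusted "$CA_DIR/sub.crt" \
        -verify_hostname "$1" "$CA_DIR/server.crt" >/dev/null 2>&1
}

# Fails by design: a client trusting only the root cannot build the chain
# unless it is also given (or sent) the subordinate CA certificate.
verify_without_sub() {
    openssl verify -CAfile "$CA_DIR/root.crt" "$CA_DIR/server.crt" >/dev/null 2>&1
}

build_chain
if verify_chain "$SERVER_FQDN"; then
    echo "chain OK for $SERVER_FQDN; bundle at $CA_DIR/ca-bundle.crt"
else
    echo "chain verification FAILED for $SERVER_FQDN" >&2
    exit 1
fi
```

The negative checks matter as much as the positive one: a name mismatch or a missing intermediate is exactly what a client such as python-glanceclient surfaces as an HTTPS failure, so a deployment that points `--os-cacert` at `ca-bundle.crt` and uses the FQDN as `SERVICE_HOST` is what this example models.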

Changed in devstack:
status: In Progress → Fix Released