Signed SSL Certs registered for One Year, Should Be TEN Years

Bug #1468909 reported by Bruce Basil Mathews
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fuel for OpenStack

Bug Description

There are 2 kinds of certificates issued with Fuel:

a. Those, which are used to encrypt HTTP traffic. They are generated during deployment on each controller node, hence they are unique across all nodes in ALL clouds. <- These are issued for ONE YEAR from the DATE of DEPLOYMENT... Should be TEN Years from that date.

 b. Certificates used by MySQL/RabbitMQ. These are not unique. To tighten up security, the regeneration procedure should be repeated in each cloud, without distributing generated certificates to other clouds. This way these certificates will be unique per-cloud. <- These are issued for ONE YEAR from the DATE of the ISO creation... Should be TEN Years from that date.

Please make this change as soon as possible!

Revision history for this message
Dmitry Borodaenko (angdraug) wrote :

Actually Fuel doesn't yet set up SSL neither for HTTP enpoints nor for MySQL/RabbitMQ, blueprints to do that are still pending:

From the perspective of current state of Fuel, this bug is invalid since it's about a feature that doesn't yet exist. However, I will attach it to the relevant blueprint so that the concern you've raised isn't missed in the future:

Changed in fuel:
status: New → Invalid
Revision history for this message
Bruce Basil Mathews (bmathews-l) wrote :

Then in the BLUEPRINT, please make sure that Fuel deploys it with TEN YEAR Certificates... We should also note when we install SSL for customers to generate a 10 year cert... In this case, we built Wells Fargo a "custom ISO" with one year certs embedded...

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers