Signed SSL Certs registered for One Year, Should Be TEN Years
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Fuel for OpenStack | Invalid | Undecided | Unassigned |
Bug Description
There are 2 kinds of certificates issued with Fuel:
a. Those, which are used to encrypt HTTP traffic. They are generated during deployment on each controller node, hence they are unique across all nodes in ALL clouds. <- These are issued for ONE YEAR from the DATE of DEPLOYMENT... Should be TEN Years from that date.
b. Certificates used by MySQL/RabbitMQ. These are not unique. To tighten up security, the regeneration procedure should be repeated in each cloud, without distributing generated certificates to other clouds. This way these certificates will be unique per-cloud. <- These are issued for ONE YEAR from the DATE of the ISO creation... Should be TEN Years from that date.
Please make this change as soon as possible!
Actually, Fuel doesn't yet set up SSL for either HTTP endpoints or MySQL/RabbitMQ; blueprints to do that are still pending: https://blueprints.launchpad.net/fuel/?searchtext=ssl
From the perspective of the current state of Fuel, this bug is invalid since it's about a feature that doesn't yet exist. However, I will attach it to the relevant blueprint so that the concern you've raised isn't missed in the future: https://blueprints.launchpad.net/fuel/+spec/manage-ssl-certificate