Missing supplemental IP's in 'Subject Alt Name' property

Bug #1517893 reported by Adam Heczko
Affects: Fuel for OpenStack
Status: Confirmed
Importance: Low
Assigned to: Stanislaw Bogatkin

Bug Description

Observed on: Fuel 8.0 build 172

Problem description:
When Fuel is installed with multiple (2) network interfaces, only the first IP (usually 10.20.0.x) appears in the 'Subject Alt Name' property of the TLS certificate.

Expected behavior:
All of Fuel's IP addresses (the Fuel menu supports up to 2) should be specified in the 'Subject Alt Name' property of Fuel's self-signed TLS certificate.

Resolution proposal:
Improve the self-signed certificate generation procedure to list both IPs in SubjAltName if they are configured.

description: updated
Changed in fuel:
importance: Undecided → Low
milestone: none → 8.0
assignee: nobody → Fuel Library Team (fuel-library)
Ilya Kutukov (ikutukov)
Changed in fuel:
status: New → Confirmed
tags: added: area-library
tags: added: team-bugfix
Changed in fuel:
assignee: Fuel Library Team (fuel-library) → Stanislaw Bogatkin (sbogatkin)
Dmitry Pyzhov (dpyzhov)
Changed in fuel:
milestone: 8.0 → 9.0
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/276727

Changed in fuel:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/276727
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=7f61fea530b5cba68f84b65806ce0616618e6602
Submitter: Jenkins
Branch: master

commit 7f61fea530b5cba68f84b65806ce0616618e6602
Author: Stanislaw Bogatkin <email address hidden>
Date: Fri Feb 5 16:26:09 2016 +0300

    Use all available ipaddresses as SAN for master nginx

    As master node nginx must be accessible from any network it has
    and nginx listens on every interface, all IP addresses from them
    must be used in TLS certificate for proper connection.

    Change-Id: Ib7121af26fffbe011a616b3ffdabb45dc273c3ce
    Closes-Bug: #1517893

Changed in fuel:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/278765

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/278765
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=1d5ee6dcd6fa60d0e22c192335a4ddc331929629
Submitter: Jenkins
Branch: master

commit 1d5ee6dcd6fa60d0e22c192335a4ddc331929629
Author: Vladimir Kozhukalov <email address hidden>
Date: Thu Feb 11 01:13:04 2016 +0300

    Use all available ipaddresses as SAN for master nginx

    As master node nginx must be accessible from any network it has
    and nginx listens on every interface, all IP addresses from them
    must be used in TLS certificate for proper connection.

    Backport of Ib7121af26fffbe011a616b3ffdabb45dc273c3ce
    Closes-Bug: #1517893
    Change-Id: Ia2e93ab33a8c41958a38e04a41e29c8dbb552435

Alexandr Kostrikov (akostrikov-mirantis) wrote :

I have executed puppet manifests with commands:
puppet apply /etc/puppet/mitaka-9.0/modules/fuel/manifests/nginx/services.pp --verbose --debug
puppet apply /etc/puppet/mitaka-9.0/modules/fuel/manifests/nginx.pp --verbose --debug

and network config:
[root@nailgun ~]# ip -o a
1: lo inet 127.0.0.1/8 scope host lo\ valid_lft forever preferred_lft forever
1: lo inet6 ::1/128 scope host \ valid_lft forever preferred_lft forever
2: enp0s3 inet 10.109.5.2/24 brd 10.109.5.255 scope global enp0s3\ valid_lft forever preferred_lft forever
2: enp0s3 inet6 fe80::660d:4bff:fec2:b75/64 scope link \ valid_lft forever preferred_lft forever
3: enp0s4 inet 10.109.12.2/24 brd 10.109.12.255 scope global enp0s4\ valid_lft forever preferred_lft forever
3: enp0s4 inet6 fe80::6661:d2ff:fe03:1a1a/64 scope link \ valid_lft forever preferred_lft forever
4: enp0s5 inet 10.109.15.2/24 brd 10.109.15.255 scope global enp0s5\ valid_lft forever preferred_lft forever
4: enp0s5 inet6 fe80::6629:39ff:fe8e:8ec/64 scope link \ valid_lft forever preferred_lft forever
5: docker0 inet 172.17.0.1/16 scope global docker0\ valid_lft forever preferred_lft forever
[root@nailgun ~]#

The result is such:

[root@nailgun ~]# cat /var/lib/fuel/keys/master/nginx/nginx.cnf
# file managed by puppet
#
# SSLeay example configuration file.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd

[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
prompt = no
req_extensions = req_ext

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
organizationName = Fuel
organizationalUnitName = Fuel Deployment Team
commonName = fuel.master.local
emailAddress = <email address hidden>

[ req_ext ]
subjectAltName = "DNS: 10.109.5.2"

Is it a bug, or should it be called another way?

Changed in fuel:
status: Fix Committed → Confirmed
milestone: 9.0 → 10.0
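The resolution proposal in the description and the nginx.cnf pasted in the comment above turn on the same two questions: does the generated subjectAltName cover every address the master node has, and does it carry each address as an iPAddress entry (`IP:` in openssl cnf syntax) rather than a dNSName entry (`DNS:`)? The script below is an added example, not fuel-library's or Fuel's own code. Its function names, the policy of taking every non-loopback IPv4 address from `ip -o a` output, and the sample text (constructed from the addresses quoted in the comment) are assumptions.

```shell
#!/bin/sh
# Added example (not fuel-library code): derive a subjectAltName value for the
# master node's nginx certificate from `ip -o a` output, and check an existing
# subjectAltName line against the addresses the node actually has.

# Constructed sample: the `ip -o a` lines quoted in the bug comment.
SAMPLE_IP_OUTPUT='1: lo inet 127.0.0.1/8 scope host lo\ valid_lft forever preferred_lft forever
1: lo inet6 ::1/128 scope host \ valid_lft forever preferred_lft forever
2: enp0s3 inet 10.109.5.2/24 brd 10.109.5.255 scope global enp0s3\ valid_lft forever preferred_lft forever
2: enp0s3 inet6 fe80::660d:4bff:fec2:b75/64 scope link \ valid_lft forever preferred_lft forever
3: enp0s4 inet 10.109.12.2/24 brd 10.109.12.255 scope global enp0s4\ valid_lft forever preferred_lft forever
4: enp0s5 inet 10.109.15.2/24 brd 10.109.15.255 scope global enp0s5\ valid_lft forever preferred_lft forever
5: docker0 inet 172.17.0.1/16 scope global docker0\ valid_lft forever preferred_lft forever'

# Addresses the certificate must cover (the three Fuel interfaces from the comment).
EXPECTED_IPS="10.109.5.2 10.109.12.2 10.109.15.2"

# san_from_ip_output TEXT
# Prints "IP:a, IP:b, ..." for every IPv4 address in TEXT except loopback.
# Assumed policy: every non-loopback IPv4 address, following the commit's
# "all IP addresses" wording; tighten the awk filter if docker0 should be left out.
san_from_ip_output() {
    printf '%s\n' "$1" | awk '
        $3 == "inet" && $0 !~ /scope host/ {
            split($4, addr, "/")            # drop the prefix length
            sep = sans ? ", " : ""
            sans = sans sep "IP:" addr[1]
        }
        END { print sans }'
}

# check_san_line LINE "ip1 ip2 ..."
# LINE is the subjectAltName line from the openssl cnf. Prints one problem per
# line and returns 1 if an expected address is missing as an IP: entry, or if
# an IP literal is carried under DNS: (wrong SAN type; see the note below).
check_san_line() {
    line=$1
    expected=$2
    rc=0
    # Normalise: drop the key, the quotes and all spaces, e.g. "DNS:10.109.5.2"
    san=$(printf '%s\n' "$line" | sed 's/^[^=]*=//' | tr -d ' "')
    for ip in $expected; do
        case ",$san," in
            *",IP:$ip,"*) ;;
            *) echo "missing IP:$ip"; rc=1 ;;
        esac
    done
    old_ifs=$IFS
    IFS=','
    for entry in $san; do
        case $entry in
            DNS:[0-9]*.[0-9]*.[0-9]*.[0-9]*) echo "wrong type: $entry"; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}

# Demo on the constructed sample.
generated=$(san_from_ip_output "$SAMPLE_IP_OUTPUT")
echo "generated: subjectAltName = $generated"
if check_san_line 'subjectAltName = "DNS: 10.109.5.2"' "$EXPECTED_IPS"; then
    echo "line from the bug comment is complete"
else
    echo "line from the bug comment needs fixing"
fi
```

Run against the comment's line, the check reports `missing IP:` for all three interfaces and `wrong type: DNS:10.109.5.2`. The type matters as much as the count: common TLS clients (Go's crypto/x509, Python's ssl module) match an IP literal only against iPAddress SAN entries, so an address written as `DNS: 10.109.5.2` does not validate even for the one interface it names. Note that `ip -o a` shows the addresses currently configured; if the certificate is generated before all interfaces are up, the SAN list will be short.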