sahara broken if SSL enabled

Bug #1650284 reported by Roman Sokolkov
Affects: Fuel for OpenStack
Status: Fix Committed
Importance: Medium
Assigned to: Stanislaw Bogatkin

Bug Description

Sahara has two flags, "public_identity_ca_file" and "public_object_store_ca_file". There should be a path to the CA certificate that is used for the OpenStack APIs.

But Fuel puts there the whole PEM file with key, cert and cert chain, which is wrong and breaks Sahara cluster deployment with the following error:

http://paste.openstack.org/show/592049/

Right solution: put only cert and chain in pem file.

Steps to reproduce:
1) Deploy MOS with Sahara and own certificate (Put Key, cert and chain)
2) Try to deploy Sahara cluster with http://docs.openstack.org/developer/sahara/devref/quickstart.html

Expected result:
Sahara cluster will be deployed

Actual result:
Sahara cluster fails with error above

tags: added: area-library
Changed in fuel:
importance: Undecided → Medium
assignee: nobody → Stanislaw Bogatkin (sbogatkin)
milestone: none → 11.0
Changed in fuel:
importance: Medium → High
importance: High → Medium
status: New → Confirmed
Stanislaw Bogatkin (sbogatkin) wrote :

>Right solution: put only cert and chain in pem file.

It looks right only when you don't know that haproxy needs both key and cert in the PEM file, and we use haproxy everywhere, for each service in the cluster. We also did this for Sahara in our default installation, but this behavior was broken in https://github.com/openstack/fuel-library/commit/8966ed1bf7cc9b5f883458c33375e99ad57bfea6 and it needs to be fixed.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/411758

Changed in fuel:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/411828

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/411828
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=37945bfd0bdb2b4016a7659a62b7f282dfa0c7f4
Submitter: Jenkins
Branch: master

commit 37945bfd0bdb2b4016a7659a62b7f282dfa0c7f4
Author: Stanislaw Bogatkin <email address hidden>
Date: Fri Dec 16 17:05:42 2016 +0300

    Remove private key from cert chain in /etc

    As we use /etc as a TLS certchain store, we should remove the
    private key from it, as it isn't needed there.

    Change-Id: I3041e8de1519395cc6018845285ed1b949225a52
    Closes-Bug: #1650284

Changed in fuel:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Change abandoned on fuel-library (master)

Change abandoned by Stanislaw Bogatkin (<email address hidden>) on branch: master
Review: https://review.openstack.org/411758
Reason: In favor of I3041e8de1519395cc6018845285ed1b949225a52

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/fuel-library 11.0.0.0rc1

This issue was fixed in the openstack/fuel-library 11.0.0.0rc1 release candidate.
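
The split discussed in this report (haproxy gets key plus cert, a CA-file option gets cert and chain only), as an added example that is not fuel-library's code. The function names and the sample bundle are constructed for illustration, and the code only sorts PEM blocks by label; it does not validate the certificates.

```python
import re

# Matches any PEM block and captures its label (CERTIFICATE, RSA PRIVATE KEY, ...).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.DOTALL
)


def split_pem(bundle: str):
    """Return (certs, keys): the PEM blocks of each kind, in file order."""
    certs, keys = [], []
    for match in PEM_BLOCK.finditer(bundle):
        label = match.group(1)
        if label == "CERTIFICATE":
            certs.append(match.group(0))
        elif label.endswith("PRIVATE KEY"):  # PRIVATE KEY, RSA/EC/ENCRYPTED PRIVATE KEY
            keys.append(match.group(0))
    return certs, keys


def ca_file_contents(bundle: str) -> str:
    """Certificate and chain only: what a CA-file option should point at."""
    certs, _ = split_pem(bundle)
    if not certs:
        raise ValueError("no CERTIFICATE block found in bundle")
    return "\n".join(certs) + "\n"


def contains_private_key(pem_text: str) -> bool:
    """Check to run against any file that is meant to be a CA or chain store."""
    return bool(split_pem(pem_text)[1])


# Constructed sample bundle: placeholder bodies, not real key material.
SAMPLE_BUNDLE = """-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQta2V5
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtbGVhZg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtY2hhaW4=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print(ca_file_contents(SAMPLE_BUNDLE), end="")
```
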
