custom SSL certificate for Contrail WebUI

Bug #1704746 reported by Slobodan Blatnjak
This bug affects 4 people
Affects             Status                     Importance   Assigned to        Milestone
Juniper Openstack   (status tracked in Trunk)
  R3.2              Fix Committed              Medium       Biswajit Mandal
  R4.0              Fix Committed              Medium       Biswajit Mandal
  R4.1              Fix Committed              Medium       Biswajit Mandal
  Trunk             Fix Committed              Medium       Biswajit Mandal

Bug Description

Orange would like to be able to deploy a custom SSL certificate for Contrail WebUI when Contrail is deployed with Red Hat Director.
Currently they can install it manually after Contrail is deployed. The customer needs to do it automatically during the deployment of Contrail.

See with Nicolas Marcoux and Michael Henkel @Juniper.

tags: added: orange
Jeba Paulaiyan (jebap)
tags: added: ui
Changed in juniperopenstack:
assignee: nobody → Anish Mehta (amehta00)
Jeba Paulaiyan (jebap)
Changed in juniperopenstack:
importance: Undecided → Medium
Anish Mehta (amehta00)
Changed in juniperopenstack:
assignee: Anish Mehta (amehta00) → Biswajit Mandal (bmandal)
Revision history for this message
Slobodan Blatnjak (sblatnjak) wrote :

Some more info on this...
-----------------------------------------------------
Orange reported issue "Impossible to access Contrail WebUI through HAProxy":
"I am currently facing a problem with a deployment of RedHat OSP 10 + Contrail 3.2.3: I am not able to connect to the Contrail WebUI using the Overcloud VIP on the External Network.
When trying to access the WebUI, the webbrowser tries to load the page but nothing happens.
Note that if I try to access the WebUI using Contrail VIP (on Contrail network), it works well. It seems that there is a misconfiguration in haproxy, leading to this issue.

Here is the configuration deployed in haproxy:
listen contrail_webui_https
bind 172.20.71.115:8143 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
bind 192.168.19.2:8143 transparent
balance source
hash-type consistent
server 192.168.19.9 192.168.19.9:8143 check fall 5 inter 2000 rise 2
server 192.168.19.10 192.168.19.10:8143 check fall 5 inter 2000 rise 2
server 192.168.19.11 192.168.19.11:8143 check fall 5 inter 2000 rise 2

172.20.71.115 is the VIP on External network, when I try to access it, it doesn't work.
192.168.19.2 is the VIP on the Contrail Network; when I try to access it, it works."
-----------------------------------------------------

Below is the communication with Orange broken into the 3 points:

1. Manual procedure

Changing:
bind 172.20.71.115:8143 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
To:
bind 172.20.71.115:8143 transparent
Resolves the problem of access to the WebUI. However, this certificate is not used anymore for the Contrail WebUI. Instead of this Orange certificate, you get Contrail's default self-signed certificate when accessing the WebUI. (Btw, as you have found already, this is because of:
server 192.168.19.9 192.168.19.9:8143 check fall 5 inter 2000 rise 2
.. in the haproxy settings, and config.server_options.key_file, config.server_options.cert_file in the /etc/contrail/config.global.js webui settings, which are probably set to look at the default certificate.)

This is not acceptable since you can't change this default certificate for now (For this we have ER-075586 - Custom SSL certificate for Contrail WebUI).

You have a solution that could be more acceptable. Instead of removing the "ssl crt ..." instruction on the "bind" line, you added "ssl verify none" on the "server" lines, giving this solution:
listen contrail_webui_https
bind 192.168.213.12:8143 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
bind 192.168.215.12:8143 transparent
balance source
hash-type consistent
server 192.168.215.18 192.168.215.18:8143 check fall 5 inter 2000 rise 2 ssl verify none
server 192.168.215.19 192.168.215.19:8143 check fall 5 inter 2000 rise 2 ssl verify none
server 192.168.215.20 192.168.215.20:8143 check fall 5 inter 2000 rise 2 ssl verify none

This manual solution worked well and is acceptable to you. The user now gets the Orange overcloud-signed certificate.
You want this to be implemented in point 2 (Managed by RH Director) and you are concerned with point 3 in your design (HAProxy "balance source").

2. Managed by RH Director

You want HAProxy's configuration to be managed by RH Director / Contrail deployme...


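The two HAProxy configurations quoted above, as an added example that is not part of the bug report or of Contrail. The original problem is a TLS mismatch: the 172.20.71.115 bind terminates TLS with the overcloud certificate, but the server lines then forward plaintext to the WebUI, which only speaks TLS on 8143, so the browser hangs. The plain 192.168.19.2 bind works because it relays the browser's TLS bytes untouched to the backend. The workaround adds "ssl" so HAProxy re-encrypts, but "verify none" means HAProxy will accept any certificate the backend (or anything impersonating it on the Contrail network) presents. The small audit below flags both cases and passes a hardened third form that uses "verify required ca-file"; the CA path /etc/contrail/webui_ssl/ca.pem and the parsing helper are assumptions of this example, and the sample configs are constructed from the ones posted.

```python
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (section name, finding code, offending line)

# Constructed from the configurations quoted in the bug report (addresses as posted).
BROKEN_CFG = """
listen contrail_webui_https
  bind 172.20.71.115:8143 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 192.168.19.2:8143 transparent
  balance source
  hash-type consistent
  server 192.168.19.9 192.168.19.9:8143 check fall 5 inter 2000 rise 2
  server 192.168.19.10 192.168.19.10:8143 check fall 5 inter 2000 rise 2
  server 192.168.19.11 192.168.19.11:8143 check fall 5 inter 2000 rise 2
"""

WORKAROUND_CFG = """
listen contrail_webui_https
  bind 192.168.213.12:8143 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 192.168.215.12:8143 transparent
  balance source
  hash-type consistent
  server 192.168.215.18 192.168.215.18:8143 check fall 5 inter 2000 rise 2 ssl verify none
  server 192.168.215.19 192.168.215.19:8143 check fall 5 inter 2000 rise 2 ssl verify none
  server 192.168.215.20 192.168.215.20:8143 check fall 5 inter 2000 rise 2 ssl verify none
"""

# Hardened form: re-encrypt AND validate the WebUI certificate. The ca-file path is an
# assumption; for a self-signed WebUI certificate the certificate file itself can be the ca-file.
HARDENED_CFG = """
listen contrail_webui_https
  bind 192.168.213.12:8143 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 192.168.215.12:8143 transparent
  balance source
  hash-type consistent
  server 192.168.215.18 192.168.215.18:8143 check fall 5 inter 2000 rise 2 ssl verify required ca-file /etc/contrail/webui_ssl/ca.pem
  server 192.168.215.19 192.168.215.19:8143 check fall 5 inter 2000 rise 2 ssl verify required ca-file /etc/contrail/webui_ssl/ca.pem
  server 192.168.215.20 192.168.215.20:8143 check fall 5 inter 2000 rise 2 ssl verify required ca-file /etc/contrail/webui_ssl/ca.pem
"""


def parse_sections(cfg: str) -> Dict[str, List[List[str]]]:
    """Split an haproxy.cfg into {section name: [tokenised directive lines]}.
    Only listen/frontend/backend sections are kept; comments and blank lines are dropped."""
    sections: Dict[str, List[List[str]]] = {}
    current = None
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in ("listen", "frontend", "backend") and len(tokens) > 1:
            current = tokens[1]
            sections[current] = []
        elif tokens[0] in ("global", "defaults"):
            current = None
        elif current is not None:
            sections[current].append(tokens)
    return sections


def audit_section(name: str, lines: List[List[str]]) -> List[Finding]:
    """Flag server lines that get plaintext behind a TLS-terminating bind, or that
    re-encrypt without validating the backend certificate."""
    findings: List[Finding] = []
    terminates_tls = any("ssl" in t[1:] for t in lines if t[0] == "bind")
    for t in lines:
        if t[0] != "server" or len(t) < 3:
            continue
        opts, text = t[3:], " ".join(t)
        if "ssl" not in opts:
            if terminates_tls:
                # HAProxy decrypted the client's TLS and now sends HTTP in the clear to a
                # backend that expects a TLS handshake: the browser just hangs.
                findings.append((name, "PLAINTEXT_TO_BACKEND", text))
            continue
        # HAProxy's server default is 'verify required' (global ssl-server-verify).
        verify = "required"
        if "verify" in opts and opts.index("verify") + 1 < len(opts):
            verify = opts[opts.index("verify") + 1]
        if verify == "none":
            findings.append((name, "NO_BACKEND_VERIFY", text))
        elif "ca-file" not in opts:
            findings.append((name, "NO_CA_FILE", text))  # will not even start without a CA
    return findings


def audit_config(cfg: str) -> List[Finding]:
    """Audit every proxy section of a config text, in file order."""
    return [f for name, lines in parse_sections(cfg).items() for f in audit_section(name, lines)]


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CFG), ("workaround", WORKAROUND_CFG), ("hardened", HARDENED_CFG)):
        print(label, audit_config(cfg))
```

Because HAProxy's default for a server with "ssl" is "verify required", a server line that re-encrypts but names no ca-file refuses to start, which is how "verify none" ends up in workarounds like the one above. Once the WebUI certificate is either generated per host (the later commits on this bug) or supplied by the operator, point ca-file at the issuing CA, or at the self-signed certificate itself, and drop "verify none"; HAProxy then refuses a backend it cannot authenticate instead of silently trusting it.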
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/36172
Submitter: Biswajit Mandal (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/36173
Submitter: Biswajit Mandal (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/36568
Submitter: Biswajit Mandal (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/36572
Submitter: Biswajit Mandal (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.1

Review in progress for https://review.opencontrail.org/36647
Submitter: Biswajit Mandal (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/36648
Submitter: Biswajit Mandal (<email address hidden>)

Revision history for this message
Kamil Swiatkowski (kswia) wrote :

The solution presented above does not resolve the problem. It needs to be resolved in the haproxy configuration for RHOSP 10, in contrail-tripleo-puppet:

http://github.com/Juniper/contrail-tripleo-puppet

Revision history for this message
Biswajit Mandal (bmandal) wrote :

The above change is as per issue 2 as mentioned below.
Issue 1 should be handled in contrail-tripleo-puppet repo as you mentioned.

---------------------------------------------------------------------------
From: Marco Passalacqua
Sent: Saturday, July 22, 2017 12:11 AM
To: DP Ayyadevara <email address hidden>; Biswajit Mandal <email address hidden>
Cc: Rene Triana <email address hidden>; Michael Henkel <email address hidden>; Pratik Roychowdhury <email address hidden>; Marc Rapoport <email address hidden>; Richard Roberts <email address hidden>; Nicolas Marcoux <email address hidden>; Slobodan Blatnjak <email address hidden>; Naga Kiran K Y S <email address hidden>
Subject: Re: Small enhancement for certificate on Contrail-tripleo

Hi DP,
Let me try to re-phrase my previous answer.

There are 2 issues:
1. We need to be able to configure the WebUI with custom certificates during the Contrail TripleO Provisioning. For instance, Orange has its own self-generated certs and they need to configure them in the WebUI during provisioning. This basically means an extension of our current contrail-tripleo-heat-templates to introduce new properties able to handle those information (certs contents).

2. Generate self-signed certs during the WebUI RPM installation (this should be what Biswajit is referring to). Currently the RPM already contains cert files (I guess generated during the build), which of course is not exactly “secure”. So, we need to implement, at the RPM level (%post?), the creation of those self-signed certs. Of course, those self-signed certs generated during the RPM installation will be replaced by TripleO in case a user decides to use his own certs (see 1).

Hope it is clear now, but please do not hesitate in case you have any additional query.
Thanks.

Ciao,

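Issue 2 above, as an added example that is not Contrail's packaging code: what a package %post step that generates a per-host self-signed pair has to do, and the two properties it needs. It must be idempotent and must never overwrite, so a certificate installed by the operator (issue 1, via TripleO) survives package upgrades, and the private key must not be readable by other users. The directory /etc/contrail/webui_ssl is the one named in the fix commits on this bug; the file names cs-key.pem and cs-cert.pem, the CN and the validity period are assumptions of this example. It shells out to the openssl CLI, so that tool must be installed.

```python
import os
import ssl
import subprocess
import tempfile
from pathlib import Path

WEBUI_SSL_DIR = "/etc/contrail/webui_ssl"           # directory named in the fix commits
KEY_NAME, CERT_NAME = "cs-key.pem", "cs-cert.pem"   # assumed file names


def ensure_webui_ssl(ssl_dir: str = WEBUI_SSL_DIR, common_name: str = "contrail-webui",
                     days: int = 365) -> dict:
    """Create a self-signed key/cert pair in ssl_dir only if no pair exists there yet.
    Never overwrites: a pair the operator installed (e.g. via TripleO) wins over the
    generated fallback on every later package install or upgrade."""
    d = Path(ssl_dir)
    key, cert = d / KEY_NAME, d / CERT_NAME
    if key.exists() and cert.exists():
        return {"key": str(key), "cert": str(cert), "created": False}
    d.mkdir(parents=True, exist_ok=True)
    os.chmod(d, 0o750)
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", str(key), "-out", str(cert), "-days", str(days),
         "-subj", f"/CN={common_name}"],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    os.chmod(key, 0o600)    # private key: owner only
    os.chmod(cert, 0o644)   # certificate is public
    return {"key": str(key), "cert": str(cert), "created": True}


def pair_loads(key: str, cert: str) -> bool:
    """Sanity check a start-up script should run before the server binds: the key and
    certificate must parse and belong together, otherwise load_cert_chain raises."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=cert, keyfile=key)
    return True


def demo() -> dict:
    """Two 'hosts' installed into a scratch directory: material differs per host,
    a second run on the same host changes nothing, key permissions are tightened."""
    with tempfile.TemporaryDirectory() as tmp:
        a = ensure_webui_ssl(os.path.join(tmp, "hostA"), "hostA")
        again = ensure_webui_ssl(os.path.join(tmp, "hostA"), "hostA")
        b = ensure_webui_ssl(os.path.join(tmp, "hostB"), "hostB")
        return {
            "created_first": a["created"],
            "created_again": again["created"],
            "key_mode": oct(os.stat(a["key"]).st_mode & 0o777),
            "distinct_keys": Path(a["key"]).read_bytes() != Path(b["key"]).read_bytes(),
            "loads": pair_loads(a["key"], a["cert"]),
        }


if __name__ == "__main__":
    print(demo())
```

The reason a pre-generated pair shipped in the RPM or committed to the repository is not "secure" is that every installation then shares one private key, and anyone holding the package or the repository history can impersonate every WebUI. demo() shows two installs ending up with different keys; the "created" flag is what lets the %post step coexist with issue 1, where TripleO drops the operator's own key and certificate into the same directory.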
information type: Proprietary → Public
Revision history for this message
Nicolas Marcoux (nmarcoux) wrote :

@bmandal: you mentioned that you did a change for item 2 "Generate self-signed certs during the WebUI RPM installation" => did you merge the fix in 3.2?

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/36572
Committed: http://github.com/Juniper/contrail-web-core/commit/747a99ab68d059834843afb58e90e510555031ce
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit 747a99ab68d059834843afb58e90e510555031ce
Author: Biswajit Mandal <email address hidden>
Date: Mon Oct 2 16:27:31 2017 -0700

Changing the SSL cert path to the one created at installation instead of the
ones which are the default part of the repo.

Related-Bug: #1704746

Change-Id: Id2d27fe6ec9c4a4e2841cfb430e8c95d6c6686e1
(cherry picked from commit d24fe98831a48eba8883bb8e2fb99d0c4f844150)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/36568
Committed: http://github.com/Juniper/contrail-packaging/commit/bd34383e8f04a67d40a2e765596324d955d05e3d
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit bd34383e8f04a67d40a2e765596324d955d05e3d
Author: Biswajit Mandal <email address hidden>
Date: Mon Oct 2 15:55:16 2017 -0700

Custom SSL certificate for Contrail WebUI

Adding ssl creation step (in /etc/contrail/webui_ssl) while installing contrail-web-core package instead of
making it part of contrail-provisioning.

Change-Id: I03c612f4baf3c95231de2feb031ec321e219b0e3
Related-Bug: #1704746

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/36647
Committed: http://github.com/Juniper/contrail-packaging/commit/bedac2b5a26f19d0303eea66dfbc5ea613cb4e7b
Submitter: Zuul (<email address hidden>)
Branch: R4.1

commit bedac2b5a26f19d0303eea66dfbc5ea613cb4e7b
Author: Biswajit Mandal <email address hidden>
Date: Mon Oct 2 15:55:16 2017 -0700

Custom SSL certificate for Contrail WebUI

Adding ssl creation step (in /etc/contrail/webui_ssl) while installing contrail-web-core package instead of
making it part of contrail-provisioning.

Change-Id: I03c612f4baf3c95231de2feb031ec321e219b0e3
Related-Bug: #1704746
(cherry picked from commit bd34383e8f04a67d40a2e765596324d955d05e3d)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/36648
Committed: http://github.com/Juniper/contrail-web-core/commit/1e616db342f85bffc0c02b0b328a489477f14626
Submitter: Zuul (<email address hidden>)
Branch: R4.1

commit 1e616db342f85bffc0c02b0b328a489477f14626
Author: Biswajit Mandal <email address hidden>
Date: Mon Oct 2 16:27:31 2017 -0700

Changing the SSL cert path to the one created at installation instead of the
ones which are the default part of the repo.

Related-Bug: #1704746

Change-Id: Id2d27fe6ec9c4a4e2841cfb430e8c95d6c6686e1

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/37801
Submitter: Biswajit Mandal (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/37802
Submitter: Biswajit Mandal (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/36172
Committed: http://github.com/Juniper/contrail-packaging/commit/e07e65f25d9fd4304042dd6cb2fdcaecbbdf4ad9
Submitter: Zuul (<email address hidden>)
Branch: master

commit e07e65f25d9fd4304042dd6cb2fdcaecbbdf4ad9
Author: Biswajit Mandal <email address hidden>
Date: Mon Oct 2 15:55:16 2017 -0700

Custom SSL certificate for Contrail WebUI

Adding ssl creation step (in /etc/contrail/webui_ssl) while installing contrail-web-core package instead of
making it part of contrail-provisioning.

Change-Id: I03c612f4baf3c95231de2feb031ec321e219b0e3
Related-Bug: #1704746

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/37804
Submitter: Biswajit Mandal (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.1

Review in progress for https://review.opencontrail.org/37805
Submitter: Biswajit Mandal (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/37806
Submitter: Biswajit Mandal (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/37807
Submitter: Biswajit Mandal (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/37805
Committed: http://github.com/Juniper/contrail-web-core/commit/334397eb5bc343c8c99c5d674f2aedca1ae40d3d
Submitter: Zuul (<email address hidden>)
Branch: R4.1

commit 334397eb5bc343c8c99c5d674f2aedca1ae40d3d
Author: Biswajit Mandal <email address hidden>
Date: Wed Nov 22 14:24:10 2017 -0800

Remove cert/keys from contrail-web-core repo

Removed the keys/cert from repo
For Dev, we need this cert and keys, so adding a make target(make gen-keys) to run script to
generate. This needs to be run for dev-envt only.

Change-Id: I38f03a6c6e166e4b08c8cce2d38e98e47c9b3789
Related-Bug: #1704746

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/36173
Committed: http://github.com/Juniper/contrail-web-core/commit/d24fe98831a48eba8883bb8e2fb99d0c4f844150
Submitter: Zuul (<email address hidden>)
Branch: master

commit d24fe98831a48eba8883bb8e2fb99d0c4f844150
Author: Biswajit Mandal <email address hidden>
Date: Mon Oct 2 16:27:31 2017 -0700

Changing the SSL cert path to the one created at installation instead of the
ones which are the default part of the repo.

Related-Bug: #1704746

Change-Id: Id2d27fe6ec9c4a4e2841cfb430e8c95d6c6686e1

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/37807
Committed: http://github.com/Juniper/contrail-web-core/commit/3be6ff4a2f7d6f78c8716b14977a337ac7e129d8
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit 3be6ff4a2f7d6f78c8716b14977a337ac7e129d8
Author: Biswajit Mandal <email address hidden>
Date: Wed Nov 22 14:24:10 2017 -0800

Remove cert/keys from contrail-web-core repo

Removed the keys/cert from repo
For Dev, we need this cert and keys, so adding a make target(make gen-keys) to run script to
generate. This needs to be run for dev-envt only.

Change-Id: I38f03a6c6e166e4b08c8cce2d38e98e47c9b3789
Related-Bug: #1704746

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/37806
Committed: http://github.com/Juniper/contrail-web-core/commit/427bc8f638554fa3ca6685b4763b0a8e97474837
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit 427bc8f638554fa3ca6685b4763b0a8e97474837
Author: Biswajit Mandal <email address hidden>
Date: Wed Nov 22 14:24:10 2017 -0800

Remove cert/keys from contrail-web-core repo

Removed the keys/cert from repo
For Dev, we need this cert and keys, so adding a make target(make gen-keys) to run script to
generate. This needs to be run for dev-envt only.

Change-Id: I38f03a6c6e166e4b08c8cce2d38e98e47c9b3789
Related-Bug: #1704746

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/37804
Committed: http://github.com/Juniper/contrail-web-core/commit/f35f1525a7112f4521302687192111ffebc81f8e
Submitter: Zuul (<email address hidden>)
Branch: master

commit f35f1525a7112f4521302687192111ffebc81f8e
Author: Biswajit Mandal <email address hidden>
Date: Wed Nov 22 14:24:10 2017 -0800

Remove cert/keys from contrail-web-core repo

Removed the keys/cert from repo
For Dev, we need this cert and keys, so adding a make target(make gen-keys) to run script to
generate. This needs to be run for dev-envt only.

Change-Id: I38f03a6c6e166e4b08c8cce2d38e98e47c9b3789
Related-Bug: #1704746

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/37801
Committed: http://github.com/Juniper/contrail-packaging/commit/5fab2542f4eff93d266cf408e1b53e0cb3c8364d
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit 5fab2542f4eff93d266cf408e1b53e0cb3c8364d
Author: Biswajit Mandal <email address hidden>
Date: Mon Oct 2 15:55:16 2017 -0700

Custom SSL certificate for Contrail WebUI

Adding ssl creation step (in /etc/contrail/webui_ssl) while installing contrail-web-core package instead of
making it part of contrail-provisioning.

Change-Id: I03c612f4baf3c95231de2feb031ec321e219b0e3
Related-Bug: #1704746
(cherry picked from commit bd34383e8f04a67d40a2e765596324d955d05e3d)
(cherry picked from commit bedac2b5a26f19d0303eea66dfbc5ea613cb4e7b)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/37802
Committed: http://github.com/Juniper/contrail-web-core/commit/dac2683df19e4151a069304f245200f1d59874f2
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit dac2683df19e4151a069304f245200f1d59874f2
Author: Biswajit Mandal <email address hidden>
Date: Mon Oct 2 16:27:31 2017 -0700

Changing the SSL cert path to the one created at installation instead of the
ones which are the default part of the repo.

Related-Bug: #1704746

Change-Id: Id2d27fe6ec9c4a4e2841cfb430e8c95d6c6686e1
(cherry picked from commit 1e616db342f85bffc0c02b0b328a489477f14626)
