certmonger postsave command for haproxy doesn't actually update the bundled PEM

Bug #1712514 reported by Juan Antonio Osorio Robles on 2017-08-23
This bug affects 1 person
Affects: tripleo
Importance: High
Assigned to: Juan Antonio Osorio Robles

Bug Description

HAProxy requires a PEM file for TLS that has the certificate and the key, unlike other applications which use separate files. While the aforementioned certificate and key are bundled together in one file by puppet, the bundled file is not recreated when certmonger does a resubmit or a renewal of the certificate. This will cause certmonger to reload haproxy, but haproxy will still serve the old bundle.
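
An added sketch, not puppet-tripleo's actual postsave command, of what a renewal hook has to do in the situation described above: rebuild the bundle from the renewed certificate and key, swap it in atomically, and reload only once the bundle matches. The function names, the argument order and the reload command passed as trailing arguments are assumptions.

```shell
#!/bin/sh
# Added example. Hypothetical usage as a postsave command:
#   script CERT KEY BUNDLE [RELOAD_CMD...]

# Return 0 only when BUNDLE is byte-for-byte CERT followed by KEY.
# Useful as a monitoring check for the stale-bundle condition.
bundle_is_current() {
    [ -f "$1" ] && [ -f "$2" ] && [ -f "$3" ] || return 1
    cat "$1" "$2" | cmp -s - "$3"
}

# Write CERT+KEY to a temp file beside BUNDLE, then rename over it, so
# haproxy never reads a half-written PEM. mktemp creates the file 0600;
# ownership may need adjusting for the local haproxy setup (assumption).
rebuild_bundle() {
    cert=$1 key=$2 bundle=$3
    [ -s "$cert" ] && [ -s "$key" ] || return 1
    tmp=$(mktemp "${bundle}.XXXXXX") || return 1
    if cat "$cert" "$key" > "$tmp" && mv -f "$tmp" "$bundle"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Rebuild first, verify, and run the reload command only on success.
# A failed rebuild leaves the previous bundle in place and skips the reload.
postsave() {
    cert=$1 key=$2 bundle=$3
    shift 3
    rebuild_bundle "$cert" "$key" "$bundle" || return 1
    bundle_is_current "$cert" "$key" "$bundle" || return 1
    [ $# -eq 0 ] || "$@"
}

# Run as a script only when paths are supplied.
if [ $# -ge 3 ]; then
    postsave "$@"
fi
```

`bundle_is_current` can also be run on its own after a renewal to detect a node that is still serving the old bundle.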

Fix proposed to branch: master
Review: https://review.openstack.org/496572

Changed in tripleo:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
status: New → In Progress
Changed in tripleo:
importance: Undecided → High
milestone: none → pike-rc1
Changed in tripleo:
milestone: pike-rc1 → pike-rc2

Reviewed: https://review.openstack.org/496572
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=e1791a37d557b14bb8f833363cabe5c98e151548
Submitter: Jenkins
Branch: master

commit e1791a37d557b14bb8f833363cabe5c98e151548
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Wed Aug 23 12:20:20 2017 +0300

    HAProxy: Make certmonger bundle the cert and key on renewal

    The postsave command is run by certmonger when a certificate is
    requested (which will happen on certificate renewal). The previous
    command given didn't take into account the file that haproxy expects,
    which is a bundled PEM file with both the certificate and the key. Thus,
    certmonger would have never generated a new bundle that haproxy would
    use, resulting in haproxy always having an old bundle after certificate
    expiration.

    This fixes that.

    Change-Id: Idb650d35f56abaf6a17e17794a068dd5933e6a62
    Closes-Bug: #1712514

Changed in tripleo:
status: In Progress → Fix Released

Change abandoned by Emilien Macchi (<email address hidden>) on branch: stable/pike
Review: https://review.openstack.org/498308
Reason: I need to purge the gate because TripleO CI gate has critical issues right now, I'll make this patch go to the gate.

Reviewed: https://review.openstack.org/498308
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=eae8fb5186369e53da3d9003cb0161c518f1188a
Submitter: Jenkins
Branch: stable/pike

commit eae8fb5186369e53da3d9003cb0161c518f1188a
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Wed Aug 23 12:20:20 2017 +0300

    HAProxy: Make certmonger bundle the cert and key on renewal

    The postsave command is run by certmonger when a certificate is
    requested (which will happen on certificate renewal). The previous
    command given didn't take into account the file that haproxy expects,
    which is a bundled PEM file with both the certificate and the key. Thus,
    certmonger would have never generated a new bundle that haproxy would
    use, resulting in haproxy always having an old bundle after certificate
    expiration.

    This fixes that.

    Change-Id: Idb650d35f56abaf6a17e17794a068dd5933e6a62
    Closes-Bug: #1712514
    (cherry picked from commit e1791a37d557b14bb8f833363cabe5c98e151548)

tags: added: in-stable-pike

This issue was fixed in the openstack/puppet-tripleo 7.4.0 release.

This issue was fixed in the openstack/puppet-tripleo 8.0.0 release.
