certmonger postsave command for haproxy doesn't actually update the bundled PEM

Bug #1712514 reported by Juan Antonio Osorio Robles
Affects | Status | Importance | Assigned to | Milestone
tripleo | Fix Released | High | Juan Antonio Osorio Robles |

Bug Description

HAProxy requires a PEM file for TLS that has the certificate and the key, unlike other applications which use separate files. While the aforementioned certificate and key are bundled together in one file by puppet, the bundled file is not recreated when certmonger does a resubmit or a renewal of the certificate. This will cause certmonger to reload haproxy, but haproxy will still serve the old bundle.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/496572

Changed in tripleo:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
status: New → In Progress
Changed in tripleo:
importance: Undecided → High
milestone: none → pike-rc1
Changed in tripleo:
milestone: pike-rc1 → pike-rc2
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/496572
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=e1791a37d557b14bb8f833363cabe5c98e151548
Submitter: Jenkins
Branch: master

commit e1791a37d557b14bb8f833363cabe5c98e151548
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Wed Aug 23 12:20:20 2017 +0300

    HAProxy: Make certmonger bundle the cert and key on renewal

    The postsave command is run by certmonger when a certificate is
    requested (which will happen on certificate renewal). The previous
    command given didn't take into account the file that haproxy expects,
    which is a bundled PEM file with both the certificate and the key. Thus,
    certmonger would have never generated a new bundle that haproxy would
    use, resulting in haproxy always having an old bundle after certificate
    expiration.

    This fixes that.

    Change-Id: Idb650d35f56abaf6a17e17794a068dd5933e6a62
    Closes-Bug: #1712514
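The bug description and the commit message above both describe the same defect: the postsave hook only reloaded haproxy, so the daemon reopened the stale bundle. The following is an added example, not code from puppet-tripleo or from the bug's author, of what a corrected postsave script looks like in POSIX sh: it rebuilds the bundle from the renewed certificate and key (certificate first, key second, as haproxy expects), writes it atomically with mode 0600 so the private key is never exposed world-readable during the swap, and only then reloads haproxy. The file paths and the `systemctl reload haproxy` command are assumptions; the PEM contents used to exercise it are constructed placeholders.

```shell
#!/bin/sh
# Added example of a certmonger postsave command for HAProxy (not the
# puppet-tripleo code). Paths are assumptions; override via environment.
set -eu

CERT_FILE="${CERT_FILE:-/etc/pki/tls/certs/haproxy.crt}"
KEY_FILE="${KEY_FILE:-/etc/pki/tls/private/haproxy.key}"
BUNDLE_FILE="${BUNDLE_FILE:-/etc/pki/tls/private/haproxy.pem}"

# The pre-fix behaviour described in the bug: reload only. haproxy reopens
# whatever bundle is already on disk, i.e. the old certificate.
broken_postsave() {
    systemctl reload haproxy
}

# Rebuild the bundle from the freshly saved certificate and key.
# Written to a temp file in the same directory and renamed into place so
# haproxy never reads a half-written bundle; mode 0600 because the bundle
# contains the private key.
bundle_cert_and_key() {
    cert="$1"; key="$2"; bundle="$3"
    umask 077
    tmp="$(mktemp "$(dirname "$bundle")/.haproxy.pem.XXXXXX")"
    cat "$cert" "$key" > "$tmp"
    chmod 0600 "$tmp"
    mv -f "$tmp" "$bundle"
}

# Check that the bundle on disk is exactly certificate followed by key.
# Returns 0 on match, 1 otherwise (usable as a post-renewal health check).
bundle_matches() {
    cert="$1"; key="$2"; bundle="$3"
    cat "$cert" "$key" | cmp -s - "$bundle"
}

# Fixed postsave: regenerate the bundle, verify it, then reload.
postsave() {
    bundle_cert_and_key "$CERT_FILE" "$KEY_FILE" "$BUNDLE_FILE"
    bundle_matches "$CERT_FILE" "$KEY_FILE" "$BUNDLE_FILE"
    systemctl reload haproxy
}

# Only act when invoked as the hook itself (certmonger: --postsave-command
# "/path/to/this.sh --run"); sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    postsave
fi
```

The order of operations is the point: the bundle must be regenerated before the reload, and the reload must happen after the rename, otherwise haproxy can still end up serving the expired certificate that this bug describes.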

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/498308

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on puppet-tripleo (stable/pike)

Change abandoned by Emilien Macchi (<email address hidden>) on branch: stable/pike
Review: https://review.openstack.org/498308
Reason: I need to purge the gate because TripleO CI gate has critical issues right now, I'll make this patch go to the gate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/pike)

Reviewed: https://review.openstack.org/498308
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=eae8fb5186369e53da3d9003cb0161c518f1188a
Submitter: Jenkins
Branch: stable/pike

commit eae8fb5186369e53da3d9003cb0161c518f1188a
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Wed Aug 23 12:20:20 2017 +0300

    HAProxy: Make certmonger bundle the cert and key on renewal

    The postsave command is run by certmonger when a certificate is
    requested (which will happen on certificate renewal). The previous
    command given didn't take into account the file that haproxy expects,
    which is a bundled PEM file with both the certificate and the key. Thus,
    certmonger would have never generated a new bundle that haproxy would
    use, resulting in haproxy always having an old bundle after certificate
    expiration.

    This fixes that.

    Change-Id: Idb650d35f56abaf6a17e17794a068dd5933e6a62
    Closes-Bug: #1712514
    (cherry picked from commit e1791a37d557b14bb8f833363cabe5c98e151548)

tags: added: in-stable-pike
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 7.4.0

This issue was fixed in the openstack/puppet-tripleo 7.4.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 8.0.0

This issue was fixed in the openstack/puppet-tripleo 8.0.0 release.
