Certmonger post-save command does not work with renewals

Bug #1811401 reported by Juan Antonio Osorio Robles on 2019-01-11
Affects: tripleo
Importance: Critical
Assigned to: Juan Antonio Osorio Robles

Bug Description

An SSL-enabled undercloud has been running for about a year. The SSL cert expired and was renewed automatically with certmonger. OpenStack commands run on the undercloud (stackrc sourced) are returning CERTIFICATE_VERIFY_FAILED.

This is an issue for all certificates requested by certmonger, and it was due to having wrong assumptions about how the post-save command works with certmonger (it doesn't spawn a subshell).

So, this is an issue for the overcloud as well, with TLS everywhere.
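
The point in the description above (no subshell is spawned for the post-save command), as an added example that is not part of the bug report or the TripleO code: it runs one constructed command line both exec-style and through /bin/sh, and flags command lines that depend on shell parsing. `shlex.split` stands in for certmonger's own argument splitting (an assumption), and the sample commands and the script path are constructed.

```python
import os
import shlex
import subprocess
import tempfile

OPERATOR_CHARS = set("();<>|&")   # punctuation that only a shell interprets
SHELL_KEYWORDS = {"if", "for", "while", "until", "case"}
SHELLS = {"sh", "bash", "dash"}


def shell_dependencies(command):
    """Return the parts of `command` that only work when a shell parses the line."""
    try:
        argv = shlex.split(command)
        lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
        lexer.whitespace_split = True
        tokens = list(lexer)
    except ValueError as exc:     # e.g. unbalanced quotes
        return ["unparseable: %s" % exc]
    # An explicit "sh -c '...'" wrapper brings its own shell, so nothing is missing.
    if len(argv) >= 3 and os.path.basename(argv[0]) in SHELLS and argv[1] == "-c":
        return []
    findings = []
    for index, token in enumerate(tokens):
        if token and set(token) <= OPERATOR_CHARS:
            findings.append("operator " + token)
        elif index == 0 and token in SHELL_KEYWORDS:
            findings.append("keyword " + token)
        elif "$" in token or "`" in token:
            findings.append("expansion " + token)
    return findings


def compare_execution():
    """Run one command line exec-style (argv, no shell) and via /bin/sh -c."""
    with tempfile.TemporaryDirectory() as tmp:
        # The marker file plays the role of the service reload.
        marker = os.path.join(tmp, "reloaded")
        command = "echo renewed && touch " + shlex.quote(marker)

        # No shell: "&&", "touch" and the path become plain arguments to echo.
        direct = subprocess.run(shlex.split(command), capture_output=True, text=True)
        marker_after_exec = os.path.exists(marker)

        # With a shell: "&&" is an operator and touch really runs.
        shell = subprocess.run(["/bin/sh", "-c", command], capture_output=True, text=True)
        marker_after_shell = os.path.exists(marker)

    return {
        "exec_returncode": direct.returncode,
        "exec_stdout": direct.stdout,
        "marker_after_exec": marker_after_exec,
        "shell_returncode": shell.returncode,
        "shell_stdout": shell.stdout,
        "marker_after_shell": marker_after_shell,
    }


# Constructed sample post-save commands (not taken from the TripleO code).
SAMPLE_COMMANDS = [
    "systemctl reload httpd",
    "if systemctl -q is-active haproxy; then systemctl reload haproxy; fi",
    "/usr/local/bin/reload-haproxy.sh",                  # hypothetical wrapper script
    "sh -c 'systemctl reload httpd && logger renewed'",  # explicit shell
]


if __name__ == "__main__":
    result = compare_execution()
    print("exec-style: rc=%d marker=%s stdout=%r" % (
        result["exec_returncode"], result["marker_after_exec"], result["exec_stdout"]))
    print("via shell:  rc=%d marker=%s stdout=%r" % (
        result["shell_returncode"], result["marker_after_shell"], result["shell_stdout"]))
    for command in SAMPLE_COMMANDS:
        print("%-70s -> %s" % (command, shell_dependencies(command) or "ok without a shell"))
```

In this demonstration the exec-style run exits 0 although the second command never ran, so the exit status alone does not reveal the problem.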

Changed in tripleo:
status: New → Confirmed
importance: Undecided → Critical
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
milestone: none → stein-2
milestone: stein-2 → stein-3
summary: - Certmonger post-save command does not work automatically after CA cert
- renewal
+ Certmonger post-save command does not work with renewals
description: updated
Changed in tripleo:
status: Confirmed → In Progress

Related fix proposed to branch: master
Review: https://review.openstack.org/633216

Related fix proposed to branch: master
Review: https://review.openstack.org/633531

Reviewed: https://review.openstack.org/623353
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=648dfa2bdc0b4f4c076404b3f665d78329780632
Submitter: Zuul
Branch: master

commit 648dfa2bdc0b4f4c076404b3f665d78329780632
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Dec 6 18:47:18 2018 -0500

    Reload haproxy when certificate is renewed

    This adds an explicit post-save command that was introduced in the
    patch this depends on.

    Preferably this patch should merge at the same time as the one this
    depends on.

    Related-Bug: #1811401
    Co-Authored-By: Grzegorz Grasza <email address hidden>
    Depends-On: I5d91f8d9b5cd4f86ae0511a69e58858c5dccd35d
    Change-Id: Id409899bf04e7f9f2653e6c48cfebd0a92ca2d08

Reviewed: https://review.openstack.org/633171
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=f1f4a6ccb88e3fc3c2509e0f5c6ba1ae61efe617
Submitter: Zuul
Branch: master

commit f1f4a6ccb88e3fc3c2509e0f5c6ba1ae61efe617
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Fri Jan 25 11:13:24 2019 +0200

    httpd: Remove default post-save command for certmonger

    The default command didn't work, so we need to fix that.

    Related-Bug: #1811401
    Needed-By: I862f0d15f769167c8b5d27cf302b7087b8fad0ab
    Change-Id: I642f48aa0e66ca57de2ecee921c798747ba41e1a

Reviewed: https://review.openstack.org/633216
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=801391a13eec513f7e0f5dba09b1214e4db8abf4
Submitter: Zuul
Branch: master

commit 801391a13eec513f7e0f5dba09b1214e4db8abf4
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 14:54:00 2019 +0100

    rabbitmq: Remove default post-save command for certmonger

    The default command didn't work, so we need to fix that.

    The script additionally copies the certificates in the right place
    and instead of restarting RabbitMQ, it triggers a pem cache reload.

    Related-Bug: #1811401
    Needed-By: I3e564f9a5abdbf11d0580c4ff801092f32bcc678
    Change-Id: Id06633a1adaafe1fef1d3d7f6b2af3ef5ffc9d4a

Reviewed: https://review.openstack.org/633170
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=514f99c575151489bdfef0cde01a0ebd57e5e131
Submitter: Zuul
Branch: master

commit 514f99c575151489bdfef0cde01a0ebd57e5e131
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Fri Jan 25 11:18:15 2019 +0200

    TLS everywhere: Set post-save command for httpd

    The default command wasn't working, so here we set one that will
    actually work.

    httpd is a fairly simple instance, since the certs are mounted from the
    directory (and not the individual certs). So there is no need to copy
    anything to the container or do any post-processing. All we need to do
    is tell httpd to load the new certs.

    Related-Bug: #1811401
    Depends-On: I642f48aa0e66ca57de2ecee921c798747ba41e1a
    Change-Id: I862f0d15f769167c8b5d27cf302b7087b8fad0ab

Reviewed: https://review.openstack.org/633217
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=03c54b80676bdd3c2092823e620253259e77c796
Submitter: Zuul
Branch: master

commit 03c54b80676bdd3c2092823e620253259e77c796
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 15:32:58 2019 +0100

    TLS everywhere: Set post-save command for RabbitMQ

    The default command wasn't working, here we set one that will actually work.

    The script additionally copies the certificates in the right place
    and instead of restarting RabbitMQ, it triggers a pem cache reload.

    Related-Bug: #1811401
    Co-Authored-By: Juan Antonio Osorio Robles <email address hidden>
    Depends-On: Id06633a1adaafe1fef1d3d7f6b2af3ef5ffc9d4a
    Change-Id: I3e564f9a5abdbf11d0580c4ff801092f32bcc678

Reviewed: https://review.openstack.org/633238
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=4deea3a46babe9faabaec5b90e7425b4fe93915c
Submitter: Zuul
Branch: master

commit 4deea3a46babe9faabaec5b90e7425b4fe93915c
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 17:26:31 2019 +0100

    redis: Remove default post-save command for certmonger

    The default command didn't work, so we need to fix that.

    The script additionally copies the certificates in the right place
    and instead of restarting stunnel, triggers a configuration reload.

    Related-Bug: #1811401
    Needed-By: I49811a6cab5416d965ce1da93a71728ad5b1d27c
    Change-Id: I437d69fef45d1662e8908c5ca0f7063be6cb9b32

Reviewed: https://review.openstack.org/633239
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=f7fb7675411262b47c9c69c580d18aa743ceb7e9
Submitter: Zuul
Branch: master

commit f7fb7675411262b47c9c69c580d18aa743ceb7e9
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 17:25:00 2019 +0100

    TLS everywhere: Set post-save command for redis

    The default command wasn't working, here we set one that will actually work.

    The script additionally copies the certificates in the right place
    and instead of restarting stunnel, triggers a configuration reload.

    Related-Bug: #1811401
    Co-Authored-By: Juan Antonio Osorio Robles <email address hidden>
    Depends-On: I437d69fef45d1662e8908c5ca0f7063be6cb9b32
    Change-Id: I49811a6cab5416d965ce1da93a71728ad5b1d27c

Reviewed: https://review.openstack.org/634221
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=8fa561f8f028a73f704062fbeca3cdaaf1b7027e
Submitter: Zuul
Branch: master

commit 8fa561f8f028a73f704062fbeca3cdaaf1b7027e
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Jan 31 14:38:25 2019 +0200

    Remove default post-save command from mysql

    That was not being used. The new certificate will be picked up when
    mysql is restarted (which would happen on an upgrade).

    Change-Id: If4ca3e9f0c248ae6df6c57edc9a2adf841d2e425
    Related-Bug: #1811401

Reviewed: https://review.openstack.org/634371
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=4cfa7c066fbb60303fd5287c38eb59ffa2a298ae
Submitter: Zuul
Branch: master

commit 4cfa7c066fbb60303fd5287c38eb59ffa2a298ae
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Fri Feb 1 08:41:32 2019 +0200

    certmonger: Don't restart haproxy on cert renewal

    This is not needed for the external cert. Reloading is enough.

    Change-Id: I3b9f0650cfa1024ef0d03741cd41b64ac0c258c3
    Related-Bug: #1811401

Reviewed: https://review.openstack.org/633245
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=e6306badac719a7d89411df37f688cffd2fdb106
Submitter: Zuul
Branch: master

commit e6306badac719a7d89411df37f688cffd2fdb106
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 18:16:01 2019 +0100

    novnc-proxy: Remove default post-save command for certmonger

    The default command didn't work, so we need to fix that.

    Related-Bug: #1811401
    Needed-By: Idc0844c8726aa53bc4cbd55f902248f854d2464f
    Change-Id: Ifacbee9e31d84be1008ab7545defac71cf65793f

Reviewed: https://review.openstack.org/634443
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=7cc4a3da6f6f458918a6b8ca4b6bce25197e2974
Submitter: Zuul
Branch: master

commit 7cc4a3da6f6f458918a6b8ca4b6bce25197e2974
Author: Grzegorz Grasza <email address hidden>
Date: Fri Feb 1 17:00:01 2019 +0100

    neutron dhcpd: Add script for certmonger postsave_cmd

    The default update procedure didn't work, so we are fixing that.

    Related-Bug: #1811401
    Needed-By: I449df13ea2c49a8cf6d2e8e632b2b39707071c52
    Change-Id: I9954cf33efedf2ec3dfb03109595cd4431feff60

Reviewed: https://review.openstack.org/633246
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=a76a0a1270499efd457c9f6421d90374a92de150
Submitter: Zuul
Branch: master

commit a76a0a1270499efd457c9f6421d90374a92de150
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 18:14:43 2019 +0100

    TLS everywhere: Set post-save command for nova-vnc-proxy

    The default command wasn't working, here we set one that will actually work.

    The script additionally copies the certificates in the right place.

    Related-Bug: #1811401
    Depends-On: Ifacbee9e31d84be1008ab7545defac71cf65793f
    Change-Id: Idc0844c8726aa53bc4cbd55f902248f854d2464f

Reviewed: https://review.openstack.org/634444
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=ce1e7eafe6e02f985ed2a72023637453aaa13c10
Submitter: Zuul
Branch: master

commit ce1e7eafe6e02f985ed2a72023637453aaa13c10
Author: Grzegorz Grasza <email address hidden>
Date: Fri Feb 1 17:05:36 2019 +0100

    TLS everywhere: Set post-save command for neutron dhcpd

    The default procedure wasn't working, here we set one that will actually work.

    The script additionally copies the certificates in the right place.

    Related-Bug: #1811401
    Depends-On: I9954cf33efedf2ec3dfb03109595cd4431feff60
    Change-Id: I449df13ea2c49a8cf6d2e8e632b2b39707071c52

Reviewed: https://review.openstack.org/633531
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=fff1df6ee07a49090e7269d3d2bc1f998d846044
Submitter: Zuul
Branch: master

commit fff1df6ee07a49090e7269d3d2bc1f998d846044
Author: Grzegorz Grasza <email address hidden>
Date: Mon Jan 28 16:31:26 2019 +0100

    TLS everywhere: Mount the whole /etc/pki/libvirt/ directory in libvirt

    We need to mount the whole directory inside the libvirt container,
    so that when new certificates are generated, they could be accessed from
    within the container.

    Related-Bug: #1811401
    Co-Authored-By: Juan Antonio Osorio Robles <email address hidden>
    Change-Id: I3f1e7511d56f9a974409a9a1e3ed66ba8fa72e36

Related fix proposed to branch: stable/rocky
Review: https://review.openstack.org/636874

Related fix proposed to branch: stable/rocky
Review: https://review.openstack.org/636875

Related fix proposed to branch: stable/rocky
Review: https://review.openstack.org/636876

Related fix proposed to branch: stable/rocky
Review: https://review.openstack.org/636877

Related fix proposed to branch: stable/rocky
Review: https://review.openstack.org/636878

Related fix proposed to branch: stable/rocky
Review: https://review.openstack.org/636879

Related fix proposed to branch: stable/rocky
Review: https://review.openstack.org/636882

Related fix proposed to branch: stable/rocky
Review: https://review.openstack.org/636883

Related fix proposed to branch: stable/rocky
Review: https://review.openstack.org/636884

Related fix proposed to branch: stable/rocky
Review: https://review.openstack.org/636885

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/636901

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/636902

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/636903

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/636904

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/636908

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/636909

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/636910

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/636911

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/636912

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/636913

Reviewed: https://review.openstack.org/636900
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=21b6a8bc3d4455cee38dbd2f0ff87897cd733139
Submitter: Zuul
Branch: stable/queens

commit 21b6a8bc3d4455cee38dbd2f0ff87897cd733139
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Fri Jan 25 11:13:24 2019 +0200

    httpd: Remove default post-save command for certmonger

    The default command didn't work, so we need to fix that.

    Related-Bug: #1811401
    Needed-By: I862f0d15f769167c8b5d27cf302b7087b8fad0ab
    Change-Id: I642f48aa0e66ca57de2ecee921c798747ba41e1a
    (cherry picked from commit f1f4a6ccb88e3fc3c2509e0f5c6ba1ae61efe617)

tags: added: in-stable-queens

Reviewed: https://review.openstack.org/636901
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=7c315b86575f379ea7948c8527eced5f67dadab4
Submitter: Zuul
Branch: stable/queens

commit 7c315b86575f379ea7948c8527eced5f67dadab4
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 14:54:00 2019 +0100

    rabbitmq: Remove default post-save command for certmonger

    The default command didn't work, so we need to fix that.

    The script additionally copies the certificates in the right place
    and instead of restarting RabbitMQ, it triggers a pem cache reload.

    Related-Bug: #1811401
    Needed-By: I3e564f9a5abdbf11d0580c4ff801092f32bcc678
    Change-Id: Id06633a1adaafe1fef1d3d7f6b2af3ef5ffc9d4a
    (cherry picked from commit 801391a13eec513f7e0f5dba09b1214e4db8abf4)

Reviewed: https://review.openstack.org/636881
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=f7c71486cf601a7f9cc1a3b06968165236c7fc0e
Submitter: Zuul
Branch: stable/rocky

commit f7c71486cf601a7f9cc1a3b06968165236c7fc0e
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Fri Jan 25 11:13:24 2019 +0200

    httpd: Remove default post-save command for certmonger

    The default command didn't work, so we need to fix that.

    Related-Bug: #1811401
    Needed-By: I862f0d15f769167c8b5d27cf302b7087b8fad0ab
    Change-Id: I642f48aa0e66ca57de2ecee921c798747ba41e1a
    (cherry picked from commit f1f4a6ccb88e3fc3c2509e0f5c6ba1ae61efe617)

tags: added: in-stable-rocky

Reviewed: https://review.openstack.org/636882
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=219c0f483c5924ff82ec6491e56e4ec7dcaaf1fb
Submitter: Zuul
Branch: stable/rocky

commit 219c0f483c5924ff82ec6491e56e4ec7dcaaf1fb
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 14:54:00 2019 +0100

    rabbitmq: Remove default post-save command for certmonger

    The default command didn't work, so we need to fix that.

    The script additionally copies the certificates in the right place
    and instead of restarting RabbitMQ, it triggers a pem cache reload.

    Related-Bug: #1811401
    Needed-By: I3e564f9a5abdbf11d0580c4ff801092f32bcc678
    Change-Id: Id06633a1adaafe1fef1d3d7f6b2af3ef5ffc9d4a
    (cherry picked from commit 801391a13eec513f7e0f5dba09b1214e4db8abf4)

Reviewed: https://review.openstack.org/636883
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=763467d7ac5f47e8a0e68586621bdc18dc171453
Submitter: Zuul
Branch: stable/rocky

commit 763467d7ac5f47e8a0e68586621bdc18dc171453
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 17:26:31 2019 +0100

    redis: Remove default post-save command for certmonger

    The default command didn't work, so we need to fix that.

    The script additionally copies the certificates in the right place
    and instead of restarting stunnel, triggers a configuration reload.

    Related-Bug: #1811401
    Needed-By: I49811a6cab5416d965ce1da93a71728ad5b1d27c
    Change-Id: I437d69fef45d1662e8908c5ca0f7063be6cb9b32
    (cherry picked from commit 4deea3a46babe9faabaec5b90e7425b4fe93915c)

Reviewed: https://review.openstack.org/636884
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=381a1e0a2b5fb3e4d2ba70e9d8542858a8d6bf30
Submitter: Zuul
Branch: stable/rocky

commit 381a1e0a2b5fb3e4d2ba70e9d8542858a8d6bf30
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 18:16:01 2019 +0100

    novnc-proxy: Remove default post-save command for certmonger

    The default command didn't work, so we need to fix that.

    Related-Bug: #1811401
    Needed-By: Idc0844c8726aa53bc4cbd55f902248f854d2464f
    Change-Id: Ifacbee9e31d84be1008ab7545defac71cf65793f
    (cherry picked from commit e6306badac719a7d89411df37f688cffd2fdb106)

Reviewed: https://review.openstack.org/636885
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=f6ff6ca960f5e0faa5379f492298bad315baf8c1
Submitter: Zuul
Branch: stable/rocky

commit f6ff6ca960f5e0faa5379f492298bad315baf8c1
Author: Grzegorz Grasza <email address hidden>
Date: Fri Feb 1 17:00:01 2019 +0100

    neutron dhcpd: Add script for certmonger postsave_cmd

    The default update procedure didn't work, so we are fixing that.

    Related-Bug: #1811401
    Needed-By: I449df13ea2c49a8cf6d2e8e632b2b39707071c52
    Change-Id: I9954cf33efedf2ec3dfb03109595cd4431feff60
    (cherry picked from commit 7cc4a3da6f6f458918a6b8ca4b6bce25197e2974)

Reviewed: https://review.openstack.org/636902
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=b225459fd93364787f188fd97e70ed96acce689d
Submitter: Zuul
Branch: stable/queens

commit b225459fd93364787f188fd97e70ed96acce689d
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 17:26:31 2019 +0100

    redis: Remove default post-save command for certmonger

    The default command didn't work, so we need to fix that.

    The script additionally copies the certificates in the right place
    and instead of restarting stunnel, triggers a configuration reload.

    Related-Bug: #1811401
    Needed-By: I49811a6cab5416d965ce1da93a71728ad5b1d27c
    Change-Id: I437d69fef45d1662e8908c5ca0f7063be6cb9b32
    (cherry picked from commit 4deea3a46babe9faabaec5b90e7425b4fe93915c)

Reviewed: https://review.openstack.org/636903
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=7b3095d64c4f9526ca167def76d1a87cfcc6eae4
Submitter: Zuul
Branch: stable/queens

commit 7b3095d64c4f9526ca167def76d1a87cfcc6eae4
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 18:16:01 2019 +0100

    novnc-proxy: Remove default post-save command for certmonger

    The default command didn't work, so we need to fix that.

    Related-Bug: #1811401
    Needed-By: Idc0844c8726aa53bc4cbd55f902248f854d2464f
    Change-Id: Ifacbee9e31d84be1008ab7545defac71cf65793f
    (cherry picked from commit e6306badac719a7d89411df37f688cffd2fdb106)

Reviewed: https://review.openstack.org/636904
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=67079ac516dd91b5153d49c79464fee487f5b0af
Submitter: Zuul
Branch: stable/queens

commit 67079ac516dd91b5153d49c79464fee487f5b0af
Author: Grzegorz Grasza <email address hidden>
Date: Fri Feb 1 17:00:01 2019 +0100

    neutron dhcpd: Add script for certmonger postsave_cmd

    The default update procedure didn't work, so we are fixing that.

    Related-Bug: #1811401
    Needed-By: I449df13ea2c49a8cf6d2e8e632b2b39707071c52
    Change-Id: I9954cf33efedf2ec3dfb03109595cd4431feff60
    (cherry picked from commit 7cc4a3da6f6f458918a6b8ca4b6bce25197e2974)

Reviewed: https://review.openstack.org/636907
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=c9dbc7d6bda8a35891286dd8a1c43f214c4126c7
Submitter: Zuul
Branch: stable/queens

commit c9dbc7d6bda8a35891286dd8a1c43f214c4126c7
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Dec 6 18:47:18 2018 -0500

    Reload haproxy when certificate is renewed

    This adds an explicit post-save command that was introduced in the
    patch this depends on.

    Preferably this patch should merge at the same time as the one this
    depends on.

    Related-Bug: #1811401
    Co-Authored-By: Grzegorz Grasza <email address hidden>
    Depends-On: I5d91f8d9b5cd4f86ae0511a69e58858c5dccd35d
    Change-Id: Id409899bf04e7f9f2653e6c48cfebd0a92ca2d08
    (cherry picked from commit 648dfa2bdc0b4f4c076404b3f665d78329780632)

Reviewed: https://review.openstack.org/636908
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=7620f63f8ad073559181b33bc5833116d6bd72e4
Submitter: Zuul
Branch: stable/queens

commit 7620f63f8ad073559181b33bc5833116d6bd72e4
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Fri Jan 25 11:18:15 2019 +0200

    TLS everywhere: Set post-save command for httpd

    The default command wasn't working, so here we set one that will
    actually work.

    httpd is a fairly simple instance, since the certs are mounted from the
    directory (and not the individual certs). So there is no need to copy
    anything to the container or do any post-processing. All we need to do
    is tell httpd to load the new certs.

    Related-Bug: #1811401
    Depends-On: I642f48aa0e66ca57de2ecee921c798747ba41e1a
    Change-Id: I862f0d15f769167c8b5d27cf302b7087b8fad0ab
    (cherry picked from commit 514f99c575151489bdfef0cde01a0ebd57e5e131)

Reviewed: https://review.openstack.org/636909
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=853b228357276761dd2d9939e5ca18301f7d1119
Submitter: Zuul
Branch: stable/queens

commit 853b228357276761dd2d9939e5ca18301f7d1119
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 15:32:58 2019 +0100

    TLS everywhere: Set post-save command for RabbitMQ

    The default command wasn't working, here we set one that will actually work.

    The script additionally copies the certificates in the right place
    and instead of restarting RabbitMQ, it triggers a pem cache reload.

    Related-Bug: #1811401
    Co-Authored-By: Juan Antonio Osorio Robles <email address hidden>
    Depends-On: Id06633a1adaafe1fef1d3d7f6b2af3ef5ffc9d4a
    Change-Id: I3e564f9a5abdbf11d0580c4ff801092f32bcc678
    (cherry picked from commit 03c54b80676bdd3c2092823e620253259e77c796)

Reviewed: https://review.openstack.org/636910
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=018b6711a71eb51c66dfaf0ba2bd8d122609bb03
Submitter: Zuul
Branch: stable/queens

commit 018b6711a71eb51c66dfaf0ba2bd8d122609bb03
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 17:25:00 2019 +0100

    TLS everywhere: Set post-save command for redis

    The default command wasn't working, here we set one that will actually work.

    The script additionally copies the certificates in the right place
    and instead of restarting stunnel, triggers a configuration reload.

    Related-Bug: #1811401
    Co-Authored-By: Juan Antonio Osorio Robles <email address hidden>
    Depends-On: I437d69fef45d1662e8908c5ca0f7063be6cb9b32
    Change-Id: I49811a6cab5416d965ce1da93a71728ad5b1d27c
    (cherry picked from commit f7fb7675411262b47c9c69c580d18aa743ceb7e9)

Reviewed: https://review.openstack.org/636911
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=f0e5aa5e006b88c2114fe4ccba45e93f59e508dd
Submitter: Zuul
Branch: stable/queens

commit f0e5aa5e006b88c2114fe4ccba45e93f59e508dd
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 18:14:43 2019 +0100

    TLS everywhere: Set post-save command for nova-vnc-proxy

    The default command wasn't working, here we set one that will actually work.

    The script additionally copies the certificates in the right place.

    Related-Bug: #1811401
    Depends-On: Ifacbee9e31d84be1008ab7545defac71cf65793f
    Change-Id: Idc0844c8726aa53bc4cbd55f902248f854d2464f
    (cherry picked from commit a76a0a1270499efd457c9f6421d90374a92de150)

Reviewed: https://review.openstack.org/636912
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=ea5fe24f2c9511e312ea4c713df7d4ac412cda01
Submitter: Zuul
Branch: stable/queens

commit ea5fe24f2c9511e312ea4c713df7d4ac412cda01
Author: Grzegorz Grasza <email address hidden>
Date: Fri Feb 1 17:05:36 2019 +0100

    TLS everywhere: Set post-save command for neutron dhcpd

    The default procedure wasn't working, here we set one that will actually work.

    The script additionally copies the certificates in the right place.

    Related-Bug: #1811401
    Depends-On: I9954cf33efedf2ec3dfb03109595cd4431feff60
    Change-Id: I449df13ea2c49a8cf6d2e8e632b2b39707071c52
    (cherry picked from commit ce1e7eafe6e02f985ed2a72023637453aaa13c10)

Reviewed: https://review.openstack.org/636913
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=8d4e0a737ad0035ec8b04b27ea08641fb7ad403d
Submitter: Zuul
Branch: stable/queens

commit 8d4e0a737ad0035ec8b04b27ea08641fb7ad403d
Author: Grzegorz Grasza <email address hidden>
Date: Mon Jan 28 16:31:26 2019 +0100

    TLS everywhere: Mount the whole /etc/pki/libvirt/ directory in libvirt

    We need to mount the whole directory inside the libvirt container,
    so that when new certificates are generated, they could be accessed from
    within the container.

    Related-Bug: #1811401
    Co-Authored-By: Juan Antonio Osorio Robles <email address hidden>
    Change-Id: I3f1e7511d56f9a974409a9a1e3ed66ba8fa72e36
    (cherry picked from commit fff1df6ee07a49090e7269d3d2bc1f998d846044)

Reviewed: https://review.openstack.org/636873
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=64e564aaf190e0f4597357e50dc7fcc28c601508
Submitter: Zuul
Branch: stable/rocky

commit 64e564aaf190e0f4597357e50dc7fcc28c601508
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Dec 6 18:47:18 2018 -0500

    Reload haproxy when certificate is renewed

    This adds an explicit post-save command that was introduced in the
    patch this depends on.

    Preferably this patch should merge at the same time as the one this
    depends on.

    Related-Bug: #1811401
    Co-Authored-By: Grzegorz Grasza <email address hidden>
    Depends-On: I5d91f8d9b5cd4f86ae0511a69e58858c5dccd35d
    Change-Id: Id409899bf04e7f9f2653e6c48cfebd0a92ca2d08
    (cherry picked from commit 648dfa2bdc0b4f4c076404b3f665d78329780632)

Reviewed: https://review.openstack.org/636874
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=6be616a38c5e6e32882d667017cdeedb0d306683
Submitter: Zuul
Branch: stable/rocky

commit 6be616a38c5e6e32882d667017cdeedb0d306683
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Fri Jan 25 11:18:15 2019 +0200

    TLS everywhere: Set post-save command for httpd

    The default command wasn't working, so here we set one that will
    actually work.

    httpd is a fairly simple instance, since the certs are mounted from the
    directory (and not the individual certs). So there is no need to copy
    anything to the container or do any post-processing. All we need to do
    is tell httpd to load the new certs.

    Related-Bug: #1811401
    Depends-On: I642f48aa0e66ca57de2ecee921c798747ba41e1a
    Change-Id: I862f0d15f769167c8b5d27cf302b7087b8fad0ab
    (cherry picked from commit 514f99c575151489bdfef0cde01a0ebd57e5e131)

Reviewed: https://review.openstack.org/636875
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=a1430fbf601551620ee6cab1e449c7b7e866942a
Submitter: Zuul
Branch: stable/rocky

commit a1430fbf601551620ee6cab1e449c7b7e866942a
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 15:32:58 2019 +0100

    TLS everywhere: Set post-save command for RabbitMQ

    The default command wasn't working, here we set one that will actually work.

    The script additionally copies the certificates in the right place
    and instead of restarting RabbitMQ, it triggers a pem cache reload.

    Related-Bug: #1811401
    Co-Authored-By: Juan Antonio Osorio Robles <email address hidden>
    Depends-On: Id06633a1adaafe1fef1d3d7f6b2af3ef5ffc9d4a
    Change-Id: I3e564f9a5abdbf11d0580c4ff801092f32bcc678
    (cherry picked from commit 03c54b80676bdd3c2092823e620253259e77c796)

Reviewed: https://review.openstack.org/636876
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=8d06db25a180c27b69869a8ece8e445ffb43d989
Submitter: Zuul
Branch: stable/rocky

commit 8d06db25a180c27b69869a8ece8e445ffb43d989
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 17:25:00 2019 +0100

    TLS everywhere: Set post-save command for redis

    The default command wasn't working, here we set one that will actually work.

    The script additionally copies the certificates in the right place
    and instead of restarting stunnel, triggers a configuration reload.

    Related-Bug: #1811401
    Co-Authored-By: Juan Antonio Osorio Robles <email address hidden>
    Depends-On: I437d69fef45d1662e8908c5ca0f7063be6cb9b32
    Change-Id: I49811a6cab5416d965ce1da93a71728ad5b1d27c
    (cherry picked from commit f7fb7675411262b47c9c69c580d18aa743ceb7e9)

Reviewed: https://review.openstack.org/636877
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=5a2e205c11ccb1d944d9f365a6c1abb053864f28
Submitter: Zuul
Branch: stable/rocky

commit 5a2e205c11ccb1d944d9f365a6c1abb053864f28
Author: Grzegorz Grasza <email address hidden>
Date: Fri Jan 25 18:14:43 2019 +0100

    TLS everywhere: Set post-save command for nova-vnc-proxy

    The default command wasn't working, here we set one that will actually work.

    The script additionally copies the certificates in the right place.

    Related-Bug: #1811401
    Depends-On: Ifacbee9e31d84be1008ab7545defac71cf65793f
    Change-Id: Idc0844c8726aa53bc4cbd55f902248f854d2464f
    (cherry picked from commit a76a0a1270499efd457c9f6421d90374a92de150)

Reviewed: https://review.openstack.org/636878
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=d07af320a4d66586b93f623ec5e6bcb64c889b09
Submitter: Zuul
Branch: stable/rocky

commit d07af320a4d66586b93f623ec5e6bcb64c889b09
Author: Grzegorz Grasza <email address hidden>
Date: Fri Feb 1 17:05:36 2019 +0100

    TLS everywhere: Set post-save command for neutron dhcpd

    The default procedure wasn't working, here we set one that will actually work.

    The script additionally copies the certificates in the right place.

    Related-Bug: #1811401
    Depends-On: I9954cf33efedf2ec3dfb03109595cd4431feff60
    Change-Id: I449df13ea2c49a8cf6d2e8e632b2b39707071c52
    (cherry picked from commit ce1e7eafe6e02f985ed2a72023637453aaa13c10)

Reviewed: https://review.openstack.org/636879
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=3bd4a2a8bf84aab65059f21b1d4e7395a0d0ccb4
Submitter: Zuul
Branch: stable/rocky

commit 3bd4a2a8bf84aab65059f21b1d4e7395a0d0ccb4
Author: Grzegorz Grasza <email address hidden>
Date: Mon Jan 28 16:31:26 2019 +0100

    TLS everywhere: Mount the whole /etc/pki/libvirt/ directory in libvirt

    We need to mount the whole directory inside the libvirt container,
    so that when new certificates are generated, they could be accessed from
    within the container.

    Related-Bug: #1811401
    Co-Authored-By: Juan Antonio Osorio Robles <email address hidden>
    Change-Id: I3f1e7511d56f9a974409a9a1e3ed66ba8fa72e36
    (cherry picked from commit fff1df6ee07a49090e7269d3d2bc1f998d846044)

Reviewed: https://review.openstack.org/638607
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=f10d3c3d547153f3a6d6f469ff3c896a77729044
Submitter: Zuul
Branch: stable/queens

commit f10d3c3d547153f3a6d6f469ff3c896a77729044
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Fri Feb 1 08:41:32 2019 +0200

    certmonger: Don't restart haproxy on cert renewal

    This is not needed for the external cert. Reloading is enough.

    Change-Id: I3b9f0650cfa1024ef0d03741cd41b64ac0c258c3
    Related-Bug: #1811401
    (cherry picked from commit 4cfa7c066fbb60303fd5287c38eb59ffa2a298ae)

Reviewed: https://review.openstack.org/638604
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=82a648fcccef72f00b1ff273bac27904dcd4c2df
Submitter: Zuul
Branch: stable/rocky

commit 82a648fcccef72f00b1ff273bac27904dcd4c2df
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Fri Feb 1 08:41:32 2019 +0200

    certmonger: Don't restart haproxy on cert renewal

    This is not needed for the external cert. Reloading is enough.

    Change-Id: I3b9f0650cfa1024ef0d03741cd41b64ac0c258c3
    Related-Bug: #1811401
    (cherry picked from commit 4cfa7c066fbb60303fd5287c38eb59ffa2a298ae)

Changed in tripleo:
status: In Progress → Fix Released