Recommend using SAN instead of SSL CommonName
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| tripleo | Fix Released | Undecided | Brendan Shephard | |
Bug Description
Description:
Currently, our documentation suggests that operators create SSL certificates using just the CommonName to identify the intended host:
https:/
Problem:
Usage of the CommonName field alone has been considered deprecated and not best practice for some time now. Rather, the use of SANs should be implemented to identify the intended server. For example, using a SAN to designate the host overcloud.
https:/
So multiple services fail and the installer complains during the installation. The errors look like so:
```
❯ oc logs image-registry-
time="2020-
time="2020-
panic: Swift authentication failed: Post "https:/
```
This is fairly simple to solve: you just need to create an SSL cert using SANs and apply it to HAProxy. So, I propose we change our recommendation in the documentation to suggest the use of SANs to comply with best practice.
The CA cert generation can stay the same, but I propose we change the leaf certificate part to the following process:
Create server.csr.cnf:
```
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C=AU
ST=Queensland
L=Brisbane
O=bne-home
OU=admin
<email address hidden>
CN=openstack.
```
Create v3.ext:
```
authorityKeyIde
basicConstraint
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1=openstack
```
Create key:
```
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config <( cat server.csr.cnf )
```
Create Cert:
```
openssl x509 -req -in server.csr -CA overcloud-
```
But before I send a git review, I wanted to get some feedback and thoughts on the proposal.
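As an added example (not part of the report or of the tripleo-docs change), the same procedure as one script that also checks the result: it issues a leaf certificate whose SAN, not its CN, names the host, then runs `openssl verify -verify_hostname` to show that only the SAN is consulted. Hostnames, subjects and paths are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not from the bug report: build a test CA and a SAN-bearing leaf
# certificate, then verify the chain for a hostname. All names below are placeholders.
set -e

make_san_cert() {
  host="$1"; dir="$2"
  mkdir -p "$dir"
  # Self-signed CA; the report keeps its CA step unchanged, this is only a stand-in.
  openssl req -x509 -new -nodes -sha256 -days 365 -newkey rsa:2048 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=example-test-ca"
  # Leaf key and CSR. The CN is deliberately NOT the host so only the SAN can match.
  openssl req -new -nodes -sha256 -newkey rsa:2048 \
    -keyout "$dir/server.key" -out "$dir/server.csr" -subj "/CN=cn-is-ignored"
  # v3 extension file carrying the SAN, in the same form as the report's v3.ext.
  cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1=$host
EOF
  # Sign the CSR with the CA and attach the extensions (same shape as the report's step).
  openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/v3.ext" -out "$dir/server.crt"
}

# Exit 0 only if the leaf chains to the CA AND its SAN covers the given hostname.
# With a dNSName SAN present, OpenSSL ignores the CN, so the CN alone never matches.
check_hostname() {
  openssl verify -CAfile "$2/ca.crt" -verify_hostname "$1" "$2/server.crt" >/dev/null
}

# Usage: the SAN hostname verifies; the certificate's own CN does not.
d=$(mktemp -d)
make_san_cert overcloud.example.com "$d"
check_hostname overcloud.example.com "$d" && echo "SAN match for overcloud.example.com: ok"
check_hostname cn-is-ignored "$d" || echo "CN-only match rejected, as expected"
```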
Changed in tripleo:
assignee: nobody → Brendan Shephard (bshephar)
Changed in tripleo:
status: New → Fix Released
Proposed change: https://review.opendev.org/c/openstack/tripleo-docs/+/771901