overcloud haproxy lacks client certificate

Bug #1989667 reported by Cristian Le
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| tripleo | In Progress | Undecided | Unassigned | |

Bug Description

This affects the connection to horizon backend since the configuration with tls-e requires client certificate verification, i.e.:
```
  SSLVerifyClient none
```
However, the haproxy configuration does not seem to be using client certificates:
```
backend horizon_be
  mode http
  cookie SERVERID insert indirect nocache
  option httpchk
  server controller-0.internalapi.openstack.lab 192.168.2.81:443 ca-file /etc/pki/CA/certs/ca2.crt check cookie controller-0.internalapi.openstack.lab fall 5 inter 2000 rise 2 ssl verify required verifyhost controller-0.internalapi.openstack.lab
```
Notice the lack of `crt /path/to/client/certificate` according to [1].

But is client certificate authentication really necessary for this configuration?

[1] https://www.haproxy.com/documentation/hapee/latest/security/authentication/client-certificate-authentication/
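
A way to check this across a whole configuration, as an added example that is not part of the bug report or of TripleO: the script lists every TLS-enabled haproxy `server` line and reports those that carry no `crt` when the Apache backend's `SSLVerifyClient` level is `require`. The second server line, its certificate path and the function names are constructed for illustration.

```python
# Constructed sample: the backend from the report, plus a hypothetical
# second server (controller-1.example, client.pem path) that sets `crt`.
SAMPLE_CFG = """\
backend horizon_be
  mode http
  server controller-0.internalapi.openstack.lab 192.168.2.81:443 ca-file /etc/pki/CA/certs/ca2.crt check cookie controller-0.internalapi.openstack.lab fall 5 inter 2000 rise 2 ssl verify required verifyhost controller-0.internalapi.openstack.lab
  server controller-1.example 192.0.2.10:443 ssl verify required ca-file /etc/pki/CA/certs/ca2.crt crt /etc/pki/tls/private/client.pem
"""

# Server-line keywords that take a value (subset; extend for other options).
VALUED = {"ca-file", "crt", "verify", "verifyhost", "cookie",
          "fall", "inter", "rise", "weight", "sni"}


def audit_servers(cfg_text):
    """Return one record per TLS-enabled `server` line."""
    records, section = [], None
    for raw in cfg_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not tokens:
            continue
        if tokens[0] in ("backend", "listen", "frontend", "defaults", "global"):
            section = tokens[1] if len(tokens) > 1 else tokens[0]
        elif tokens[0] == "server" and len(tokens) >= 3:
            opts, flags, i = {}, set(), 3
            while i < len(tokens):
                if tokens[i] in VALUED and i + 1 < len(tokens):
                    opts[tokens[i]] = tokens[i + 1]
                    i += 2
                else:
                    flags.add(tokens[i])
                    i += 1
            if "ssl" in flags:
                records.append({"backend": section, "server": tokens[1],
                                "verify": opts.get("verify"),
                                "client_cert": opts.get("crt")})
    return records


def mtls_gaps(cfg_text, ssl_verify_client):
    """Servers with no `crt` although the Apache backend requires one.

    ssl_verify_client is the backend's SSLVerifyClient level; only
    `require` makes Apache refuse a client that presents no certificate.
    """
    if ssl_verify_client.lower() != "require":
        return []
    return [r["server"] for r in audit_servers(cfg_text) if not r["client_cert"]]


if __name__ == "__main__":
    for level in ("none", "require"):
        print(level, mtls_gaps(SAMPLE_CFG, level))
```

Options inherited from a `default-server` line are not merged into each record, so a `crt` set there has to be checked separately.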

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)
Changed in tripleo:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (master)

Change abandoned by "Ghanshyam <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/860910
Reason: TripleO project is retiring now, for details, please see https://review.opendev.org/c/openstack/governance/+/905145 or reach out to OpenStack TC.
