yahoo-eng-team team mailing list archive
Message #42791
[Bug 1522932] [NEW] SSL cert and key options do not work with multiple VIPs
Public bug reported:
We tried enabling the SSL cert and SSL key options in all the OpenStack charms.
However, when using multiple networks and multiple VIPs, the SSL options generate a certificate per IP address from the management network.
So, you end up with the following files:

    $ find /etc/apache2/ssl/
    /etc/apache2/ssl/
    /etc/apache2/ssl/keystone
    /etc/apache2/ssl/keystone/cert_10.5.0.114
    /etc/apache2/ssl/keystone/key_10.5.0.205
    /etc/apache2/ssl/keystone/key_10.5.0.114
    /etc/apache2/ssl/keystone/cert_10.5.0.205

Where 10.5.0.0/24 is the management network and 10.5.0.114 is the DHCP IP and 10.5.0.205 is the VIP on the same network.
But there is also a public IP on 31.28.88.0/24 and a Public VIP on 31.28.88.12 which have no SSL cert created, but the configuration includes it, so apache2 refuses to restart with the error:

    AH00526: Syntax error on line 14 of /etc/apache2/sites-enabled/openstack_https_frontend.conf:
    SSLCertificateFile: file '/etc/apache2/ssl/keystone/cert_31.28.88.12' does not exist or is empty
    Action 'configtest' failed.

Line 14 is:

    SSLCertificateFile /etc/apache2/ssl/keystone/cert_31.28.88.12

Therefore enabling SSL on any of the OpenStack charms with multiple NICs with a VIP for HA is currently broken.
** Affects: keystone (Juju Charms Collection)
Importance: Undecided
Status: New
** Also affects: horizon
Importance: Undecided
Status: New
** Also affects: cinder
Importance: Undecided
Status: New
** No longer affects: cinder
** Also affects: nova
Importance: Undecided
Status: New
** Also affects: cinder
Importance: Undecided
Status: New
** No longer affects: horizon
** No longer affects: cinder
** No longer affects: nova
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1522932
Title:
SSL cert and key options do not work with multiple VIPs
Status in keystone package in Juju Charms Collection:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/charms/+source/keystone/+bug/1522932/+subscriptions
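
An added example, not part of the original bug report or the charm's code: a pre-restart check that lists every SSLCertificateFile and SSLCertificateKeyFile a vhost configuration references but that is missing or empty on disk, the condition Apache reports as AH00526 above. The vhost fragment and the `missing_ssl_files` and `demo` names are constructed for illustration; only the IP addresses and file paths come from the report.

```python
import os
import re
import tempfile

# Matches the two mod_ssl directives involved in the reported failure.
DIRECTIVE = re.compile(
    r'^\s*(SSLCertificateFile|SSLCertificateKeyFile)\s+"?([^"\s]+)"?\s*$',
    re.IGNORECASE)

def missing_ssl_files(conf_text, root="/"):
    """Return (line_no, directive, path) for each referenced file that is
    missing or empty, which is the condition Apache reports as AH00526."""
    problems = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives are not loaded by Apache
        m = DIRECTIVE.match(line)
        if not m:
            continue
        directive, path = m.group(1), m.group(2)
        on_disk = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(on_disk) or os.path.getsize(on_disk) == 0:
            problems.append((line_no, directive, path))
    return problems

def demo():
    """Rebuild the layout from the report in a temp dir and run the check."""
    # Constructed vhost fragment; the real openstack_https_frontend.conf differs.
    conf = "\n".join(
        "<VirtualHost {ip}:443>\n"
        "  SSLEngine on\n"
        "  SSLCertificateFile /etc/apache2/ssl/keystone/cert_{ip}\n"
        "  SSLCertificateKeyFile /etc/apache2/ssl/keystone/key_{ip}\n"
        "</VirtualHost>".format(ip=ip)
        for ip in ("10.5.0.114", "10.5.0.205", "31.28.88.12"))
    with tempfile.TemporaryDirectory() as root:
        ssl_dir = os.path.join(root, "etc/apache2/ssl/keystone")
        os.makedirs(ssl_dir)
        # Only the management-network addresses got files, as in the report.
        for ip in ("10.5.0.114", "10.5.0.205"):
            for kind in ("cert", "key"):
                with open(os.path.join(ssl_dir, f"{kind}_{ip}"), "w") as fh:
                    fh.write("placeholder PEM\n")
        return missing_ssl_files(conf, root)

if __name__ == "__main__":
    for line_no, directive, path in demo():
        print(f"line {line_no}: {directive} {path} missing or empty")
```

Running such a check against the rendered configuration before restarting the service surfaces every address that lacks a certificate or key at once, rather than only the first one `configtest` stops on.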