os-*-hostname + https-service-endpoints are not compatible (mismatch between apache config and cert/key filenames)

Bug #1703451 reported by Ben
Affects: OpenStack Keystone Charm
Status: Won't Fix
Importance: High
Assigned to: Unassigned

Bug Description

I see other SSL bugs but none are exactly what I am experiencing. I am using Juju 2.2.1 and keystone 267.

When you enable SSL (https-service-endpoints=true) keystone will configure itself correctly and switch the endpoint type to https. When you deploy another service like glance the certificates will be copied to the new service, but the files in /etc/apache2/ssl/glance will have the names cert_glanceadmin.domain.com and key_glanceadmin.domain.com. If you look in the apache config /etc/apache2/sites-available/openstack_https_frontend.conf the bindings are listed as the IP per interface instead of the correct name of the file. All services are named and do not use IP addresses.

clip from openstack_https_frontend.conf
    SSLCertificateFile /etc/apache2/ssl/glance/cert_10.1.2.178
    SSLCertificateChainFile /etc/apache2/ssl/glance/cert_10.1.2.178
    SSLCertificateKeyFile /etc/apache2/ssl/glance/key_10.1.2.178
    SSLCertificateFile /etc/apache2/ssl/glance/cert_10.11.0.28
    SSLCertificateChainFile /etc/apache2/ssl/glance/cert_10.11.0.28
    SSLCertificateKeyFile /etc/apache2/ssl/glance/key_10.11.0.28

files in the ssl directory

root@juju-b9757f-0-lxd-11:/etc/apache2/ssl/glance# ll
total 32
dr-xr-xr-x 2 root root 4096 Jul 10 19:21 ./
dr-xr-xr-x 3 root root 4096 Jul 10 19:20 ../
-r--r--r-- 1 root root 1147 Jul 10 20:00 cert_glanceadmin.domain.com
-r--r--r-- 1 root root 1139 Jul 10 20:00 cert_glancepublic.domain.com
-r--r--r-- 1 root root 1151 Jul 10 20:00 cert_glanceinternal.domain.com
-r--r--r-- 1 root root 1708 Jul 10 20:00 key_glanceadmin.domain.com
-r--r--r-- 1 root root 1704 Jul 10 20:00 key_glancepublic.domain.com
-r--r--r-- 1 root root 1704 Jul 10 20:00 key_glanceinternal.domain.com

I can manually alter the name of the file or the apache config and it will work, but it does not survive a reboot. Maybe I am doing something wrong or this is a duplicate bug, but I would like to help track it down; just let me know what I can do. I only use glance as an example. It impacts all other services as well, like NCC, Cinder, etc.
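A small consistency check for the mismatch described above, added here as an example and not part of the bug report or the charm code. It parses the SSLCertificate* directives out of an openstack_https_frontend.conf clip and compares them with the file names in the ssl directory; the sample config and listing are constructed from the report, the directory is a temporary one with dummy contents, and file names are compared by basename only.

```python
import os
import re
import tempfile

# Constructed sample: the directive clip and the file names from the
# reporter's listing of /etc/apache2/ssl/glance (file contents are dummies).
APACHE_CONF = """\
    SSLCertificateFile /etc/apache2/ssl/glance/cert_10.1.2.178
    SSLCertificateChainFile /etc/apache2/ssl/glance/cert_10.1.2.178
    SSLCertificateKeyFile /etc/apache2/ssl/glance/key_10.1.2.178
    SSLCertificateFile /etc/apache2/ssl/glance/cert_10.11.0.28
    SSLCertificateChainFile /etc/apache2/ssl/glance/cert_10.11.0.28
    SSLCertificateKeyFile /etc/apache2/ssl/glance/key_10.11.0.28
"""
SSL_DIR_FILES = [
    "cert_glanceadmin.domain.com", "cert_glancepublic.domain.com",
    "cert_glanceinternal.domain.com", "key_glanceadmin.domain.com",
    "key_glancepublic.domain.com", "key_glanceinternal.domain.com",
]
DIRECTIVES = ("SSLCertificateFile", "SSLCertificateChainFile",
              "SSLCertificateKeyFile")


def referenced_paths(conf_text):
    """Return (directive, path) pairs for every SSL file directive."""
    pat = re.compile(r"^\s*(%s)\s+(\S+)" % "|".join(DIRECTIVES), re.M)
    return [(d, p.strip('"')) for d, p in pat.findall(conf_text)]


def check_ssl_config(conf_text, ssl_dir):
    """Compare directives against ssl_dir. Returns (missing, unreferenced):
    paths apache would fail to open, and files apache never uses."""
    present = set(os.listdir(ssl_dir))
    refs = referenced_paths(conf_text)
    missing = sorted({p for _, p in refs if os.path.basename(p) not in present})
    used = {os.path.basename(p) for _, p in refs}
    return missing, sorted(present - used)


def demo():
    """Recreate the reporter's ssl directory in a temp dir and run the check."""
    with tempfile.TemporaryDirectory() as d:
        for name in SSL_DIR_FILES:
            with open(os.path.join(d, name), "w") as f:
                f.write("dummy\n")
        return check_ssl_config(APACHE_CONF, d)


if __name__ == "__main__":
    missing, unreferenced = demo()
    for p in missing:
        print("directive points to a missing file:", p)
    for n in unreferenced:
        print("file never referenced by apache:", n)
```

Against a real unit, pass the contents of the live config and the real ssl directory; an empty result for both lists means the names agree.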

Revision history for this message
James Page (james-page) wrote :

Hi Ben

I think I see what the issue is in the codebase but I need to know whether you're using the os-*-hostname configuration options on the glance charm - looking at the SSL certs and keys I think you are, and I also assume you're deployed in an HA configuration using a VIP?

Marking 'Incomplete' pending your response.

Changed in charm-keystone:
status: New → Incomplete
importance: Undecided → Medium
Revision history for this message
James Page (james-page) wrote :

Test bundle which reproduces os-*-hostname usage + VIP + https-service-endpoints.

Changed in charm-keystone:
status: Incomplete → Triaged
importance: Medium → High
Revision history for this message
James Page (james-page) wrote :

Further information

Write of keystone generated certs to /etc/apache2/ssl/glance uses the name that's registered into the service catalog (which is driven from os-*-hostname in the test deployment):

http://bazaar.launchpad.net/~charm-helpers/charm-helpers/devel/view/head:/charmhelpers/contrib/openstack/context.py#L704

However, the get_network_addresses method does not consider os-*-hostname configuration options and is used to build out the dataset used to configure Apache SSL:

http://bazaar.launchpad.net/~charm-helpers/charm-helpers/devel/view/head:/charmhelpers/contrib/openstack/context.py#L738

Revision history for this message
James Page (james-page) wrote :

Test bundle is an HA configuration, but I think this will also be the same in non-HA deployments - setting bug title to that effect.

summary: - SSL cert when using https-service-endpoints=true is deployed to other
- services by endpoint name but apache2 config still has IP
+ os-*-hostname + https-service-endpoints are not compatible (mismatch
+ between apache config and cert/key filenames)
Changed in charm-keystone:
milestone: none → 17.08
Revision history for this message
Ben (bjenkins-x) wrote :

Yes, I am using the os-hostname option on all of the charms and this is indeed HA. Thank you so much for picking this up.

James Page (james-page)
Changed in charm-keystone:
milestone: 17.08 → 17.11
James Page (james-page)
Changed in charm-keystone:
milestone: 17.11 → 18.02
Ryan Beisner (1chb1n)
Changed in charm-keystone:
milestone: 18.02 → 18.05
David Ames (thedac)
Changed in charm-keystone:
milestone: 18.05 → 18.08
Revision history for this message
Frode Nordahl (fnordahl) wrote :
Changed in charm-keystone:
status: Triaged → Fix Committed
Revision history for this message
Frode Nordahl (fnordahl) wrote :

The use of `use-https` and `https-service-endpoints` configuration options has been removed as of 18.08 release of the charms [0]. Please refer to the `ssl_cert`, `ssl_key` and `ssl_ca` configuration options instead.

0: https://review.openstack.org/#/c/560915/

Changed in charm-keystone:
status: Fix Committed → Won't Fix