Add OS_CACERT to userrc_early and ensure SERVICE_HOST is SAN
OS_CACERT was being added directly to the environment rather
than usercc_early. This caused an untrusted CA error to be
thrown.
Ensure that SERVICE_HOST is in the Subject Alt. Names of the
issued TLS server cert. The gate sets it to 127.0.0.1 which
wasn't being handled. Only the FQDN of the host and actual
IP address of the machine were being added.
Change-Id: I8a91dffe1a5263d2bcc99ea406a8556045b52be2
diff --git a/lib/tls b/lib/tls
index f4740b8..ca57ed4 100644
--- a/lib/tls
+++ b/lib/tls
@@ -257,6 +257,14 @@
local common_name=$3
local alt_names=$4
+ if [ "$common_name" != "$SERVICE_HOST" ]; then
+ if [[ -z "$alt_names" ]]; then
+ alt_names="DNS:$SERVICE_HOST"
+ else
+ alt_names="$alt_names,DNS:$SERVICE_HOST"
+ fi
+ fi
+
# Only generate the certificate if it doesn't exist yet on the disk
if [ ! -r "$ca_dir/$cert_name.crt" ]; then
# Generate a signing request
diff --git a/stack.sh b/stack.sh
index 5c16f04..b91c106 100755
--- a/stack.sh
+++ b/stack.sh
@@ -1004,10 +1004,6 @@
bootstrap_keystone
fi
- if is_service_enabled tls-proxy; then
- export OS_CACERT=$INT_CA_DIR/ca-chain.pem
- fi
-
# Rather than just export these, we write them out to a
# intermediate userrc file that can also be used to debug if
# something goes wrong between here and running
@@ -1028,6 +1024,10 @@
EOF
+ if is_service_enabled tls-proxy; then
+ echo "export OS_CACERT=$INT_CA_DIR/ca-chain.pem" >> $TOP_DIR/userrc_early
+ fi
+
source $TOP_DIR/userrc_early
create_keystone_accounts