Gitiles
Code Review Sign In
spfactory.storpool.com / devstack / be00e95da5ae57c6aaa547ee01a5cab9a13862ca^! / . / lib / tls
commitbe00e95da5ae57c6aaa547ee01a5cab9a13862ca[log] [tgz]
authorRob Crittenden <rcritten@redhat.com>Thu Mar 24 18:09:22 2016 -0400
committerRob Crittenden <rcritten@redhat.com>Mon Mar 28 10:00:52 2016 -0400
treed84545169430f7e6e3a361da48ec7545e43f6ed8
parent11b111fd7a064985a3c3ca20830d09ed613094a4 [diff] [blame]
Add OS_CACERT to userrc_early and ensure SERVICE_HOST is SAN

OS_CACERT was being added directly to the environment rather
than usercc_early. This caused an untrusted CA error to be
thrown.

Ensure that SERVICE_HOST is in the Subject Alt. Names of the
issued TLS server cert. The gate sets it to 127.0.0.1 which
wasn't being handled. Only the FQDN of the host and actual
IP address of the machine were being added.

Change-Id: I8a91dffe1a5263d2bcc99ea406a8556045b52be2

diff --git a/lib/tls b/lib/tls
index f4740b8..ca57ed4 100644
--- a/lib/tls
+++ b/lib/tls

@@ -257,6 +257,14 @@
     local common_name=$3
     local alt_names=$4
 
+    if [ "$common_name" != "$SERVICE_HOST" ]; then
+        if [[ -z "$alt_names" ]]; then
+            alt_names="DNS:$SERVICE_HOST"
+        else
+            alt_names="$alt_names,DNS:$SERVICE_HOST"
+        fi
+    fi
+
     # Only generate the certificate if it doesn't exist yet on the disk
     if [ ! -r "$ca_dir/$cert_name.crt" ]; then
         # Generate a signing request