| 1 | +// This is included in the following assemblies: |
| 2 | +// |
| 3 | +// * installing/installing_openstack/preparing-to-install-on-openstack.adoc |
| 4 | + |
| 5 | +:_content-type: PROCEDURE |
| 6 | +[id="security-osp-validating-certificates-manually_{context}"] |
| 7 | += Scanning {rh-openstack} endpoints for legacy HTTPS certificates manually |
| 8 | + |
| 9 | +Beginning with {product-title} 4.10, HTTPS certificates must contain subject alternative name (SAN) fields. If you do not have access to the prerequisite tools that are listed in "Scanning {rh-openstack} endpoints for legacy HTTPS certificates", perform the following steps to scan each HTTPS endpoint in a {rh-openstack-first} catalog for legacy certificates that only contain the `CommonName` field. |
| 10 | + |
| 11 | +[IMPORTANT] |
| 12 | +==== |
| 13 | +{product-title} does not check the underlying {rh-openstack} infrastructure for legacy certificates prior to installation or updates. Use the following steps to check for these certificates yourself. Failing to update legacy certificates prior to installing or updating a cluster will result in cluster dysfunction. |
| 14 | +==== |
| 15 | + |
| 16 | +.Procedure |
| 17 | + |
| 18 | +. On a command line, run the following command to view the URL of {rh-openstack} public endpoints: |
| 19 | ++ |
| 20 | +[source,terminal] |
| 21 | +---- |
| 22 | +$ openstack catalog list |
| 23 | +---- |
| 24 | ++ |
| 25 | +Record the URL for each HTTPS endpoint that the command returns. |
| 26 | +. For each public endpoint, note the host and the port. |
| 27 | ++ |
| 28 | +[TIP] |
| 29 | +==== |
| 30 | +Determine the host of an endpoint by removing the scheme, the port, and the path. |
| 31 | +==== |
| 32 | + |
| 33 | +. For each endpoint, run the following commands to extract the SAN field of the certificate: |
| 34 | +.. Set a `host` variable: |
| 35 | ++ |
| 36 | +[source,terminal] |
| 37 | +---- |
| 38 | +$ host=<host_name> |
| 39 | +---- |
| 40 | +.. Set a `port` variable: |
| 41 | ++ |
| 42 | +[source,terminal] |
| 43 | +---- |
| 44 | +$ port=<port_number> |
| 45 | +---- |
| 46 | ++ |
| 47 | +If the URL of the endpoint does not have a port, use the value `443`. |
| 48 | +.. Retrieve the SAN field of the certificate: |
| 49 | ++ |
| 50 | +[source,terminal] |
| 51 | +---- |
| 52 | +$ openssl s_client -showcerts -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \ |
| 53 | + | openssl x509 -noout -ext subjectAltName |
| 54 | +---- |
| 55 | ++ |
| 56 | +.Example output |
| 57 | +[source,terminal] |
| 58 | +---- |
| 59 | +X509v3 Subject Alternative Name: |
| 60 | + DNS:your.host.example.net |
| 61 | +---- |
| 62 | ++ |
| 63 | +For each endpoint, look for output that resembles the previous example. If there is no output for an endpoint, the certificate of that endpoint is invalid and must be re-issued. |
| 64 | + |
| 65 | +[IMPORTANT] |
| 66 | +==== |
| 67 | +You must replace all legacy HTTPS certificates before you install {product-title} 4.10 or update a cluster to that version. Legacy certificates are rejected with the following message: |
| 68 | +
|
| 69 | +[source,txt] |
| 70 | +---- |
| 71 | +x509: certificate relies on legacy Common Name field, use SANs instead |
| 72 | +---- |
| 73 | +==== |
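Review bot: the conclusion at line 63, "If there is no output for an endpoint, the certificate of that endpoint is invalid and must be re-issued", does not distinguish a certificate without a SAN from a connection that never succeeded. Because the pipeline at lines 52-53 sends the `openssl s_client` errors to `/dev/null`, a wrong host or port, a firewall block, or an endpoint that is plain HTTP rather than HTTPS also produces no `X509v3 Subject Alternative Name` line, and the reader would wrongly conclude that the certificate needs re-issuing. Suggest telling the reader to confirm the connection first (for example, re-run the `openssl s_client` command without `2>/dev/null` and check that it prints the server certificate) before treating empty output as a missing SAN, and to skip non-HTTPS entries from the catalog list at line 22. Two smaller points: `openssl x509 -ext` is only available in OpenSSL 1.1.1 and later, so the prerequisite should be stated near line 33 since this procedure is offered to readers who lack the other tooling; and "invalid" at line 63 overstates the case, since the certificate is a legacy Common Name-only certificate that {product-title} 4.10 rejects, which is the wording the IMPORTANT block at lines 66-72 already uses.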