
Commit 0299a3d

mmalchuk authored and markgoddard committed
Fix usage of Subject Alternative Name for TLS
All TLS certificates are incorrectly generated in the 'certificates' role. The generated certificates don't contain both the 'X509v3 extensions' and 'X509v3 Subject Alternative Name' blocks at all.

This change fixes the 'openssl x509' commands used to generate all the certificates to include the 'Subject Alternative Name'.

Also, this change fixes both internal and external templates to constantly use alternative names as described in the RFCs [1] [2]. We use DNS Name in the SAN extension only when 'kolla_internal_fqdn' or 'kolla_external_fqdn' is set.

1. https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6
2. https://datatracker.ietf.org/doc/html/rfc6125#appendix-B.2

Closes-Bug: #1935978
Change-Id: Ie5d82a2e4575bd74674ac38a042df49cfe7f74c9
Signed-off-by: Maksim Malchuk <[email protected]>
(cherry picked from commit 6409d62)
1 parent fe70a46 commit 0299a3d


4 files changed, +8 -6 lines changed


ansible/roles/certificates/tasks/generate-backend.yml

Lines changed: 2 additions & 0 deletions
@@ -39,6 +39,8 @@
3939
-CA "{{ root_dir }}/root.crt"
4040
-CAkey "{{ root_dir }}/root.key"
4141
-CAcreateserial
42+
-extensions v3_req
43+
-extfile "{{ kolla_certificates_dir }}/openssl-kolla-backend.cnf"
4244
-out "{{ backend_dir }}/backend.crt"
4345
-days 500
4446
-sha256
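Review bot: the added `-extensions v3_req -extfile .../openssl-kolla-backend.cnf` pair assumes that openssl-kolla-backend.cnf already carries a `[v3_req]` section with a `subjectAltName` entry, but that template is not one of the four files in this change (only the internal and external .cnf.j2 templates are touched). If the section is missing, `openssl x509 -req` fails with an error loading the extension section rather than silently omitting the SAN, so please confirm the backend template has it or add it to this change.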

ansible/roles/certificates/tasks/generate.yml

Lines changed: 4 additions & 0 deletions
@@ -46,6 +46,8 @@
4646
-CA "{{ root_dir }}/root.crt"
4747
-CAkey "{{ root_dir }}/root.key"
4848
-CAcreateserial
49+
-extensions v3_req
50+
-extfile "{{ kolla_certificates_dir }}/openssl-kolla.cnf"
4951
-out "{{ external_dir }}/external.crt"
5052
-days 365
5153
-sha256
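Review bot: the external signing block here and the internal one at line 116 of this file are now the same command differing only in the extfile name and the output directory; the missing `-extensions` flag is exactly the kind of drift that duplicated blocks invite, so consider one task looping over (cnf, out_dir) pairs. Also note `-days 365` here against `-days 500` for the backend certificate in generate-backend.yml; if the difference is intentional, a short comment would help.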
@@ -114,6 +116,8 @@
114116
-CA "{{ root_dir }}/root.crt"
115117
-CAkey "{{ root_dir }}/root.key"
116118
-CAcreateserial
119+
-extensions v3_req
120+
-extfile "{{ kolla_certificates_dir }}/openssl-kolla-internal.cnf"
117121
-out "{{ internal_dir }}/internal.crt"
118122
-days 365
119123
-sha256
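Review bot: with `-extensions v3_req -extfile`, `openssl x509 -req` takes extensions from the extfile and does not copy whatever the CSR carried, so the `[alt_names]` section of openssl-kolla-internal.cnf becomes the sole source of the certificate's identities. Since this bug shipped because nothing checked the output, consider a post-generation task such as `openssl x509 -in "{{ internal_dir }}/internal.crt" -noout -ext subjectAltName` that fails the play when the extension is absent.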

ansible/roles/certificates/templates/openssl-kolla-internal.cnf.j2

Lines changed: 1 addition & 3 deletions
@@ -8,14 +8,12 @@ countryName = US
88
stateOrProvinceName = NC
99
localityName = RTP
1010
organizationalUnitName = kolla
11-
commonName = {{ kolla_internal_fqdn }}
1211

1312
[v3_req]
1413
subjectAltName = @alt_names
1514

1615
[alt_names]
1716
{% if kolla_internal_fqdn != kolla_internal_vip_address %}
1817
DNS.1 = {{ kolla_internal_fqdn }}
19-
{% else %}
20-
IP.1 = {{ kolla_internal_fqdn }}
2118
{% endif %}
19+
IP.1 = {{ kolla_internal_vip_address }}
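Review bot: removing `commonName` leaves the subject with no CN at all (C/ST/L/OU only). That is valid under RFC 5280 once the identity lives in subjectAltName, but any client or tool that still matches on CN alone will stop validating these certificates, so a one-line comment in the template explaining why CN is intentionally omitted, plus a release note, would keep the next reader from adding it back. The unconditional `IP.1 = {{ kolla_internal_vip_address }}` after `{% endif %}` is the right shape, since the VIP is always reachable by address.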

ansible/roles/certificates/templates/openssl-kolla.cnf.j2

Lines changed: 1 addition & 3 deletions
@@ -8,14 +8,12 @@ countryName = US
88
stateOrProvinceName = NC
99
localityName = RTP
1010
organizationalUnitName = kolla
11-
commonName = {{ kolla_external_fqdn }}
1211

1312
[v3_req]
1413
subjectAltName = @alt_names
1514

1615
[alt_names]
1716
{% if kolla_external_fqdn != kolla_external_vip_address %}
1817
DNS.1 = {{ kolla_external_fqdn }}
19-
{% else %}
20-
IP.1 = {{ kolla_external_fqdn }}
2118
{% endif %}
19+
IP.1 = {{ kolla_external_vip_address }}
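Review bot: the `{% if kolla_external_fqdn != kolla_external_vip_address %}` guard only tests that the two strings differ, so a deployment that sets `kolla_external_fqdn` to an IP literal other than the VIP would emit that address as `DNS.1`. OpenSSL accepts it, but RFC 5280 section 4.2.1.6, cited in the commit message, puts IP addresses in iPAddress, and RFC 6125 clients will not match a dNSName against the host's address; consider a check with Ansible's `ipaddr` filter or documenting that the fqdn variable must be a hostname. Separately, this template is now identical to openssl-kolla-internal.cnf.j2 apart from the variable prefix, so a single parameterised template would stop the two from drifting.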
