Public bug reported:
We tried enabling the SSL cert and SSL key options in all the OpenStack charms.
However, when using multiple networks and multiple VIPs, the SSL options
generate a certificate per IP address from the management network.

So, you end up with the following files:

  $ find /etc/apache2/ssl/
  /etc/apache2/ssl/
  /etc/apache2/ssl/keystone
  /etc/apache2/ssl/keystone/cert_10.5.0.114
  /etc/apache2/ssl/keystone/key_10.5.0.205
  /etc/apache2/ssl/keystone/key_10.5.0.114
  /etc/apache2/ssl/keystone/cert_10.5.0.205

Where 10.5.0.0/24 is the management network and 10.5.0.114 is the DHCP IP and
10.5.0.205 is the VIP on the same network.

But there is also a public IP on 31.28.88.0/24 and a Public VIP on 31.28.88.12
which have no SSL cert created, but the configuration includes it, so apache2
refuses to restart with the error:

  AH00526: Syntax error on line 14 of /etc/apache2/sites-enabled/openstack_https_frontend.conf:
  SSLCertificateFile: file '/etc/apache2/ssl/keystone/cert_31.28.88.12' does not exist or is empty
  Action 'configtest' failed.

Line 14 is:

  SSLCertificateFile /etc/apache2/ssl/keystone/cert_31.28.88.12

Therefore enabling SSL on any of the OpenStack charms with multiple NICs
with a VIP for HA is currently broken.

** Affects: keystone (Juju Charms Collection)
Importance: Undecided
Status: New
** Also affects: horizon
Importance: Undecided
Status: New
** Also affects: cinder
Importance: Undecided
Status: New
** No longer affects: cinder
** Also affects: nova
Importance: Undecided
Status: New
** Also affects: cinder
Importance: Undecided
Status: New
** No longer affects: horizon
** No longer affects: cinder
** No longer affects: nova
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1522932
Title:
SSL cert and key options do not work with multiple VIPs
Status in keystone package in Juju Charms Collection:
New
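
An added example, not part of the original report or the charm's code: a pre-flight check that lists every SSLCertificateFile / SSLCertificateKeyFile path in a vhost config that is missing or empty, the condition behind the AH00526 error in the report. The vhost layout in SAMPLE and the function names are assumptions; only the IP addresses and file names come from the report.

```python
import os
import re
import tempfile

# The two mod_ssl directives that name files Apache must find at configtest time.
DIRECTIVE = re.compile(
    r"^\s*(SSLCertificateFile|SSLCertificateKeyFile)\s+(\S+)", re.IGNORECASE
)

# Constructed sample: one vhost per VIP, as the report's error implies (assumed layout).
SAMPLE = """\
<VirtualHost 10.5.0.205:443>
    SSLEngine on
    SSLCertificateFile {d}/cert_10.5.0.205
    SSLCertificateKeyFile {d}/key_10.5.0.205
</VirtualHost>
<VirtualHost 31.28.88.12:443>
    SSLEngine on
    SSLCertificateFile {d}/cert_31.28.88.12
    SSLCertificateKeyFile {d}/key_31.28.88.12
</VirtualHost>
"""

def missing_ssl_files(conf_text, exists=None):
    """Return [(line_no, directive, path)] for files that are absent or empty."""
    if exists is None:
        exists = lambda p: os.path.isfile(p) and os.path.getsize(p) > 0
    problems = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        m = DIRECTIVE.match(line)  # commented-out lines start with '#' and never match
        if m:
            path = m.group(2).strip("\"'")
            if not exists(path):
                problems.append((line_no, m.group(1), path))
    return problems

def demo():
    """Recreate the report's state: files exist only for the management VIP."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("cert_10.5.0.205", "key_10.5.0.205"):
            with open(os.path.join(d, name), "w") as f:
                f.write("placeholder, not a real certificate\n")
        found = missing_ssl_files(SAMPLE.format(d=d))
        return [(n, k, os.path.basename(p)) for n, k, p in found]

if __name__ == "__main__":
    for line_no, directive, name in demo():
        print(f"line {line_no}: {directive} -> {name} missing or empty")
```

Running such a check before restarting apache2 turns the failed restart into a list of the exact paths that were never written.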