openstack/kolla-ansible
Code Issues Proposed changes
e1ec02eddf
kolla-ansible/ansible/roles/certificates/tasks/generate.yml
Maksim Malchuk 6409d62650 Fix usage of Subject Alternative Name for TLS 
All TLS certificates are incorrectly generated in the 'certificates'
role. The generated certificates don't contain both the 'X509v3
extensions' and 'X509v3 Subject Alternative Name' blocks at all.

This change fixes the 'openssl x509' commands used to generate all the
certificates to include the 'Subject Alternative Name'.

Also, this change fixes both internal and external templates to
constantly use alternative names as described in the RFCs [1] [2].
We use DNS Name in SAN extension only when 'kolla_internal_fqdn' or
'kolla_external_fqdn' is set.

1. https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6
2. https://datatracker.ietf.org/doc/html/rfc6125#appendix-B.2

Closes-Bug: #1935978
Change-Id: Ie5d82a2e4575bd74674ac38a042df49cfe7f74c9
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>
2021-08-24 15:33:22 +03:00

142 lines
4.0 KiB
YAML
Raw Blame History

---
- name: Ensuring private internal directory exist
file:
path: "{{ internal_dir }}"
state: "directory"
mode: "0770"
- name: Ensuring private external directory exist
file:
path: "{{ external_dir }}"
state: "directory"
mode: "0770"
- block:
- name: Creating external SSL configuration file
template:
src: "{{ item }}.j2"
dest: "{{ kolla_certificates_dir }}/{{ item }}"
mode: "0660"
with_items:
- "openssl-kolla.cnf"
- name: Creating external Server Certificate key
command: >
openssl genrsa
-out "{{ external_dir }}/external.key" 2048
args:
creates: "{{ external_dir }}/external.key"
- name: Creating external Server Certificate signing request
command: >
openssl req
-new
-key "{{ external_dir }}/external.key"
-out "{{ external_dir }}/external.csr"
-config "{{ kolla_certificates_dir }}/openssl-kolla.cnf"
-sha256
args:
creates: "{{ external_dir }}/external.csr"
- name: Creating external Server Certificate
command: >
openssl x509
-req
-in "{{ external_dir }}/external.csr"
-CA "{{ root_dir }}/root.crt"
-CAkey "{{ root_dir }}/root.key"
-CAcreateserial
-extensions v3_req
-extfile "{{ kolla_certificates_dir }}/openssl-kolla.cnf"
-out "{{ external_dir }}/external.crt"
-days 365
-sha256
args:
creates: "{{ external_dir }}/external.crt"
- name: Setting permissions on external key
file:
path: "{{ external_dir }}/external.key"
mode: "0660"
state: file
- name: Creating external Server PEM File
assemble:
regexp: \.(crt|key)$
src: "{{ external_dir }}"
dest: "{{ kolla_external_fqdn_cert }}"
mode: "0660"
when:
- kolla_enable_tls_external | bool
- block:
- name: Copy the external PEM file to be the internal when internal + external are same network
copy:
src: "{{ kolla_external_fqdn_cert }}"
dest: "{{ kolla_internal_fqdn_cert }}"
remote_src: yes
mode: "0660"
when:
- kolla_enable_tls_external | bool
- kolla_enable_tls_internal | bool
- kolla_same_external_internal_vip | bool
- block:
- name: Creating internal SSL configuration file
template:
src: "{{ item }}.j2"
dest: "{{ kolla_certificates_dir }}/{{ item }}"
mode: "0660"
with_items:
- "openssl-kolla-internal.cnf"
- name: Creating internal Server Certificate key
command: >
openssl genrsa
-out "{{ internal_dir }}/internal.key" 2048
args:
creates: "{{ internal_dir }}/internal.key"
- name: Creating internal Server Certificate signing request
command: >
openssl req
-new
-key "{{ internal_dir }}/internal.key"
-out "{{ internal_dir }}/internal.csr"
-config "{{ kolla_certificates_dir }}/openssl-kolla-internal.cnf"
-sha256
args:
creates: "{{ internal_dir }}/internal.csr"
- name: Creating internal Server Certificate
command: >
openssl x509
-req
-in "{{ internal_dir }}/internal.csr"
-CA "{{ root_dir }}/root.crt"
-CAkey "{{ root_dir }}/root.key"
-CAcreateserial
-extensions v3_req
-extfile "{{ kolla_certificates_dir }}/openssl-kolla-internal.cnf"
-out "{{ internal_dir }}/internal.crt"
-days 365
-sha256
args:
creates: "{{ internal_dir }}/internal.crt"
- name: Setting permissions on internal key
file:
path: "{{ internal_dir }}/internal.key"
mode: "0660"
state: file
- name: Creating internal Server PEM File
assemble:
regexp: \.(crt|key)$
src: "{{ internal_dir }}"
dest: "{{ kolla_internal_fqdn_cert }}"
mode: "0660"
when:
- kolla_enable_tls_internal | bool
- not kolla_same_external_internal_vip | bool
View Git Blame Copy Permalink