Description of problem:

The SSL certificate generation instructions don't configure the subject alternative names correctly, and the deployment only works when the CN is set to the public VIP.

I am using the instructions here [1] to generate a certificate used for undercloud deployment. This is how the alt_names section looks in my openssl.cnf:

    [alt_names]
    IP.1 = 192.0.2.2
    DNS.1 = instack.localdomain
    DNS.2 = vip.localdomain

In addition to the instructions I added the cert to the system trusted store, which is required for OSP8:

    sudo cp undercloud.pem /etc/pki/ca-trust/source/anchors/
    sudo update-ca-trust extract

curl https://192.0.2.2:13777 works ok:

    [stack@instack ~]$ curl https://192.0.2.2:13777
    Authentication required

curl https://vip.localdomain:13777 fails:

    [stack@instack ~]$ curl https://vip.localdomain:13777
    curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

vip.localdomain resolves to 192.0.2.2 in /etc/hosts.

If we check the generated certificate we can see that there is no X509v3 Subject Alternative Name extension:

    [stack@instack ~]$ openssl x509 -in undercloud.pem -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 9309607435479309949 (0x81325ea35e145e7d)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=AU, ST=Queensland, L=Brisbane, O=Red Hat, OU=Red Hat, CN=192.0.2.2
            Validity
                Not Before: Feb 29 11:19:31 2016 GMT
                Not After : Feb 28 11:19:31 2017 GMT
            Subject: C=AU, ST=Queensland, L=Brisbane, O=Red Hat, OU=Red Hat, CN=192.0.2.2
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:b4:4d:b4:61:22:3b:0d:1b:6d:00:4d:36:c8:e3:
                        ed:8b:10:c6:9c:bb:59:9c:0b:d6:55:82:f5:ff:59:
                        9a:c8:e2:e4:44:30:8a:eb:61:b7:18:87:56:75:43:
                        d1:19:97:77:a9:9d:e3:db:36:93:01:0e:81:80:a0:
                        34:2a:15:b8:cd:e8:3a:b9:58:ec:d0:09:bf:ae:ad:
                        8b:a8:23:91:b1:41:3f:c7:ac:fa:cd:51:da:89:d2:
                        bc:f3:b4:33:21:e0:88:0b:fd:f8:8a:ea:98:59:55:
                        53:3e:2b:06:29:6f:59:6b:db:ee:27:2b:a2:4d:10:
                        db:f8:15:fd:dd:ce:4f:a4:19:16:81:29:1d:6b:80:
                        67:0f:da:17:14:29:04:63:a3:33:4b:9d:cd:d6:c6:
                        99:66:c5:d0:48:db:0d:45:7a:db:5e:df:1f:86:7d:
                        57:ef:c0:8e:06:5a:50:8d:84:84:52:3f:50:3b:af:
                        85:fb:a8:84:26:67:41:8d:28:13:c2:6c:b4:f8:87:
                        c9:0e:12:44:35:51:ec:80:ac:3a:e3:94:08:f3:81:
                        9a:14:46:1b:0d:7e:d5:ee:8e:aa:9d:75:95:7b:d3:
                        08:f8:1f:49:e8:04:6b:ce:26:60:b2:c6:79:ec:10:
                        0c:08:b8:fb:f3:f2:fe:9e:67:f3:1f:eb:49:7b:be:
                        85:69
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    49:97:C2:44:B1:10:FA:80:FE:D8:D5:29:BE:F4:53:FA:08:0B:C8:70
                X509v3 Authority Key Identifier:
                    keyid:49:97:C2:44:B1:10:FA:80:FE:D8:D5:29:BE:F4:53:FA:08:0B:C8:70
                X509v3 Basic Constraints:
                    CA:TRUE
        Signature Algorithm: sha256WithRSAEncryption
             3e:68:df:7f:ea:a4:99:52:1d:56:e4:35:bf:cd:1b:e5:2f:da:
             68:f2:24:60:53:22:1d:ac:10:bc:a8:53:74:69:ba:c0:dd:0b:
             fe:eb:03:cc:b5:67:06:fa:51:de:3a:b6:af:68:b4:cc:90:10:
             b8:49:c6:a4:48:ed:d2:a9:8e:c4:bc:37:15:e3:e6:65:2d:d1:
             ab:64:c0:b4:61:ae:a1:17:cd:2a:b6:ce:00:df:e7:66:64:37:
             97:3e:90:99:7b:a7:ca:3a:91:57:6f:44:fa:74:ba:28:ba:97:
             18:05:d0:62:56:56:43:52:c6:d9:27:61:87:ee:35:3d:e7:5d:
             d7:b4:eb:91:b4:a5:83:1c:ea:ee:49:07:33:91:dd:9a:47:87:
             6f:28:05:3c:f6:ff:82:3e:f0:ca:71:e8:78:f9:a0:0a:93:42:
             58:31:fd:bf:f3:51:16:aa:74:54:5f:94:7a:f2:72:95:df:d4:
             8f:ac:1a:c9:88:9e:a0:58:10:dd:b3:7a:78:c3:c9:ce:0b:7a:
             12:dc:91:6a:27:8d:ef:48:1e:ef:ff:03:6b:f2:0d:8f:f0:2d:
             44:68:c4:56:fb:26:3c:83:b7:16:ea:7a:79:75:71:c9:17:33:
             9a:05:20:bc:15:47:16:5e:e2:97:21:7d:d5:c4:b1:d3:22:51:
             e5:b9:3d:6f

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/7/html/Director_Installation_and_Usage/appe-SSL_Certificate_Configuration.html
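The report above shows an [alt_names] section that never made it into the certificate. The script below is an added example, not code from the bug report or from the Red Hat documentation it links: it generates two self-signed certificates from one openssl.cnf that contains the reporter's [alt_names] block, one signed with an extension section that lacks subjectAltName (mirroring the extensions visible in the reporter's certificate) and one whose extension section references the block with `subjectAltName = @alt_names`, then checks each against the names the undercloud is reached by. The section names v3_no_san and v3_san, the work directory and the file names are constructed for this example; OpenSSL only applies [alt_names] when the extension section actually used at signing time names it, which is what the two variants demonstrate.

```shell
#!/bin/sh
# Added example (not from the bug report): two self-signed certs from one config,
# with and without the SAN extension wired to [alt_names], plus hostname checks.
# Assumes the openssl CLI is installed; all paths under $WORKDIR are constructed here.
set -eu

WORKDIR=$(mktemp -d)

# write_openssl_cnf FILE: the [alt_names] block is the reporter's; the two v3_*
# extension sections are constructed to show the effect of subjectAltName.
write_openssl_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = req_dn
prompt = no

[req_dn]
C = AU
ST = Queensland
L = Brisbane
O = Red Hat
OU = Red Hat
CN = 192.0.2.2

[alt_names]
IP.1 = 192.0.2.2
DNS.1 = instack.localdomain
DNS.2 = vip.localdomain

# Same extensions as the reporter's certificate: no Subject Alternative Name.
[v3_no_san]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
basicConstraints = CA:TRUE

# Same extensions plus the SAN extension pointing at [alt_names].
[v3_san]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
basicConstraints = CA:TRUE
subjectAltName = @alt_names
EOF
}

# gen_cert CONFIG EXT_SECTION OUT_CERT OUT_KEY: self-signed cert; -extensions
# selects which section of CONFIG is applied when -x509 is used.
gen_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$1" -extensions "$2" -out "$3" -keyout "$4" 2>/dev/null
}

# cert_has_san CERT ENTRY: true if ENTRY (e.g. "DNS:vip.localdomain") is listed
# under the certificate's X509v3 Subject Alternative Name extension.
cert_has_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Subject Alternative Name' | grep -q -- "$2"
}

# cert_matches_host CERT HOST: true if OpenSSL's hostname check accepts HOST for
# CERT; the self-signed cert serves as its own trust anchor here.
cert_matches_host() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# cert_matches_ip CERT IP: the same check for an IP address, which OpenSSL
# matches only against SAN IP entries, never against the CN.
cert_matches_ip() {
  openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}

CNF="$WORKDIR/openssl.cnf"
NOSAN_CERT="$WORKDIR/nosan.pem"
SAN_CERT="$WORKDIR/san.pem"
write_openssl_cnf "$CNF"
gen_cert "$CNF" v3_no_san "$NOSAN_CERT" "$WORKDIR/nosan.key"
gen_cert "$CNF" v3_san "$SAN_CERT" "$WORKDIR/san.key"

# report CERT: print which of the undercloud's names each certificate is accepted for.
report() {
  for h in instack.localdomain vip.localdomain; do
    if cert_matches_host "$1" "$h"; then echo "$1: $h OK"; else echo "$1: $h MISMATCH"; fi
  done
}
report "$NOSAN_CERT"
report "$SAN_CERT"
```

Running it prints MISMATCH for both names with the v3_no_san certificate and OK for both with the v3_san one; `openssl x509 -text` on the second shows the X509v3 Subject Alternative Name line that is absent from the reporter's dump. When following a generation guide, `cert_has_san` is the cheap check to run before copying the certificate into the trust store and deploying.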
Looks like this issue was addressed from these two previous bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=1350736
https://bugzilla.redhat.com/show_bug.cgi?id=1341694