Created attachment 1140162
san_ip.crt

Description of problem:
SSL overcloud deployment fails when the certificate contains the public VIP in the SAN extension. I updated the enable-tls.yaml to use the IP address instead of the hostname (sed -i 's/CLOUDNAME/IP_ADDRESS/'). The public VIP of the overcloud is 172.16.23.10.

Deployment fails with the following error:

Authorization Failed: SSL exception connecting to https://172.16.23.10:13000/v2.0/tokens: hostname '172.16.23.10' doesn't match either of 'cloudy.net', 'overcloud.cloudy.net'

The certificate contains the SAN extension:

X509v3 Subject Alternative Name:
    IP Address:172.16.23.10, IP Address:2001:DB8:FD00:1000:0:0:0:10, DNS:cloudy.net, DNS:overcloud.cloudy.net

curl seems to be working:

curl https://172.16.23.10:13000/v2.0/tokens
{"error": {"message": "The resource could not be found.", "code": 404, "title": "Not Found"}}

The overcloud deployment succeeds when using 'cloudy.net' as CloudName, so I'd say the certificate validation is successful, but I believe the openstack client does not check the IP address in the SAN extension. According to the RFC this should be supported:

https://tools.ietf.org/html/rfc2818#section-3.1

    In some cases, the URI is specified as an IP address rather than a
    hostname. In this case, the iPAddress subjectAltName must be present
    in the certificate and must exactly match the IP in the URI.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-0.8.12-2.el7ost.noarch

How reproducible:
100%

Additional info:
Attaching the certificate.
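
Added example (not part of the original report and not OpenStack client code): a sketch of the RFC 2818 section 3.1 rule quoted above, next to a dNSName-only checker that rejects the IP the way the reported error does. The function names are hypothetical, and the certificate is a constructed dict holding the SAN from the report, in the shape Python's ssl.SSLSocket.getpeercert() returns.

```python
import ipaddress

# Constructed sample: the SAN from the report, in the dict shape that
# ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subjectAltName": (
        ("IP Address", "172.16.23.10"),
        ("IP Address", "2001:DB8:FD00:1000:0:0:0:10"),
        ("DNS", "cloudy.net"),
        ("DNS", "overcloud.cloudy.net"),
    )
}


def _dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def dns_only_match(cert, reference):
    """Checker that ignores iPAddress entries, like the behaviour reported above."""
    return any(_dns_match(value, reference)
               for kind, value in cert.get("subjectAltName", ()) if kind == "DNS")


def rfc2818_match(cert, reference):
    """IP literal: compare with iPAddress entries only; otherwise dNSName entries."""
    try:
        want = ipaddress.ip_address(reference.strip("[]"))
    except ValueError:
        return dns_only_match(cert, reference)
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "IP Address":
            continue
        try:
            # Compare parsed addresses so IPv6 text forms (case, zero
            # compression) do not cause false mismatches.
            if ipaddress.ip_address(value.strip()) == want:
                return True
        except ValueError:
            continue  # malformed entry: skip it
    return False
```

An IP literal is never compared against dNSName entries here, so a certificate that only carries the address as a DNS name does not validate for that IP.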
doc_text for the release please
This bug did not make the OSP 8.0 release. It is being deferred to OSP 10.
This should be fixed already.
Wait, never mind, I'll take a look.
Working on release notes entry.
added 1321179 to release notes:
osp11 - https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/11/html-single/release_notes/
osp10 - https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html-single/release_notes/
osp9 - https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/9/html-single/release_notes/
osp8 - https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/8/html-single/release_notes/
osp7 - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_openstack_platform/7/html-single/release_notes/
Discussed with Ozz, closing bug.