
Bug 1484531

Summary: TLS for Internal services for Neutron
Product: Red Hat OpenStack
Reporter: atelang <atelang>
Component: openstack-tripleo-heat-templates
Assignee: Emilien Macchi <emacchi>
Status: CLOSED ERRATA
QA Contact: Artem Hrechanychenko <ahrechan>
Severity: high
Docs Contact:
Priority: high
Version: 12.0 (Pike)
CC: aavraham, amuller, apevec, chrisw, cyril, derekh, eglynn, fpercoco, jjoyce, josorior, jruzicka, jschluet, kbasil, lhh, mabrams, mburns, nkinder, nyechiel, ohochman, pkilambi, rhel-osp-director-maint, rrasouli, sbaker, shardy, srevivo, ssmolyak, thiago, tvignaud, zaitcev, zbitter
Target Milestone: beta
Keywords: Triaged
Target Release: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openstack-tripleo-heat-templates-7.0.0-0.20170821194253.el7ost openstack-tripleo-common-7.4.1-0.20170818153039.7d74e83.el7ost puppet-tripleo-7.3.0-0.20170821114701.1dc48e6.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1484524
: 1484535 1486766
Environment:
Last Closed: 2017-12-13 21:55:13 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1484542, 1484547, 1484550, 1486766

Comment 12 Juan Antonio Osorio 2017-11-08 11:03:26 UTC
An easy way to verify neutron is to run the following command:

openssl s_client -connect <neutron internal API FQDN>:<neutron internal port>

If this succeeds neutron is running over HTTPS.

Also, neutron does not run over httpd, so I had to put a TLS proxy in front of it. We don't want to run TLS with eventlet (or in python for that matter). So, what you will notice is that the actual neutron server is actually listening on localhost and that there will be an httpd vhost that's listening in front. This is why you don't see TLS related options in the configuration or anything in the logs. The neutron server isn't necessarily aware that it's behind a TLS proxy.
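A parser for the `openssl s_client` transcript this comment asks for, as an added example (not code from the bug report, from TripleO, or from the commenter): it reads what `openssl s_client -connect <fqdn>:<port>` prints, pulls out the verify return code, negotiated protocol and cipher, server key size and certificate subject, and checks them against the FQDN that was connected to. The embedded sample is a constructed, abridged copy of the transcript in Comment 13 below; the names `parse_s_client`, `common_name` and `check_tls_endpoint` are this example's own.

```python
"""Check an `openssl s_client` transcript for a TLS-everywhere endpoint.

Added example, not part of the bug report. Feed it the output of
`openssl s_client -connect <fqdn>:9696 -CAfile <ca.pem> </dev/null`
on stdin, or run it with no stdin to use the constructed sample below.
"""
import re
import sys

# Constructed sample, abridged from the s_client transcript in Comment 13.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=1 O = REDHAT.LOCAL, CN = Certificate Authority
verify return:1
depth=0 O = REDHAT.LOCAL, CN = overcloud-controller-0.internalapi.redhat.local
verify return:1
---
Certificate chain
 0 s:/O=REDHAT.LOCAL/CN=overcloud-controller-0.internalapi.redhat.local
   i:/O=REDHAT.LOCAL/CN=Certificate Authority
 1 s:/O=REDHAT.LOCAL/CN=Certificate Authority
   i:/O=REDHAT.LOCAL/CN=Certificate Authority
---
subject=/O=REDHAT.LOCAL/CN=overcloud-controller-0.internalapi.redhat.local
issuer=/O=REDHAT.LOCAL/CN=Certificate Authority
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
---
"""

# One regex per field of interest; the SSL-Session lines are indented.
_PATTERNS = {
    "connected": re.compile(r"^CONNECTED\("),
    "subject": re.compile(r"^subject=(.*)$"),
    "issuer": re.compile(r"^issuer=(.*)$"),
    "protocol": re.compile(r"^\s*Protocol\s*:\s*(\S+)"),
    "cipher": re.compile(r"^\s*Cipher\s*:\s*(\S+)"),
    "key_bits": re.compile(r"^Server public key is (\d+) bit"),
    "verify_code": re.compile(r"^\s*Verify return code:\s*(\d+)\s*\((.*)\)"),
}

ACCEPTED_PROTOCOLS = ("TLSv1.2", "TLSv1.3")
# Substrings that mark cipher suites nobody should see on an internal API.
WEAK_CIPHER_MARKERS = ("NULL", "RC4", "DES", "EXP", "MD5")


def parse_s_client(output):
    """Return a dict of the fields s_client printed; a missing key means the line was absent."""
    info = {}
    for line in output.splitlines():
        for key, pat in _PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            if key == "connected":
                info["connected"] = True
            elif key == "verify_code":
                info["verify_code"] = int(m.group(1))
                info["verify_text"] = m.group(2)
            elif key == "key_bits":
                info["key_bits"] = int(m.group(1))
            else:
                info[key] = m.group(1)
    return info


def common_name(dn):
    """Pull CN out of a DN in either '/O=X/CN=Y' or 'O = X, CN = Y' form."""
    m = re.search(r"(?:^|[/,])\s*CN\s*=\s*([^/,]+)", dn)
    return m.group(1).strip() if m else None


def check_tls_endpoint(output, expected_fqdn, min_key_bits=2048):
    """Return a list of problems; an empty list means the endpoint passes."""
    info = parse_s_client(output)
    problems = []
    if not info.get("connected"):
        problems.append("no TCP connection (CONNECTED line missing)")
    if "protocol" not in info:
        # A plain-HTTP listener produces a handshake error and no SSL-Session block.
        problems.append("no TLS handshake completed (SSL-Session block missing)")
    elif info["protocol"] not in ACCEPTED_PROTOCOLS:
        problems.append("negotiated %s; expected one of %s" % (info["protocol"], ", ".join(ACCEPTED_PROTOCOLS)))
    cipher = info.get("cipher", "")
    if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
        problems.append("weak cipher suite negotiated: %s" % cipher)
    if info.get("verify_code") != 0:
        problems.append("certificate chain did not verify: %s" % info.get("verify_text", "no verify line"))
    cn = common_name(info.get("subject", ""))
    if cn != expected_fqdn:
        problems.append("certificate CN %r does not match %r" % (cn, expected_fqdn))
    if info.get("key_bits", 0) < min_key_bits:
        problems.append("server key is %s bits; expected at least %d" % (info.get("key_bits", "unknown"), min_key_bits))
    return problems


if __name__ == "__main__":
    fqdn = sys.argv[1] if len(sys.argv) > 1 else "overcloud-controller-0.internalapi.redhat.local"
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    findings = check_tls_endpoint(text, fqdn)
    for p in findings:
        print("FAIL:", p)
    print("PASS" if not findings else "%d problem(s)" % len(findings))
```

Two caveats when using this on a real overcloud. First, a verify return code of 0 requires the deployment CA to be in the client's trust store (or passed with `-CAfile`); without it the handshake still completes and TLS is clearly in place, but s_client reports a non-zero code such as 20 (unable to get local issuer certificate), so the script treats it as a failure rather than silently passing. Second, the check matches the certificate's CN only, because that is all the quoted transcript shows; OpenSSL 1.1.0 and later can do proper hostname matching against subjectAltName with `-verify_hostname <fqdn>`, which is the stronger check. And, as the comment explains, a good result here says nothing about neutron.conf: neutron-server listens on localhost and the httpd vhost in front of it is what terminates TLS, so the endpoint is the only place the setting is visible.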

Comment 13 Artem Hrechanychenko 2017-11-08 11:47:00 UTC
VERIFIED

openstack-tripleo-common-7.6.3-0.20171028055750.el7ost.noarch
openstack-tripleo-heat-templates-7.0.3-0.20171024200823.el7ost.noarch
puppet-tripleo-7.4.3-0.20171025110206.el7ost.noarch

https://github.com/openstack/tripleo-heat-templates/blob/master/environments/tls-everywhere-endpoints-dns.yaml#L56

[heat-admin@overcloud-controller-0 ~]$ openssl s_client -connect overcloud-controller-0.internalapi.redhat.local:9696
CONNECTED(00000003)
depth=1 O = REDHAT.LOCAL, CN = Certificate Authority
verify return:1
depth=0 O = REDHAT.LOCAL, CN = overcloud-controller-0.internalapi.redhat.local
verify return:1
---
Certificate chain
 0 s:/O=REDHAT.LOCAL/CN=overcloud-controller-0.internalapi.redhat.local
   i:/O=REDHAT.LOCAL/CN=Certificate Authority
 1 s:/O=REDHAT.LOCAL/CN=Certificate Authority
   i:/O=REDHAT.LOCAL/CN=Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[PEM certificate body omitted]
-----END CERTIFICATE-----
subject=/O=REDHAT.LOCAL/CN=overcloud-controller-0.internalapi.redhat.local
issuer=/O=REDHAT.LOCAL/CN=Certificate Authority
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2929 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5196D614D8E57D53CB2DBC50F6DE26C97D7F0486465011611E10157393342A0C
    Session-ID-ctx: 
    Master-Key: 3787D2B88D2C3B8160C5AE154E4F3E6C02703DDA66CF17E80AA4A118C5D06F71C7F941B69905D70241A85F41A0D15285
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - c6 96 d3 dd 94 56 13 cb-65 6e dd 82 bd e4 67 e0   .....V..en....g.
    0010 - 41 25 12 2f 24 61 e4 32-0a 83 05 ac df a7 4a c7   A%./$a.2......J.
    0020 - 2a ea 35 a7 09 98 94 5a-27 c8 91 db 9c f1 8d 80   *.5....Z'.......
    0030 - 6a d4 b4 5e 94 0b e9 9a-6d df 6b 00 8d 94 bb d1   j..^....m.k.....
    0040 - 89 dd 32 5f 0c bb 15 8e-77 42 d3 0c d8 6a 43 4a   ..2_....wB...jCJ
    0050 - d9 0e ff 63 c4 bb 96 5c-80 99 e7 13 2c a0 64 09   ...c...\....,.d.
    0060 - fe 2d 37 bf 06 95 71 be-c6 d5 d6 f9 b5 a7 3b c2   .-7...q.......;.
    0070 - b8 33 ce ed de 5a a5 20-9d 4b c7 73 b3 c3 96 88   .3...Z. .K.s....
    0080 - d4 ab fb 86 01 99 28 22-87 dd 40 74 d7 39 51 4b   ......("..@t.9QK
    0090 - ae 65 73 e6 84 25 59 46-ae 12 ac 6d ab a7 54 33   .es..%YF...m..T3
    00a0 - 3a 43 63 4b 0e 78 bb 11-82 0f f0 42 52 10 99 8d   :CcK.x.....BR...
    00b0 - 38 ab d5 3a fa 85 8e 71-16 cc 0f 3a 87 1d 9c b2   8..:...q...:....

    Start Time: 1510141274
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Comment 17 errata-xmlrpc 2017-12-13 21:55:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462