puppet-tripleo (via the certmonger_certificate function which in turn calls the getcert binary) currently does not support creating SSL certificates having private keys stronger than 2048bits as per: ``` certmonger_certificate { "${title}-cert": ensure => 'present', ca => $certmonger_ca, hostname => $hostname, dnsname => $dnsnames_real, certfile => $service_certificate, keyfile => $service_key, postsave_cmd => $postsave_cmd, principal => $principal_real, eku => ['id-kp-clientAuth', 'id-kp-serverAuth'], wait => true, tag => 'haproxy-cert', require => Class['::certmonger'], } ``` The relevant function is defined at /etc/puppet/modules/certmonger/lib/puppet/provider/certmonger_certificate/certmonger_certificate.rb On top of that, there's no good way to define another default via i.e /etc/certmonger/certmonger.conf. I also see there's a certmonger::request_ipa_cert function which supports keysize but both the undercloud and overcloud use certmonger_certificate instead: ``` tripleo/manifests/certmonger/ceph_dashboard.pp: certmonger_certificate { 'ceph_dashboard' : tripleo/manifests/certmonger/ceph_grafana.pp: certmonger_certificate { 'ceph_grafana' : tripleo/manifests/certmonger/ceph_rgw.pp: certmonger_certificate { 'ceph_rgw' : tripleo/manifests/certmonger/etcd.pp: certmonger_certificate { 'etcd' : tripleo/manifests/certmonger/haproxy.pp: certmonger_certificate { "${title}-cert": tripleo/manifests/certmonger/httpd.pp: certmonger_certificate { $name : tripleo/manifests/certmonger/libvirt.pp: certmonger_certificate { $name : tripleo/manifests/certmonger/libvirt_vnc.pp: certmonger_certificate { $name : tripleo/manifests/certmonger/metrics_qdr.pp: certmonger_certificate { 'metrics_qdr' : tripleo/manifests/certmonger/mysql.pp: certmonger_certificate { 'mysql' : tripleo/manifests/certmonger/neutron.pp: certmonger_certificate { 'neutron' : tripleo/manifests/certmonger/neutron_ovn.pp: certmonger_certificate { 'neutron_ovn' : tripleo/manifests/certmonger/novnc_proxy.pp: certmonger_certificate { 'novnc-proxy' : tripleo/manifests/certmonger/opendaylight.pp: certmonger_certificate { 'opendaylight' : tripleo/manifests/certmonger/openvswitch.pp: certmonger_certificate { 'openvswitch' : tripleo/manifests/certmonger/ovn_controller.pp: certmonger_certificate { 'ovn_controller' : tripleo/manifests/certmonger/ovn_dbs.pp: certmonger_certificate { 'ovn_dbs' : tripleo/manifests/certmonger/ovn_metadata.pp: certmonger_certificate { 'ovn_metadata' : tripleo/manifests/certmonger/ovn_octavia.pp: certmonger_certificate { 'ovn_octavia' : tripleo/manifests/certmonger/qemu.pp: certmonger_certificate { $name : tripleo/manifests/certmonger/rabbitmq.pp: certmonger_certificate { 'rabbitmq' : tripleo/manifests/certmonger/redis.pp: certmonger_certificate { 'redis' : ``` Business requirement: One of our ESS standards requires us to use 3076+ bits private keys.
Exception + flag given
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Red Hat OpenStack Platform 16.1.4 director bug fix advisory), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:0817