Bug 1877539 - [RFE] Support for creation of SSL certificates using private keys stronger than 2048bits
Summary: [RFE] Support for creation of SSL certificates using private keys stronger th...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-certmonger
Version: 16.1 (Train)
Hardware: All
OS: Linux
high
low
Target Milestone: z4
: 16.1 (Train on RHEL 8.2)
Assignee: Ade Lee
QA Contact: Jeremy Agee
URL:
Whiteboard:
Depends On: 1913454
Blocks: 1920593
TreeView+ depends on / blocked
 
Reported: 2020-09-09 19:15 UTC by Siggy Sigwald
Modified: 2021-03-17 15:32 UTC (History)
11 users (show)

Fixed In Version: puppet-certmonger-2.6.0-2.20201221234915.b2f2d23.el8ost.1, puppet-tripleo-11.5.0-1.20201114030109.el8ost, openstack-tripleo-heat-templates-11.3.2-1.20210104205655.el8ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1880142 (view as bug list)
Environment:
Last Closed: 2021-03-17 15:31:57 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github saltedsignal puppet-certmonger pull 27 0 None closed Adding key_size option on the certmonger_certificate creation 2021-02-11 14:14:27 UTC
OpenStack gerrit 757142 0 None MERGED Adding key_size option on the certmonger_certificate function 2021-02-11 14:14:27 UTC
OpenStack gerrit 764988 0 None MERGED Adding key_size option on the certificate creation 2021-02-11 14:14:26 UTC
OpenStack gerrit 769195 0 None MERGED Adding key_size option on the certmonger_certificate function 2021-02-11 14:14:26 UTC
OpenStack gerrit 769356 0 None MERGED Adding key_size option on the certmonger_certificate function 2021-02-11 14:14:27 UTC
OpenStack gerrit 769360 0 None MERGED Adding key_size option on the certmonger_certificate function 2021-02-11 14:14:26 UTC
OpenStack gerrit 769509 0 None MERGED Adding key_size option on the certificate creation 2021-02-11 14:14:27 UTC
OpenStack gerrit 769510 0 None MERGED Adding key_size option on the certificate creation 2021-02-11 14:14:27 UTC
OpenStack gerrit 769513 0 None MERGED Adding key_size option on the certificate creation 2021-02-11 14:14:27 UTC
Red Hat Product Errata RHBA-2021:0817 0 None None None 2021-03-17 15:32:27 UTC

Description Siggy Sigwald 2020-09-09 19:15:24 UTC 
puppet-tripleo (via the certmonger_certificate function which in turn calls the getcert binary) currently does not support creating SSL certificates having private keys stronger than 2048bits as per:

```
   certmonger_certificate { "${title}-cert":
      ensure       => 'present',
      ca           => $certmonger_ca,
      hostname     => $hostname,
      dnsname      => $dnsnames_real,
      certfile     => $service_certificate,
      keyfile      => $service_key,
      postsave_cmd => $postsave_cmd,
      principal    => $principal_real,
      eku          => ['id-kp-clientAuth', 'id-kp-serverAuth'],
      wait         => true,
      tag          => 'haproxy-cert',
      require      => Class['::certmonger'],
    }
```

The relevant function is defined at /etc/puppet/modules/certmonger/lib/puppet/provider/certmonger_certificate/certmonger_certificate.rb On top of that, there's no good way to define another default via i.e /etc/certmonger/certmonger.conf.

I also see there's a certmonger::request_ipa_cert function which supports keysize but both the undercloud and overcloud use certmonger_certificate instead:

```
tripleo/manifests/certmonger/ceph_dashboard.pp:  certmonger_certificate { 'ceph_dashboard' :
tripleo/manifests/certmonger/ceph_grafana.pp:  certmonger_certificate { 'ceph_grafana' :
tripleo/manifests/certmonger/ceph_rgw.pp:  certmonger_certificate { 'ceph_rgw' :
tripleo/manifests/certmonger/etcd.pp:  certmonger_certificate { 'etcd' :
tripleo/manifests/certmonger/haproxy.pp:    certmonger_certificate { "${title}-cert":
tripleo/manifests/certmonger/httpd.pp:  certmonger_certificate { $name :
tripleo/manifests/certmonger/libvirt.pp:  certmonger_certificate { $name :
tripleo/manifests/certmonger/libvirt_vnc.pp:  certmonger_certificate { $name :
tripleo/manifests/certmonger/metrics_qdr.pp:  certmonger_certificate { 'metrics_qdr' :
tripleo/manifests/certmonger/mysql.pp:  certmonger_certificate { 'mysql' :
tripleo/manifests/certmonger/neutron.pp:  certmonger_certificate { 'neutron' :
tripleo/manifests/certmonger/neutron_ovn.pp:  certmonger_certificate { 'neutron_ovn' :
tripleo/manifests/certmonger/novnc_proxy.pp:  certmonger_certificate { 'novnc-proxy' :
tripleo/manifests/certmonger/opendaylight.pp:  certmonger_certificate { 'opendaylight' :
tripleo/manifests/certmonger/openvswitch.pp:  certmonger_certificate { 'openvswitch' :
tripleo/manifests/certmonger/ovn_controller.pp:  certmonger_certificate { 'ovn_controller' :
tripleo/manifests/certmonger/ovn_dbs.pp:  certmonger_certificate { 'ovn_dbs' :
tripleo/manifests/certmonger/ovn_metadata.pp:  certmonger_certificate { 'ovn_metadata' :
tripleo/manifests/certmonger/ovn_octavia.pp:  certmonger_certificate { 'ovn_octavia' :
tripleo/manifests/certmonger/qemu.pp:  certmonger_certificate { $name :
tripleo/manifests/certmonger/rabbitmq.pp:  certmonger_certificate { 'rabbitmq' :
tripleo/manifests/certmonger/redis.pp:  certmonger_certificate { 'redis' :
```

Business requirement: One of our ESS standards requires us to use 3076+ bits private keys.
Comment 6 spower 2021-01-06 15:03:48 UTC 
Exception + flag given
Comment 20 errata-xmlrpc 2021-03-17 15:31:57 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.1.4 director bug fix advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0817
Note You need to log in before you can comment on or make changes to this bug.