From 8f9db69c814767f118c2040bbb2ec0cc0664776f Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Fri, 22 Jun 2018 15:38:37 -0700
Subject: [PATCH] Don't use snakeoil files with real certs

The refstack puppetry is set up to use snakeoil certs by default which is great for bootstrapping; however, our production instance has real certificate issued to it and we shouldn't write that to the snakeoil cerrt files to avoid confusion. Specificy refstack specific certificate, key, and intermediate chain file locations to clean this up and allow us to revert our snakeoil certs to proper untrusted self signed certs.

Change-Id: Ibbcdd93a2ae38d9063b1f88f90ebdaadcac9b585
---
 manifests/site.pp | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/manifests/site.pp b/manifests/site.pp
index 0a045d8aa7..14ff6dd2de 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -730,8 +730,11 @@ node /^refstack\d*\.openstack\.org$/ {
 mysql_user => hiera('refstack_mysql_user', 'refstack'),
 mysql_user_password => hiera('refstack_mysql_password'),
 ssl_cert_content => hiera('refstack_ssl_cert_file_contents'),
+ ssl_cert => '/etc/ssl/certs/refstack.pem',
 ssl_key_content => hiera('refstack_ssl_key_file_contents'),
+ ssl_key => '/etc/ssl/private/refstack.key',
 ssl_ca_content => hiera('refstack_ssl_chain_file_contents'),
+ ssl_ca => '/etc/ssl/certs/refstack.ca.pem',
 protocol => 'https',
 }
 mysql_backup::backup_remote { 'refstack':
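Review bot: The added `ssl_cert`, `ssl_key` and `ssl_ca` paths only redirect future writes. The production key and certificate that earlier runs placed in the snakeoil files stay on disk, and this hunk does not clean them up. The commit message defers reverting the snakeoil pair, so that follow-up should be tracked explicitly, and the old key file treated as sensitive until it is regenerated. The owner and mode of `/etc/ssl/private/refstack.key` are set by the refstack module, which is not visible here, so it is worth confirming that the key is not world-readable. A short comment above the three new parameters would record the intent, for example `# Real cert material lives in refstack-specific files; snakeoil files stay self-signed.` The resource declaration these parameters belong to starts above the hunk.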