From 6409d62650193b217faa0d18885b37cb1ec247a2 Mon Sep 17 00:00:00 2001
From: Maksim Malchuk
Date: Mon, 5 Jul 2021 17:26:57 +0300
Subject: [PATCH] Fix usage of Subject Alternative Name for TLS

All TLS certificates are incorrectly generated in the 'certificates' role. The generated certificates don't contain both the 'X509v3 extensions' and 'X509v3 Subject Alternative Name' blocks at all.

This change fixes the 'openssl x509' commands used to generate all the certificates to include the 'Subject Alternative Name'.

Also, this change fixes both internal and external templates to constantly use alternative names as described in the RFCs [1] [2].

We use DNS Name in SAN extension only when 'kolla_internal_fqdn' or 'kolla_external_fqdn' is set.

1. https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6
2. https://datatracker.ietf.org/doc/html/rfc6125#appendix-B.2

Closes-Bug: #1935978
Change-Id: Ie5d82a2e4575bd74674ac38a042df49cfe7f74c9
Signed-off-by: Maksim Malchuk
---
 ansible/roles/certificates/tasks/generate-backend.yml | 2 ++
 ansible/roles/certificates/tasks/generate.yml | 4 ++++
 .../certificates/templates/openssl-kolla-internal.cnf.j2 | 4 +---
 ansible/roles/certificates/templates/openssl-kolla.cnf.j2 | 4 +---
 4 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/ansible/roles/certificates/tasks/generate-backend.yml b/ansible/roles/certificates/tasks/generate-backend.yml
index 341f5dcdb7..edb7789134 100644
--- a/ansible/roles/certificates/tasks/generate-backend.yml
+++ b/ansible/roles/certificates/tasks/generate-backend.yml
@@ -39,6 +39,8 @@
 -CA "{{ root_dir }}/root.crt"
 -CAkey "{{ root_dir }}/root.key"
 -CAcreateserial
+ -extensions v3_req
+ -extfile "{{ kolla_certificates_dir }}/openssl-kolla-backend.cnf"
 -out "{{ backend_dir }}/backend.crt"
 -days 500
 -sha256
diff --git a/ansible/roles/certificates/tasks/generate.yml b/ansible/roles/certificates/tasks/generate.yml
index fe16f46891..b38f8ab41f 100644
--- a/ansible/roles/certificates/tasks/generate.yml
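Review bot: With `-extensions v3_req`, `openssl x509 -req` emits only the extensions listed in the `[v3_req]` section of `openssl-kolla-backend.cnf`, and that template is not part of this change, so if it has no `[v3_req]` section the signing step now fails at extension-section load time instead of silently producing a SAN-less certificate; worth confirming the backend template defines `[v3_req]` with `subjectAltName`. Because nothing outside the named section is copied, any `basicConstraints = CA:FALSE`, `keyUsage` or `extendedKeyUsage = serverAuth` the leaf is expected to carry must also live in `[v3_req]`, which cannot be verified from the hunk. The same dependency applies to the two hunks in `generate.yml`, which reference `openssl-kolla.cnf` and `openssl-kolla-internal.cnf`; those templates are in this change and do define `[v3_req]` with `subjectAltName = @alt_names`. A short comment on the task, placed outside the command string where `#` would otherwise become part of the command, such as `# x509 -req does not copy CSR extensions; SAN is taken from [v3_req] in the extfile`, would make the coupling to the template explicit.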
+++ b/ansible/roles/certificates/tasks/generate.yml
@@ -46,6 +46,8 @@
 -CA "{{ root_dir }}/root.crt"
 -CAkey "{{ root_dir }}/root.key"
 -CAcreateserial
+ -extensions v3_req
+ -extfile "{{ kolla_certificates_dir }}/openssl-kolla.cnf"
 -out "{{ external_dir }}/external.crt"
 -days 365
 -sha256
@@ -114,6 +116,8 @@
 -CA "{{ root_dir }}/root.crt"
 -CAkey "{{ root_dir }}/root.key"
 -CAcreateserial
+ -extensions v3_req
+ -extfile "{{ kolla_certificates_dir }}/openssl-kolla-internal.cnf"
 -out "{{ internal_dir }}/internal.crt"
 -days 365
 -sha256
diff --git a/ansible/roles/certificates/templates/openssl-kolla-internal.cnf.j2 b/ansible/roles/certificates/templates/openssl-kolla-internal.cnf.j2
index 0fc84f2bd4..e413130323 100644
--- a/ansible/roles/certificates/templates/openssl-kolla-internal.cnf.j2
+++ b/ansible/roles/certificates/templates/openssl-kolla-internal.cnf.j2
@@ -8,7 +8,6 @@ countryName = US
 stateOrProvinceName = NC
 localityName = RTP
 organizationalUnitName = kolla
-commonName = {{ kolla_internal_fqdn }}
 [v3_req]
 subjectAltName = @alt_names
@@ -16,6 +15,5 @@ subjectAltName = @alt_names
 [alt_names]
 {% if kolla_internal_fqdn != kolla_internal_vip_address %}
 DNS.1 = {{ kolla_internal_fqdn }}
-{% else %}
-IP.1 = {{ kolla_internal_fqdn }}
 {% endif %}
+IP.1 = {{ kolla_internal_vip_address }}
diff --git a/ansible/roles/certificates/templates/openssl-kolla.cnf.j2 b/ansible/roles/certificates/templates/openssl-kolla.cnf.j2
index a0273720dd..0e828df6b7 100644
--- a/ansible/roles/certificates/templates/openssl-kolla.cnf.j2
+++ b/ansible/roles/certificates/templates/openssl-kolla.cnf.j2
@@ -8,7 +8,6 @@ countryName = US
 stateOrProvinceName = NC
 localityName = RTP
 organizationalUnitName = kolla
-commonName = {{ kolla_external_fqdn }}
 [v3_req]
 subjectAltName = @alt_names
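Review bot: Removing `commonName` from the distinguished name in `openssl-kolla-internal.cnf.j2` goes further than RFC 6125 asks: a certificate may carry both a SAN and a matching CN, and RFC 6125 clients consult CN only when no DNS-ID is present, so keeping `commonName = {{ kolla_internal_fqdn }}` next to the SAN entries is harmless for conforming clients while legacy validators and tooling that key on the subject would otherwise see no hostname at all, only `C/ST/L/OU`. If dropping CN is intentional, a release note stating that the subject no longer carries a CN would help operators who inspect or pin it. The same point applies to the matching hunk in `openssl-kolla.cnf.j2`, which removes `commonName = {{ kolla_external_fqdn }}`. The reworked `[alt_names]` block now emits `IP.1` unconditionally and `DNS.1` only when the FQDN differs from the VIP, which reads correctly, though a template comment such as `{# IP.1 is always present; DNS.1 only when an FQDN distinct from the VIP is configured #}` would spare the next reader re-deriving it.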
@@ -16,6 +15,5 @@ subjectAltName = @alt_names
 [alt_names]
 {% if kolla_external_fqdn != kolla_external_vip_address %}
 DNS.1 = {{ kolla_external_fqdn }}
-{% else %}
-IP.1 = {{ kolla_external_fqdn }}
 {% endif %}
+IP.1 = {{ kolla_external_vip_address }}