Currently we are setting "DNS.0 = ::1", but ::1 is not a valid
A-Label for IDNA so the certificate is not correct.
Additionally, we are setting wrong value for DNS.0 = 127.0.0.1
in the ipv4 certificate.
Finally, removing issuerAltName from both ipv4 and ipv6 certificates
as they are not needed for the jobs.
New versions of python-cryptography are more strict to check
certificates content and does not allow to have not compliant
DNS names so we need to fix the certificate to bump python-cryptography.
Note that horizont tempest plugin does not support ipaddress SANs based
certificate validation so I'm disablint certificate validation for
dashboard in this patch.
Depends-On: Iea7a4b85ac64572fac0f0ad871649a79fbc1c0f5
Change-Id: Ib519d222e07e26d3683b24359e2f67728cdd8029
Current SSL certificates have expired. This patch contain new ones
valid for 10 years and i've updated the ssl-ipv*.conf with the command
to create certificates with this expiration time.
Change-Id: Iaf4164149e3e28de8cf0367bc98e3e649bd10f87
A recent update to urllib tightened some checks around SSL [1].
This prompted an update to Devstack in order to work properly [2].
Jobs running into this problem without having a SubjectAltName
provided will see an error that looks like:
SSLError: hostname '127.0.0.1' doesn't match either of
'127.0.0.1', 'localhost'
Let's also update the certificates to provide the SubjectAltName
and provide a way to easily update the certificates if required
in the future.
[1]: df9d503a8e/CHANGES.rst (118-2016-09-26)
[2]: https://git.openstack.org/cgit/openstack-dev/devstack/commit/?id=69e3c0aac99981f17c76c22111e5c397824b8428
Change-Id: I94a586b333ba6a99ef831c853a19ab127b502d6f
Alfredo Moralejo