Add certificate EKUs to public endpoint cert
Add EKUs (Extended Key Usage extensions) of id-kp-clientAuth and id-kp-serverAuth to the certificate that certmonger generates, which is used by haproxy to proxy public-facing hosts. This is necessary because Firefox and related browsers, when validating a certificate, require these extensions to be present before they will accept it. Change-Id: Ideec7d23769e68ae1b738c0118ec061b195e3bd7 Closes-Bug: 1668775
This commit is contained in:
parent
6ba1176859
commit
48b293dde6
|
@ -24,7 +24,7 @@ tripleo::profile::base::haproxy::certificates_specs:
|
|||
service_certificate: '/etc/pki/tls/certs/undercloud-front.crt'
|
||||
service_key: '/etc/pki/tls/private/undercloud-front.key'
|
||||
hostname: "%{hiera('controller_public_host')}"
|
||||
postsave_cmd: "/usr/bin/instack-haproxy-cert-update '/etc/pki/tls/certs/undercloud-front.crt' '/etc/pki/tls/private/undercloud-front.key' {{UNDERCLOUD_SERVICE_CERTIFICATE}}"
|
||||
postsave_cmd: "/usr/bin/instack-haproxy-cert-update '/etc/pki/tls/certs/undercloud-front.crt' '/etc/pki/tls/private/undercloud-front.key' {{UNDERCLOUD_SERVICE_CERTIFICATE}} undercloud-haproxy-public-cert"
|
||||
principal: {{SERVICE_PRINCIPAL}}
|
||||
|
||||
# CA defaults
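Review bot: The request nickname `undercloud-haproxy-public-cert` appended to postsave_cmd is handed straight to `getcert resubmit -i` by the hook script, so it must equal the tracking ID the certmonger request is created under, which is not visible in this hunk; a mismatch would make the resubmit fail while the rest of the hook still runs. A short comment above the line, `# last argument must match the certmonger tracking ID (-I) of this request`, would make that coupling explicit for whoever renames either side. The enclosing certificates_specs entry starts before this hunk.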
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
fixes:
|
||||
- |
|
||||
Fixes `bug 1668775 <https://bugs.launchpad.net/tripleo/+bug/1668775>`__ Certmonger certificate does not include EKUs
|
||||
|
|
@ -2,6 +2,7 @@
|
|||
CERT_FILE="$1"
|
||||
KEY_FILE="$2"
|
||||
OUTPUT_FILE="$3"
|
||||
REQUEST_NICKNAME="$4"
|
||||
|
||||
if [[ -z "$CERT_FILE" || -z "$KEY_FILE" || -z "$OUTPUT_FILE" ]]; then
|
||||
echo "You need to provide CERT_FILE KEY_FILE and finally OUTPUT_FILE" \
|
||||
|
@ -12,5 +13,15 @@ if [[ ! -f "$CERT_FILE" || ! -f "$KEY_FILE" ]]; then
|
|||
echo "Certificate and key files must exist!"
|
||||
exit 1
|
||||
fi
|
||||
if [ -z "$REQUEST_NICKNAME" ]; then
|
||||
echo "Request nickname must be specified in arguments."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# add additional EKUs so clients that rely strictly on RFC5280 understand that
|
||||
# they are allowed to accept the certificate as having valid extensions
|
||||
getcert resubmit -i "$REQUEST_NICKNAME" -w -v -U id-kp-clientAuth \
|
||||
-U id-kp-serverAuth
|
||||
|
||||
cat $CERT_FILE $KEY_FILE > $OUTPUT_FILE
|
||||
systemctl reload haproxy
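Review bot: Running `getcert resubmit -w` from inside this script is risky, because the hiera change wires this same script in as the certmonger postsave_cmd for the request it resubmits: each time certmonger saves a certificate it runs the hook, the hook resubmits the request, and the re-issued certificate fires the hook again, so unless certmonger short-circuits a resubmit whose parameters are unchanged this re-issues the cert on every run (and `-w` may sit waiting for a state change that cannot complete until the hook returns — worth confirming against certmonger's behaviour). The EKUs would be safer set when the request is first tracked (the `getcert request` / puppet side, not visible here), so the first issued certificate already carries them and this hook stays a plain copy-and-reload step. If the resubmit must stay here, its status should at least be checked so a failure does not fall through silently to `cat` and `systemctl reload haproxy`: `getcert resubmit -i "$REQUEST_NICKNAME" -w -v -U id-kp-clientAuth -U id-kp-serverAuth || { echo "getcert resubmit failed for $REQUEST_NICKNAME" >&2; exit 1; }`. The usage message at the top of the script still lists only CERT_FILE, KEY_FILE and OUTPUT_FILE, so the new fourth argument should be added there too. The script's shebang and opening lines are outside this hunk.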
|
||||
|
|