SSL CA in devstack

I’ve been trying to configure devstack to install SSL-enabled endpoints. This is generally straightforward but hampered by several bugs related to server-to-server communication (e.g. nova to glance) where there are no options to specify the location of the issuing CA.

One workaround I’m looking at is, rather than passing the CA around as a path everywhere, to add it to the system CA bundle and let the client libraries handle things. This is less than ideal but seems to work. I’m a Fedora guy so I use the new CA trust commands:

# cp /path/to/cacert.pem /etc/pki/ca-trust/source/anchors

OR

# cp /path/to/cacert.pem /usr/share/pki/ca-trust-source
# update-ca-trust extract

The difference between the two directories is whether the CA trust tool treats them as low or high priority. I’m honestly not entirely sure what that means, but the low priority version works for me.

Strangely I still need to specify the CA for some things. I haven’t figured that one out yet, but doing this I was able to get a vanilla OpenStack install via devstack with nova, keystone, glance and cinder secured with SSL.
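
One way to confirm that the copy and extract steps above took effect, as an added example that is not part of the original post: it checks whether every certificate in a CA file is present in the extracted system bundle. The bundle path is Fedora's default extraction target, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify that a CA certificate is present in the system bundle
# produced by `update-ca-trust extract`.

# Assumption: Fedora's default extracted TLS bundle; pass another path to override.
DEFAULT_BUNDLE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

# Print each certificate in a PEM file as a single line of base64.
# Line wrapping and any text outside the BEGIN/END markers are dropped, so
# the same certificate compares equal however it was wrapped or commented.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# ca_in_bundle CA_FILE [BUNDLE]
# Returns 0 if every certificate in CA_FILE is in BUNDLE, 1 if any is missing,
# 2 if a file is unreadable or CA_FILE contains no certificate.
ca_in_bundle() {
    ca=$1
    bundle=${2:-$DEFAULT_BUNDLE}
    [ -r "$ca" ] && [ -r "$bundle" ] || return 2
    wanted=$(pem_bodies "$ca")
    [ -n "$wanted" ] || return 2
    have=$(pem_bodies "$bundle")
    # Base64 bodies contain no whitespace or glob characters, so word
    # splitting yields exactly one item per certificate.
    for body in $wanted; do
        printf '%s\n' "$have" | grep -qxF -- "$body" || return 1
    done
    return 0
}

# Usage after running update-ca-trust extract:
#   ca_in_bundle /path/to/cacert.pem && echo "CA is in the system bundle"
```

A return of 1 after running `update-ca-trust extract` means the certificate was not picked up from the directory it was copied to.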