trusted_ssl_ca does not configure /etc/ca-certificates.conf or land file in proper directory for system CA trust
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
charm-openstack-service-checks | Fix Released | Critical | Joe Guo |
Bug Description
When troubleshooting an updated vault-issued CA being fed into the charm-openstack
1. If you're using multiple CA keys in the bundle such as an intermediate CA that also signed the vault CA, c_rehash appears to ignore any but the first key in the file (openstack-
2. newer versions of update-
3. Because update-
Tested on bionic openstack-
ca-certificates
Related branches
- Xav Paice (community): Approve
- 🤖 prod-jenkaas-bootstack (community): Approve (continuous-integration)
- Linda Guo (community): Approve
Diff: 24 lines (+13/-0), 1 file modified: src/lib/lib_openstack_service_checks.py (+13/-0)
tags: added: cpe-onsite
Changed in charm-openstack-service-checks: status: In Progress → Fix Committed
Changed in charm-openstack-service-checks: status: Fix Committed → Fix Released
Workarounds:
1. If you have multiple certs in the bundle, log in to openstack-service-checks/0 and separate each certificate in /usr/local/share/ca-certificates/openstack-service-checks.crt into its own separate file in /usr/share/ca-certificates (such as openstack-service-checks-1.crt and openstack-service-checks-2.crt).
2. Log in to the openstack-service-checks/0 unit and run the following as root:
    cp /usr/local/share/ca-certificates/openstack-service-checks.crt /usr/share/ca-certificates/openstack-service-checks.crt
    chmod 644 /usr/share/ca-certificates/openstack-service-checks.crt
    echo openstack-service-checks.crt >> /etc/ca-certificates.conf
    update-ca-certificates
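
Workaround 1 done by script instead of by hand, as an added example that is not part of the original bug report or the charm. The function name `split_bundle`, its arguments and the placeholder bundle are assumptions made for the example; it writes one file per certificate into whatever directory it is given.

```shell
#!/bin/sh
# Added example: split a PEM bundle into one file per certificate.
# split_bundle, its arguments and the sample data are assumptions made
# for this example; they are not part of the charm.

# split_bundle SRC DEST_DIR PREFIX
# Writes certificate N of SRC to DEST_DIR/PREFIX-N.crt with mode 644 and
# prints how many certificates were written. Text outside the
# BEGIN/END markers is dropped.
split_bundle() {
    src=$1 dest=$2 prefix=$3
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    count=$(awk -v dest="$dest" -v prefix="$prefix" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++
            out = dest "/" prefix "-" n ".crt"
            inside = 1
        }
        inside { print > out }   # ">" truncates once, when the file is opened
        /^-----END CERTIFICATE-----/ && inside { inside = 0; close(out) }
        END { print n + 0 }
    ' "$src") || return 1
    i=1
    while [ "$i" -le "$count" ]; do
        chmod 644 "$dest/$prefix-$i.crt" || return 1
        i=$((i + 1))
    done
    echo "$count"
}

# Constructed sample: two placeholder blocks standing in for real certificates.
demo_dir=$(mktemp -d)
cat > "$demo_dir/bundle.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLTE=
-----END CERTIFICATE-----
# intermediate CA follows
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLTI=
-----END CERTIFICATE-----
EOF
demo_count=$(split_bundle "$demo_dir/bundle.crt" "$demo_dir/out" openstack-service-checks)
echo "wrote $demo_count files to $demo_dir/out"
```

On the unit, the source would be the bundle path from workaround 1 and the destination /usr/share/ca-certificates; each resulting file name then needs its own line in /etc/ca-certificates.conf before update-ca-certificates is run, as in workaround 2.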