mirror of https://github.com/openshift/openshift-docs.git, synced 2026-02-05 12:46:18 +01:00
Add ShiftStack legacy cert script
Resolves BZ2038166
committed by openshift-cherrypick-robot
parent 0f5677529a
commit 4968d6176d
@@ -40,3 +40,6 @@ You can install a cluster on {rh-openstack} infrastructure that you provision, b
* **xref:../../installing/installing_openstack/installing-openstack-user-kuryr.adoc#installing-openstack-user-kuryr[Installing a cluster on OpenStack with Kuryr on your own infrastructure]**: You can install {product-title} on user-provisioned {rh-openstack} infrastructure that uses Kuryr SDN.

* **xref:../../installing/installing_openstack/installing-openstack-user-sr-iov.adoc#installing-openstack-user-sr-iov[Installing a cluster on OpenStack on your own SR-IOV infrastructure]**: You can install {product-title} on user-provisioned {rh-openstack} infrastructure that uses single-root input/output virtualization (SR-IOV) networks to run compute machines.

include::modules/security-osp-validating-certificates.adoc[leveloffset=+1]

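Review bot: the include is appended below the bullets that link readers to the Kuryr and SR-IOV install procedures, yet the module it pulls in says every legacy certificate must be replaced before installing or updating; consider moving `include::modules/security-osp-validating-certificates.adoc[leveloffset=+1]` above the xref list so the check is read before anyone follows a link into an install path.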
116
modules/security-osp-validating-certificates.adoc
Normal file
@@ -0,0 +1,116 @@
// This is included in the following assemblies:
//
// * installing/installing_openstack/preparing-to-install-on-openstack.adoc

:_content-type: PROCEDURE
[id="security-osp-validating-certificates_{context}"]
= Scanning {rh-openstack} endpoints for legacy HTTPS certificates

Beginning with {product-title} 4.10, HTTPS certificates must contain subject alternative name (SAN) fields. Run the following script to scan each HTTPS endpoint in a {rh-openstack-first} catalog for legacy certificates that only contain the `CommonName` field.

[IMPORTANT]
{product-title} does not check the underlying {rh-openstack} infrastructure for legacy certificates prior to installation or updates. Use the provided script to check for these certificates yourself. Failing to update legacy certificates prior to installing or updating a cluster will result in cluster dysfunction.

.Prerequisites

* On the machine where you run the script, have the following software:
** Bash version 4.0 or greater
** `grep`
** link:https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.2/html/command_line_interface_reference/the_openstack_client[OpenStack client]
** link:https://stedolan.github.io/jq/[`jq`]
** link:https://www.openssl.org/[OpenSSL version 1.1.1l or greater]
* Populate the machine with {rh-openstack} credentials for the target cloud.


.Procedure

. Save the following script to your machine:
+
[%collapsible%]
====
[source,bash]
----
#!/usr/bin/env bash

set -Eeuo pipefail

declare catalog san
catalog="$(mktemp)"
san="$(mktemp)"
readonly catalog san

declare invalid=0

openstack catalog list --format json --column Name --column Endpoints \
| jq -r '.[] | .Name as $name | .Endpoints[] | [$name, .interface, .url] | join(" ")' \
| sort \
> "$catalog"

while read -r name interface url; do
# Ignore HTTP
if [[ ${url#"http://"} != "$url" ]]; then
continue
fi

# Remove the schema from the URL
noschema=${url#"https://"}

# If the schema was not HTTPS, error
if [[ noschema == "$url" ]]; then
echo "ERROR (unknown schema): $name $interface $url"
exit 2
fi

# Remove the path and only keep host and port
noschema="${noschema%%/*}"
host="${noschema%%:*}"
port="${noschema##*:}"

# Add the port if was implicit
if [[ "$port" == "$host" ]]; then
port='443'
fi

# Get the SAN fields
openssl s_client -showcerts -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
| openssl x509 -noout -ext subjectAltName \
> "$san"

# openssl returns the empty string if no SAN is found.
# If a SAN is found, openssl is expected to return something like:
#
# X509v3 Subject Alternative Name:
# DNS:standalone, DNS:osp1, IP Address:192.168.2.1, IP Address:10.254.1.2
if [[ "$(grep -c "Subject Alternative Name" "$san" || true)" -gt 0 ]]; then
echo "PASS: $name $interface $url"
else
invalid=$((invalid+1))
echo "INVALID: $name $interface $url"
fi
done < "$catalog"

# clean up temporary files
rm "$catalog" "$san"

if [[ $invalid -gt 0 ]]; then
echo "${invalid} legacy certificates were detected. Update your certificates to include a SAN field."
exit 1
else
echo "All HTTPS certificates for this cloud are valid."
fi
----
====

. Run the script.

. Replace any certificates that the script reports as `INVALID` with certificates that contain SAN fields.

[IMPORTANT]
====
You must replace all legacy HTTPS certificates before you install {product-title} 4.10 or update a cluster to that version. Legacy certificates will be rejected with the following message:

[source,txt]
----
x509: certificate relies on legacy Common Name field, use SANs instead
----
====
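Review bot: the schema check `if [[ noschema == "$url" ]]; then` is missing the `$` on `noschema`, so it compares the literal word `noschema` with the URL and can never be true; an endpoint whose URL starts with neither `http://` nor `https://` is therefore never reported by the `ERROR (unknown schema)` branch and instead falls through to the host/port parsing and the `openssl` probe. It should read `if [[ "$noschema" == "$url" ]]; then`. Two related robustness points in the same block: under `set -Eeuo pipefail`, an endpoint that refuses or drops the connection makes `openssl x509` fail on empty input, which aborts the whole loop with no per-endpoint message, no final summary, and the two `mktemp` files left on disk (the `exit 2` path skips `rm "$catalog" "$san"` as well); adding `trap 'rm -f "$catalog" "$san"' EXIT` after `readonly catalog san` and wrapping the probe pipeline in an `if ! ...; then` that prints an `ERROR (connection failed)` line and `continue`s would let a single unreachable endpoint not mask the result for the rest of the catalog. On the AsciiDoc side, `[%collapsible%]` has a stray trailing `%` (the option syntax is `[%collapsible]`), and `txt` in `[source,txt]` is not a standard language tag; `text` or a plain listing block is the usual choice for quoted error output.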