Merge pull request #61906 from maxwelldb/script-update-ocpbugs12934

[OCPBUGS#12934] Update RHOSP legacy HTTPS cert script

installing/installing_openstack/preparing-to-install-on-openstack.adoc

@@ -44,3 +44,5 @@ You can install a cluster on {rh-openstack} infrastructure that you provision, b
 
 include::modules/security-osp-validating-certificates.adoc[leveloffset=+1]
 
+include::modules/security-osp-validating-certificates-manually.adoc[leveloffset=+2]
+

modules/security-osp-validating-certificates-manually.adoc

@@ -0,0 +1,73 @@
+// This is included in the following assemblies:
+//
+// * installing/installing_openstack/preparing-to-install-on-openstack.adoc
+
+:_content-type: PROCEDURE
+[id="security-osp-validating-certificates-manually_{context}"]
+= Scanning {rh-openstack} endpoints for legacy HTTPS certificates manually
+
+Beginning with {product-title} 4.10, HTTPS certificates must contain subject alternative name (SAN) fields. If you do not have access to the prerequisite tools that are listed in "Scanning {rh-openstack} endpoints for legacy HTTPS certificates", perform the following steps to scan each HTTPS endpoint in a {rh-openstack-first} catalog for legacy certificates that only contain the `CommonName` field.
+
+[IMPORTANT]
+====
+{product-title} does not check the underlying {rh-openstack} infrastructure for legacy certificates prior to installation or updates. Use the following steps to check for these certificates yourself. Failing to update legacy certificates prior to installing or updating a cluster will result in cluster dysfunction.
+====
+
+.Procedure
+
+. On a command line, run the following command to view the URL of {rh-openstack} public endpoints:
++
+[source,terminal]
+----
+$ openstack catalog list
+---- 
++
+Record the URL for each HTTPS endpoint that the command returns.
+. For each public endpoint, note the host and the port. 
++
+[TIP]
+====
+Determine the host of an endpoint by removing the scheme, the port, and the path. 
+====
+
+. For each endpoint, run the following commands to extract the SAN field of the certificate:
+.. Set a `host` variable:
++
+[source,terminal]
+----
+$ host=<host_name>
+----
+.. Set a `port` variable:
++
+[source,terminal]
+----
+$ port=<port_number>
+----
++
+If the URL of the endpoint does not have a port, use the value `443`.
+.. Retrieve the SAN field of the certificate:
++
+[source,terminal]
+----
+$ openssl s_client -showcerts -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
+    | openssl x509 -noout -ext subjectAltName
+----
++
+.Example output
+[source,terminal]
+----
+X509v3 Subject Alternative Name:
+    DNS:your.host.example.net
+----
++
+For each endpoint, look for output that resembles the previous example. If there is no output for an endpoint, the certificate of that endpoint is invalid and must be re-issued.
+
+[IMPORTANT]
+====
+You must replace all legacy HTTPS certificates before you install {product-title} 4.10 or update a cluster to that version. Legacy certificates are rejected with the following message:
+
+[source,txt]
+----
+x509: certificate relies on legacy Common Name field, use SANs instead
+----
+====

modules/security-osp-validating-certificates.adoc

@@ -42,7 +42,7 @@ readonly catalog san
 declare invalid=0
 
 openstack catalog list --format json --column Name --column Endpoints \
-	| jq -r '.[] | .Name as $name | .Endpoints[] | [$name, .interface, .url] | join(" ")' \
+	| jq -r '.[] | .Name as $name | .Endpoints[] | select(.interface=="public") | [$name, .interface, .url] | join(" ")' \
 	| sort \
 	> "$catalog"
 
@@ -56,7 +56,7 @@ while read -r name interface url; do
 	noschema=${url#"https://"}
 	
 	# If the schema was not HTTPS, error
-	if [[ noschema == "$url" ]]; then
+	if [[ "$noschema" == "$url" ]]; then
 		echo "ERROR (unknown schema): $name $interface $url"
 		exit 2
 	fi