diff --git a/installing/installing_openstack/preparing-to-install-on-openstack.adoc b/installing/installing_openstack/preparing-to-install-on-openstack.adoc index 3bd15ca9df..8ecf10b5b2 100644 --- a/installing/installing_openstack/preparing-to-install-on-openstack.adoc +++ b/installing/installing_openstack/preparing-to-install-on-openstack.adoc @@ -44,3 +44,5 @@ You can install a cluster on {rh-openstack} infrastructure that you provision, b include::modules/security-osp-validating-certificates.adoc[leveloffset=+1] +include::modules/security-osp-validating-certificates-manually.adoc[leveloffset=+2] + diff --git a/modules/security-osp-validating-certificates-manually.adoc b/modules/security-osp-validating-certificates-manually.adoc new file mode 100644 index 0000000000..f152660b77 --- /dev/null +++ b/modules/security-osp-validating-certificates-manually.adoc @@ -0,0 +1,73 @@ +// This is included in the following assemblies: +// +// * installing/installing_openstack/preparing-to-install-on-openstack.adoc + +:_content-type: PROCEDURE +[id="security-osp-validating-certificates-manually_{context}"] += Scanning {rh-openstack} endpoints for legacy HTTPS certificates manually + +Beginning with {product-title} 4.10, HTTPS certificates must contain subject alternative name (SAN) fields. If you do not have access to the prerequisite tools that are listed in "Scanning {rh-openstack} endpoints for legacy HTTPS certificates", perform the following steps to scan each HTTPS endpoint in a {rh-openstack-first} catalog for legacy certificates that only contain the `CommonName` field. + +[IMPORTANT] +==== +{product-title} does not check the underlying {rh-openstack} infrastructure for legacy certificates prior to installation or updates. Use the following steps to check for these certificates yourself. Failing to update legacy certificates prior to installing or updating a cluster will result in cluster dysfunction. +==== + +.Procedure + +. On a command line, run the following command to view the URL of {rh-openstack} public endpoints: ++ +[source,terminal] +---- +$ openstack catalog list +---- ++ +Record the URL for each HTTPS endpoint that the command returns. +. For each public endpoint, note the host and the port. ++ +[TIP] +==== +Determine the host of an endpoint by removing the scheme, the port, and the path. +==== + +. For each endpoint, run the following commands to extract the SAN field of the certificate: +.. Set a `host` variable: ++ +[source,terminal] +---- +$ host= +---- +.. Set a `port` variable: ++ +[source,terminal] +---- +$ port= +---- ++ +If the URL of the endpoint does not have a port, use the value `443`. +.. Retrieve the SAN field of the certificate: ++ +[source,terminal] +---- +$ openssl s_client -showcerts -servername "$host" -connect "$host:$port" /dev/null \ + | openssl x509 -noout -ext subjectAltName +---- ++ +.Example output +[source,terminal] +---- +X509v3 Subject Alternative Name: + DNS:your.host.example.net +---- ++ +For each endpoint, look for output that resembles the previous example. If there is no output for an endpoint, the certificate of that endpoint is invalid and must be re-issued. + +[IMPORTANT] +==== +You must replace all legacy HTTPS certificates before you install {product-title} 4.10 or update a cluster to that version. Legacy certificates are rejected with the following message: + +[source,txt] +---- +x509: certificate relies on legacy Common Name field, use SANs instead +---- +==== diff --git a/modules/security-osp-validating-certificates.adoc b/modules/security-osp-validating-certificates.adoc index 9b91650911..e38a59761e 100644 --- a/modules/security-osp-validating-certificates.adoc +++ b/modules/security-osp-validating-certificates.adoc @@ -42,7 +42,7 @@ readonly catalog san declare invalid=0 openstack catalog list --format json --column Name --column Endpoints \ - | jq -r '.[] | .Name as $name | .Endpoints[] | [$name, .interface, .url] | join(" ")' \ + | jq -r '.[] | .Name as $name | .Endpoints[] | select(.interface=="public") | [$name, .interface, .url] | join(" ")' \ | sort \ > "$catalog" @@ -56,7 +56,7 @@ while read -r name interface url; do noschema=${url#"https://"} # If the schema was not HTTPS, error - if [[ noschema == "$url" ]]; then + if [[ "$noschema" == "$url" ]]; then echo "ERROR (unknown schema): $name $interface $url" exit 2 fi