openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
b77bdd24f8fa2b9f7cd7f23904adc2875eb3ed3d
openshift-docs/modules/security-osp-validating-certificates.adoc
Kathryn Alexander 90d985a0bb [enterprise-4.14] changing content type attribute
2023-10-30 10:13:25 -04:00

117 lines
3.6 KiB
Plaintext
Raw Blame History

// This is included in the following assemblies:
//
// * installing/installing_openstack/preparing-to-install-on-openstack.adoc
:_mod-docs-content-type: PROCEDURE
[id="security-osp-validating-certificates_{context}"]
= Scanning {rh-openstack} endpoints for legacy HTTPS certificates
Beginning with {product-title} 4.10, HTTPS certificates must contain subject alternative name (SAN) fields. Run the following script to scan each HTTPS endpoint in a {rh-openstack-first} catalog for legacy certificates that only contain the `CommonName` field.
[IMPORTANT]
{product-title} does not check the underlying {rh-openstack} infrastructure for legacy certificates prior to installation or updates. Use the provided script to check for these certificates yourself. Failing to update legacy certificates prior to installing or updating a cluster will result in cluster dysfunction.
.Prerequisites
* On the machine where you run the script, have the following software:
** Bash version 4.0 or greater
** `grep`
** link:https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.2/html/command_line_interface_reference/the_openstack_client[OpenStack client]
** link:https://stedolan.github.io/jq/[`jq`]
** link:https://www.openssl.org/[OpenSSL version 1.1.1l or greater]
* Populate the machine with {rh-openstack} credentials for the target cloud.
.Procedure
. Save the following script to your machine:
+
[%collapsible]
====
[source,bash]
----
#!/usr/bin/env bash
set -Eeuo pipefail
declare catalog san
catalog="$(mktemp)"
san="$(mktemp)"
readonly catalog san
declare invalid=0
openstack catalog list --format json --column Name --column Endpoints \
| jq -r '.[] | .Name as $name | .Endpoints[] | select(.interface=="public") | [$name, .interface, .url] | join(" ")' \
| sort \
> "$catalog"
while read -r name interface url; do
# Ignore HTTP
if [[ ${url#"http://"} != "$url" ]]; then
continue
fi
# Remove the schema from the URL
noschema=${url#"https://"}
# If the schema was not HTTPS, error
if [[ "$noschema" == "$url" ]]; then
echo "ERROR (unknown schema): $name $interface $url"
exit 2
fi
# Remove the path and only keep host and port
noschema="${noschema%%/*}"
host="${noschema%%:*}"
port="${noschema##*:}"
# Add the port if was implicit
if [[ "$port" == "$host" ]]; then
port='443'
fi
# Get the SAN fields
openssl s_client -showcerts -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
| openssl x509 -noout -ext subjectAltName \
> "$san"
# openssl returns the empty string if no SAN is found.
# If a SAN is found, openssl is expected to return something like:
#
# X509v3 Subject Alternative Name:
# DNS:standalone, DNS:osp1, IP Address:192.168.2.1, IP Address:10.254.1.2
if [[ "$(grep -c "Subject Alternative Name" "$san" || true)" -gt 0 ]]; then
echo "PASS: $name $interface $url"
else
invalid=$((invalid+1))
echo "INVALID: $name $interface $url"
fi
done < "$catalog"
# clean up temporary files
rm "$catalog" "$san"
if [[ $invalid -gt 0 ]]; then
echo "${invalid} legacy certificates were detected. Update your certificates to include a SAN field."
exit 1
else
echo "All HTTPS certificates for this cloud are valid."
fi
----
====
. Run the script.
. Replace any certificates that the script reports as `INVALID` with certificates that contain SAN fields.
[IMPORTANT]
====
You must replace all legacy HTTPS certificates before you install {product-title} 4.10 or update a cluster to that version. Legacy certificates will be rejected with the following message:
[source,txt]
----
x509: certificate relies on legacy Common Name field, use SANs instead
----
====
View Git Blame Copy Permalink