SSL CA in devstack

I’veĀ  been trying to configure devstack to install SSL-enabled endpoints. This is generally straightforward but hampered by a several bugs related to server to server communication (e.g. nova to glance) where the are no options to specify the location of the issuing CA.

One workaround I’m looking at is rather than passing the CA around as a path everywhere is to add it to the system CA bundle and let the client libraries handle things. This is less-than-ideal but seems to work. I’m a Fedora guy so I use the new CA trust commands:

# cp /path/to/cacert.pem /etc/pki/ca-trust/source/anchors

OR

# cp /path/to/cacert.pem /usr/share/pki/ca-trust-source
# update-ca-trust extract
The difference between the directories is low or high priority to the CA trust tool. I’m honestly not entirely sure what that means, but the low priority version works for me.
Strangely I still need to specify the CA for some things. I haven’t yet figured that one out yet, but doing this I was able to get a vanilla OpenStack install via devstack with nova, keystone, glance and cinder secured with SSL.
The Fedora feature is documented at http://fedoraproject.org/wiki/Features/SharedSystemCertificates

Leave a Reply