From fcaa49ecaf002b97e450cb9e8d41b9d2c2094d67 Mon Sep 17 00:00:00 2001 From: Daniel Badea Date: Fri, 6 Sep 2019 15:12:46 +0000 Subject: [PATCH] ceph: mgr restful plugin set certificate to match host name python-cephclient certificate validation fails when connecting to ceph-mgr restful plugin because server URL doesn't match CommonName (CN) or SubjectAltName (SAN). Setting CN to match server hostname fixes this issue but raises a warning caused by missing SAN. Using CN=ceph-restful and SAN= fixes the issue and clears the warning. Change-Id: I6e8ca93c7b51546d134a6eb221c282961ba50afa Closes-bug: 1828470 Signed-off-by: Daniel Badea
---
ceph/ceph/files/mgr-restful-plugin.py | 27 +++++++++++++++++++++------
1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/ceph/ceph/files/mgr-restful-plugin.py b/ceph/ceph/files/mgr-restful-plugin.py
index d92737a7e..9320d0d21 100644
--- a/ceph/ceph/files/mgr-restful-plugin.py
+++ b/ceph/ceph/files/mgr-restful-plugin.py
@@ -792,12 +792,27 @@ class ServiceMonitor(object):
 path = tempfile.mkdtemp()
 try:
 try:
- subprocess.check_call([
- '/usr/bin/openssl', 'req', '-new', '-nodes', '-x509',
- '-subj', '/O=IT/CN=ceph-restful', '-days', '3650',
- '-out', os.path.join(path, 'crt'),
- '-keyout', os.path.join(path, 'key'),
- '-extensions', 'v3_ca'])
+ with tempfile.NamedTemporaryFile() as restful_cnf:
+ restful_cnf.write((
+ '[req]\n'
+ 'req_extensions = v3_ca\n'
+ 'distinguished_name = req_distinguished_name\n'
+ '[v3_ca]\n'
+ 'subjectAltName=DNS:{}\n'
+ 'basicConstraints = CA:true\n'
+ '[ req_distinguished_name ]\n'
+ '0.organizationName = IT\n'
+ 'commonName = ceph-restful\n').format(
+ CONFIG.ceph_mgr_identity))
+ restful_cnf.flush()
+ subprocess.check_call([
+ '/usr/bin/openssl', 'req', '-new', '-nodes', '-x509',
+ '-subj', '/O=IT/CN=' + CONFIG.ceph_mgr_identity,
+ '-days', '3650',
+ '-config', restful_cnf.name,
+ '-out', os.path.join(path, 'crt'),
+ '-keyout', os.path.join(path, 'key'),
+ '-extensions', 'v3_ca'])
 except subprocess.CalledProcessError as err:
 raise CommandFailed(
 command=' '.join(err.cmd),
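Review bot: `CONFIG.ceph_mgr_identity` is interpolated unchecked into both the generated openssl config (`'subjectAltName=DNS:{}\n'`) and the `-subj` argument, so a value containing a newline, a comma or a `/` would alter the config sections, the SAN list or the subject DN of the issued certificate; its origin is not visible in this hunk, so I would validate it as a plain hostname before the `with` block, rejecting anything that does not match `^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$`. The commit message describes the result as CN=ceph-restful plus a SAN, but `'-subj', '/O=IT/CN=' + CONFIG.ceph_mgr_identity` sets the CN to the identity, and `commonName = ceph-restful` in `[ req_distinguished_name ]` appears to be only a prompt label that `-subj` overrides, so either the code or the message should be corrected. `basicConstraints = CA:true` marks this ten-year server certificate, whose key is written unencrypted (`-nodes`), as a CA; `CA:false` would narrow what that key can vouch for, though this needs checking against how python-cephclient verifies the certificate. `tempfile.NamedTemporaryFile()` opens in binary mode by default, so the `write()` of a `str` would fail if this script runs under Python 3, and `tempfile.NamedTemporaryFile(mode='w')` works on both. The enclosing method starts and ends outside the hunk.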