ceph: mgr restful plugin set certificate to match host name

python-cephclient certificate validation fails when connecting to ceph-mgr restful plugin because server URL doesn't match CommonName (CN) or SubjectAltName (SAN). Setting CN to match server hostname fixes this issue but raises a warning caused by missing SAN. Using CN=ceph-restful and SAN=<hostname> fixes the issue and clears the warning. Change-Id: I6e8ca93c7b51546d134a6eb221c282961ba50afa Closes-bug: 1828470 Signed-off-by: Daniel Badea <daniel.badea@windriver.com>
2019-09-06 15:12:46 +00:00 · 2019-09-06 15:12:46 +00:00 · fcaa49ecaf
parent e80813bb81
commit fcaa49ecaf
1 changed files with 21 additions and 6 deletions
--- a/ceph/ceph/files/mgr-restful-plugin.py
+++ b/ceph/ceph/files/mgr-restful-plugin.py
@ -792,12 +792,27 @@ class ServiceMonitor(object):
        path = tempfile.mkdtemp()
        try:
            try:
-                subprocess.check_call([
+                with tempfile.NamedTemporaryFile() as restful_cnf:
-                    '/usr/bin/openssl', 'req', '-new', '-nodes', '-x509',
+                    restful_cnf.write((
-                    '-subj', '/O=IT/CN=ceph-restful', '-days', '3650',
+                        '[req]\n'
-                    '-out', os.path.join(path, 'crt'),
+                        'req_extensions = v3_ca\n'
-                    '-keyout', os.path.join(path, 'key'),
+                        'distinguished_name = req_distinguished_name\n'
-                    '-extensions', 'v3_ca'])
+                        '[v3_ca]\n'
                        'subjectAltName=DNS:{}\n'
                        'basicConstraints = CA:true\n'
                        '[ req_distinguished_name ]\n'
                        '0.organizationName = IT\n'
                        'commonName = ceph-restful\n').format(
                            CONFIG.ceph_mgr_identity))
                    restful_cnf.flush()
                    subprocess.check_call([
                        '/usr/bin/openssl', 'req', '-new', '-nodes', '-x509',
                        '-subj', '/O=IT/CN=' + CONFIG.ceph_mgr_identity,
                        '-days', '3650',
                        '-config', restful_cnf.name,
                        '-out', os.path.join(path, 'crt'),
                        '-keyout', os.path.join(path, 'key'),
                        '-extensions', 'v3_ca'])
            except subprocess.CalledProcessError as err:
                raise CommandFailed(
                    command=' '.join(err.cmd),