61ba93a2b0
A recent update to urllib tightened some checks around SSL [1].
This prompted an update to Devstack in order to work properly [2].
Jobs running into this problem without having a SubjectAltName
provided will see an error that looks like:
SSLError: hostname '127.0.0.1' doesn't match either of
'127.0.0.1', 'localhost'
Let's also update the certificates to provide the SubjectAltName
and provide a way to easily update the certificates if required
in the future.
[1]: df9d503a8e/CHANGES.rst (118-2016-09-26)
[2]: https://git.openstack.org/cgit/openstack-dev/devstack/commit/?id=69e3c0aac99981f17c76c22111e5c397824b8428
Change-Id: I94a586b333ba6a99ef831c853a19ab127b502d6f
43 lines
994 B
Plaintext
43 lines
994 B
Plaintext
# Generate key and create a self-signed certificate:
|
|
# $ openssl req \
|
|
# -x509 \
|
|
# -config ssl-ipv4.conf \
|
|
# -newkey rsa:2048 \
|
|
# -keyform PEM \
|
|
# -out ipv4.crt \
|
|
# -outform PEM \
|
|
# -nodes
|
|
#
|
|
[ req ]
|
|
default_bits = 2048
|
|
default_keyfile = ipv4.key
|
|
default_md = sha256
|
|
default_days = 3650
|
|
prompt = no
|
|
distinguished_name = distinguished_name
|
|
req_extensions = v3_req
|
|
x509_extensions = v3_ca
|
|
|
|
[ v3_req ]
|
|
subjectAltName = @alt_names
|
|
|
|
[ v3_ca ]
|
|
basicConstraints = CA:TRUE
|
|
subjectKeyIdentifier = hash
|
|
authorityKeyIdentifier = keyid:always,issuer:always
|
|
subjectAltName = @alt_names
|
|
issuerAltName = @alt_names
|
|
|
|
[alt_names]
|
|
IP.0 = 127.0.0.1
|
|
DNS.0 = 127.0.0.1
|
|
DNS.1 = localhost
|
|
|
|
[ distinguished_name ]
|
|
commonName = 127.0.0.1
|
|
countryName = US
|
|
stateOrProvinceName = North Carolina
|
|
localityName = Raleigh
|
|
organizationName = Red Hat Inc.
|
|
organizationalUnitName = OpenStack
|