diff --git a/installing/installing_openstack/preparing-to-install-on-openstack.adoc b/installing/installing_openstack/preparing-to-install-on-openstack.adoc index e0c70a76a680..1a134f507db9 100644 --- a/installing/installing_openstack/preparing-to-install-on-openstack.adoc +++ b/installing/installing_openstack/preparing-to-install-on-openstack.adoc @@ -39,3 +39,6 @@ You can install a cluster on {rh-openstack} infrastructure that you provision, b * **xref:../../installing/installing_openstack/installing-openstack-user-kuryr.adoc#installing-openstack-user-kuryr[Installing a cluster on OpenStack with Kuryr on your own infrastructure]**: You can install {product-title} on user-provisioned {rh-openstack} infrastructure that uses Kuryr SDN. * **xref:../../installing/installing_openstack/installing-openstack-user-sr-iov.adoc#installing-openstack-user-sr-iov[Installing a cluster on OpenStack on your own SR-IOV infrastructure]**: You can install {product-title} on user-provisioned {rh-openstack} infrastructure that uses single-root input/output virtualization (SR-IOV) networks to run compute machines. + +include::modules/security-osp-validating-certificates.adoc[leveloffset=+1] + diff --git a/modules/security-osp-validating-certificates.adoc b/modules/security-osp-validating-certificates.adoc new file mode 100644 index 000000000000..d2090b8e8859 --- /dev/null +++ b/modules/security-osp-validating-certificates.adoc 
@@ -0,0 +1,116 @@ +// This is included in the following assemblies: +// +// * installing/installing_openstack/preparing-to-install-on-openstack.adoc + +:_content-type: PROCEDURE +[id="security-osp-validating-certificates_{context}"] += Scanning {rh-openstack} endpoints for legacy HTTPS certificates + +Beginning with {product-title} 4.10, HTTPS certificates must contain subject alternative name (SAN) fields. Run the following script to scan each HTTPS endpoint in a {rh-openstack-first} catalog for legacy certificates that only contain the `CommonName` field. + +[IMPORTANT] +{product-title} does not check the underlying {rh-openstack} infrastructure for legacy certificates prior to installation or updates. Use the provided script to check for these certificates yourself. Failing to update legacy certificates prior to installing or updating a cluster will result in cluster dysfunction. + +.Prerequisites + +* On the machine where you run the script, have the following software: +** Bash version 4.0 or greater +** `grep` +** link:https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.2/html/command_line_interface_reference/the_openstack_client[OpenStack client] +** link:https://stedolan.github.io/jq/[`jq`] +** link:https://www.openssl.org/[OpenSSL version 1.1.1l or greater] +* Populate the machine with {rh-openstack} credentials for the target cloud. + + +.Procedure + +. 
Save the following script to your machine: ++ +[%collapsible%] +==== +[source,bash] +---- +#!/usr/bin/env bash + +set -Eeuo pipefail + +declare catalog san +catalog="$(mktemp)" +san="$(mktemp)" +readonly catalog san + +declare invalid=0 + +openstack catalog list --format json --column Name --column Endpoints \ + | jq -r '.[] | .Name as $name | .Endpoints[] | [$name, .interface, .url] | join(" ")' \ + | sort \ + > "$catalog" + +while read -r name interface url; do + # Ignore HTTP + if [[ ${url#"http://"} != "$url" ]]; then + continue + fi + + # Remove the schema from the URL + noschema=${url#"https://"} + + # If the schema was not HTTPS, error + if [[ noschema == "$url" ]]; then + echo "ERROR (unknown schema): $name $interface $url" + exit 2 + fi + + # Remove the path and only keep host and port + noschema="${noschema%%/*}" + host="${noschema%%:*}" + port="${noschema##*:}" + + # Add the port if was implicit + if [[ "$port" == "$host" ]]; then + port='443' + fi + + # Get the SAN fields + openssl s_client -showcerts -servername "$host" -connect "$host:$port" /dev/null \ + | openssl x509 -noout -ext subjectAltName \ + > "$san" + + # openssl returns the empty string if no SAN is found. + # If a SAN is found, openssl is expected to return something like: + # + # X509v3 Subject Alternative Name: + # DNS:standalone, DNS:osp1, IP Address:192.168.2.1, IP Address:10.254.1.2 + if [[ "$(grep -c "Subject Alternative Name" "$san" || true)" -gt 0 ]]; then + echo "PASS: $name $interface $url" + else + invalid=$((invalid+1)) + echo "INVALID: $name $interface $url" + fi +done < "$catalog" + +# clean up temporary files +rm "$catalog" "$san" + +if [[ $invalid -gt 0 ]]; then + echo "${invalid} legacy certificates were detected. Update your certificates to include a SAN field." + exit 1 +else + echo "All HTTPS certificates for this cloud are valid." +fi +---- +==== + +. Run the script. + +. 
Replace any certificates that the script reports as `INVALID` with certificates that contain SAN fields. + +[IMPORTANT] +==== +You must replace all legacy HTTPS certificates before you install {product-title} 4.10 or update a cluster to that version. Legacy certificates will be rejected with the following message: + +[source,txt] +---- +x509: certificate relies on legacy Common Name field, use SANs instead +---- +====
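Review bot: `if [[ noschema == "$url" ]]; then` in the new script compares the literal string `noschema` with `$url`, so the "unknown schema" branch can never fire; it should be `if [[ "$noschema" == "$url" ]]; then`. Two more points in the same hunk. First, the line `openssl s_client -showcerts -servername "$host" -connect "$host:$port" /dev/null` has no redirection operator before `/dev/null` (presumably `</dev/null` was intended): as written `/dev/null` is an unexpected extra argument, and without a stdin redirect `s_client` reads its input from the same `$catalog` file the enclosing `while read -r name interface url` loop is consuming, so the loop would not see the remaining endpoints. Second, with `set -Eeuo pipefail` in force, an endpoint that refuses the TLS connection makes the `openssl s_client | openssl x509` pipeline fail and aborts the whole run, and the `exit 2` path also returns early; both leave the `mktemp` files behind, so a `trap 'rm -f "$catalog" "$san"' EXIT` right after the `readonly catalog san` line would be safer than the `rm` at the end. Minor: `host="${noschema%%:*}"` / `port="${noschema##*:}"` mis-split bracketed IPv6 endpoints (for example a constructed `https://[fd00::1]:5000/v3` would yield host `[fd00` and port `1]`), and the block attribute `[%collapsible%]` should read `[%collapsible]`.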