Certificates needs to be chanined and bundled

in the order (certfile, keyfile and cacert). 1. Chaining in the certificate in correct order 2. Making certfile/keyfile optional Closes-Bug: 1639426 Closes-Bug: 1630513 Conflicts: src/api-lib/vnc_api.py Change-Id: I599389972824c1cad37962306fac023bf16ce91c
Juniper · Nov 28, 2016 · 60192ce · 60192ce
1 parent a195316
commit 60192ce
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 17 deletions.
diff --git a/src/api-lib/vnc_api.py b/src/api-lib/vnc_api.py
@@ -222,11 +222,12 @@ def __init__(self, username=None, password=None, tenant_name=None,
             apicafile=_read_cfg(cfg_parser,'global','cafile','')
 
             self._use_api_certs=False
-            if apicertfile and apikeyfile \
-               and apicafile and api_server_use_ssl:
+            if apicafile and api_server_use_ssl:
+                certs=[apicafile]
+                if apikeyfile and apicertfile:
                     certs=[apicertfile, apikeyfile, apicafile]
-                    self._apicertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_API_CERT_BUNDLE,certs)
-                    self._use_api_certs=True
+                self._apicertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_API_CERT_BUNDLE,certs)
+                self._use_api_certs=True
 
             # keystone SSL support
             try:
@@ -240,11 +241,12 @@ def __init__(self, username=None, password=None, tenant_name=None,
             kscafile=_read_cfg(cfg_parser,'auth','cafile','')
 
             self._use_ks_certs=False
-            if kscertfile and kskeyfile and kscafile \
-               and self._authn_protocol == 'https':
-                   certs=[kscertfile, kskeyfile, kscafile]
-                   self._kscertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_KS_CERT_BUNDLE,certs)
-                   self._use_ks_certs=True
+            if kscafile and self._authn_protocol == 'https':
+                certs=[kscafile]
+                if kskeyfile and kscertfile:
+                    certs=[kscertfile, kskeyfile, kscafile]
+                self._kscertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_KS_CERT_BUNDLE,certs)
+                self._use_ks_certs=True
 
             if 'v2' in self._authn_url:
                 self._authn_body = \

diff --git a/src/config/api-server/vnc_auth_keystone.py b/src/config/api-server/vnc_auth_keystone.py
@@ -142,10 +142,11 @@ class AuthServiceKeystone(object):
 
     def __init__(self, server_mgr, args):
         _kscertbundle=''
-        if args.certfile and args.keyfile and args.cafile \
-           and args.auth_protocol == 'https':
-               certs=[args.certfile, args.keyfile, args.cafile]
-               _kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
+        if args.auth_protocol == 'https' and args.cafile:
+            certs=[args.cafile]
+            if args.keyfile and args.certfile:
+                certs=[args.certfile, args.keyfile, args.cafile]
+            _kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
         identity_uri = '%s://%s:%s' % (args.auth_protocol, args.auth_host, args.auth_port)
         self._conf_info = {
             'auth_host': args.auth_host,

diff --git a/src/config/vnc_openstack/vnc_openstack/__init__.py b/src/config/vnc_openstack/vnc_openstack/__init__.py
@@ -78,10 +78,12 @@ def fill_keystone_opts(obj, conf_sections):
 
     obj._kscertbundle=''
     obj._use_certs=False
-    if obj._certfile and obj._keyfile and obj._cafile:
-       certs=[obj._certfile,obj._keyfile,obj._cafile]
-       obj._kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
-       obj._use_certs=True
+    if obj._certfile:
+        certs = [obj._certfile]
+        if obj._keyfile and obj._cafile:
+            certs=[obj._certfile,obj._keyfile,obj._cafile]
+        obj._kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
+        obj._use_certs=True
 
     try:
         obj._auth_url = conf_sections.get('KEYSTONE', 'auth_url')