Merge "Certificates needs to be chanined and bundled in the order (ce…

…rtfile, keyfile and cacert)." into R3.1

src/api-lib/vnc_api.py

@@ -222,17 +222,12 @@ def __init__(self, username=None, password=None, tenant_name=None,
             apicafile=_read_cfg(cfg_parser,'global','cafile','')
 
             self._use_api_certs=False
-            if api_server_use_ssl:
-                certs = []
-                if apicafile:
-                    certs.append(apicafile)
-                if apicertfile:
-                    certs.append(apicertfile)
-                if apikeyfile:
-                    certs.append(apikeyfile)
-                if certs:
-                    self._apicertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_API_CERT_BUNDLE,certs)
-                    self._use_api_certs=True
+            if apicafile and api_server_use_ssl:
+                certs=[apicafile]
+                if apikeyfile and apicertfile:
+                    certs=[apicertfile, apikeyfile, apicafile]
+                self._apicertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_API_CERT_BUNDLE,certs)
+                self._use_api_certs=True
 
             # keystone SSL support
             try:
@@ -246,17 +241,12 @@ def __init__(self, username=None, password=None, tenant_name=None,
             kscafile=_read_cfg(cfg_parser,'auth','cafile','')
 
             self._use_ks_certs=False
-            if self._authn_protocol == 'https':
-                certs = []
-                if kscafile:
-                    certs.append(kscafile)
-                if kscertfile:
-                    certs.append(kscertfile)
-                if kskeyfile:
-                    certs.append(kskeyfile)
-                if certs:
-                   self._kscertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_KS_CERT_BUNDLE,certs)
-                   self._use_ks_certs=True
+            if kscafile and self._authn_protocol == 'https':
+                certs=[kscafile]
+                if kskeyfile and kscertfile:
+                    certs=[kscertfile, kskeyfile, kscafile]
+                self._kscertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_KS_CERT_BUNDLE,certs)
+                self._use_ks_certs=True
 
             if 'v2' in self._authn_url:
                 self._authn_body = \

src/config/api-server/vnc_auth_keystone.py

@@ -141,10 +141,11 @@ class AuthServiceKeystone(object):
 
     def __init__(self, server_mgr, args):
         _kscertbundle=''
-        if args.certfile and args.keyfile and args.cafile \
-           and args.auth_protocol == 'https':
-               certs=[args.certfile, args.keyfile, args.cafile]
-               _kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
+        if args.auth_protocol == 'https' and args.cafile:
+            certs=[args.cafile]
+            if args.keyfile and args.certfile:
+                certs=[args.certfile, args.keyfile, args.cafile]
+            _kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
         identity_uri = '%s://%s:%s' % (args.auth_protocol, args.auth_host, args.auth_port)
         self._conf_info = {
             'auth_host': args.auth_host,

src/config/vnc_openstack/vnc_openstack/__init__.py

@@ -82,10 +82,12 @@ def fill_keystone_opts(obj, conf_sections):
 
     obj._kscertbundle=''
     obj._use_certs=False
-    if obj._certfile and obj._keyfile and obj._cafile:
-       certs=[obj._certfile,obj._keyfile,obj._cafile]
-       obj._kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
-       obj._use_certs=True
+    if obj._certfile:
+        certs = [obj._certfile]
+        if obj._keyfile and obj._cafile:
+            certs=[obj._certfile,obj._keyfile,obj._cafile]
+        obj._kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
+        obj._use_certs=True
 
     try:
         obj._auth_url = conf_sections.get('KEYSTONE', 'auth_url')