Certificates needs to be chanined and bundled

in the order (certfile, keyfile and cacert). 1. Chaining in the certificate in correct order 2. Making certfile/keyfile optional Closes-Bug: 1639426 Closes-Bug: 1630513 Conflicts: src/api-lib/vnc_api.py Change-Id: Ib5e66bfdd27795bd090c3b3b49207241cbc5f0ae
Juniper · Nov 28, 2016 · df192ce · df192ce
1 parent 4698619
commit df192ce
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 30 deletions.
diff --git a/src/api-lib/vnc_api.py b/src/api-lib/vnc_api.py
@@ -225,17 +225,12 @@ def __init__(self, username=None, password=None, tenant_name=None,
             apicafile=_read_cfg(cfg_parser,'global','cafile','')
 
             self._use_api_certs=False
-            if api_server_use_ssl:
-                certs = []
-                if apicafile:
-                    certs.append(apicafile)
-                if apicertfile:
-                    certs.append(apicertfile)
-                if apikeyfile:
-                    certs.append(apikeyfile)
-                if certs:
-                    self._apicertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_API_CERT_BUNDLE,certs)
-                    self._use_api_certs=True
+            if apicafile and api_server_use_ssl:
+                certs=[apicafile]
+                if apikeyfile and apicertfile:
+                    certs=[apicertfile, apikeyfile, apicafile]
+                self._apicertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_API_CERT_BUNDLE,certs)
+                self._use_api_certs=True
 
             # keystone SSL support
             try:
@@ -249,17 +244,12 @@ def __init__(self, username=None, password=None, tenant_name=None,
             kscafile=_read_cfg(cfg_parser,'auth','cafile','')
 
             self._use_ks_certs=False
-            if self._authn_protocol == 'https':
-                certs = []
-                if kscafile:
-                    certs.append(kscafile)
-                if kscertfile:
-                    certs.append(kscertfile)
-                if kskeyfile:
-                    certs.append(kskeyfile)
-                if certs:
-                   self._kscertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_KS_CERT_BUNDLE,certs)
-                   self._use_ks_certs=True
+            if kscafile and self._authn_protocol == 'https':
+                certs=[kscafile]
+                if kskeyfile and kscertfile:
+                    certs=[kscertfile, kskeyfile, kscafile]
+                self._kscertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_KS_CERT_BUNDLE,certs)
+                self._use_ks_certs=True
 
             if 'v2' in self._authn_url:
                 self._authn_body = \

diff --git a/src/config/api-server/vnc_auth_keystone.py b/src/config/api-server/vnc_auth_keystone.py
@@ -142,10 +142,11 @@ class AuthServiceKeystone(object):
 
     def __init__(self, server_mgr, args):
         _kscertbundle=''
-        if args.certfile and args.keyfile and args.cafile \
-           and args.auth_protocol == 'https':
-               certs=[args.certfile, args.keyfile, args.cafile]
-               _kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
+        if args.auth_protocol == 'https' and args.cafile:
+            certs=[args.cafile]
+            if args.keyfile and args.certfile:
+                certs=[args.certfile, args.keyfile, args.cafile]
+            _kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
         identity_uri = '%s://%s:%s' % (args.auth_protocol, args.auth_host, args.auth_port)
         self._conf_info = {
             'auth_host': args.auth_host,

diff --git a/src/config/vnc_openstack/vnc_openstack/__init__.py b/src/config/vnc_openstack/vnc_openstack/__init__.py
@@ -82,10 +82,12 @@ def fill_keystone_opts(obj, conf_sections):
 
     obj._kscertbundle=''
     obj._use_certs=False
-    if obj._certfile and obj._keyfile and obj._cafile:
-       certs=[obj._certfile,obj._keyfile,obj._cafile]
-       obj._kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
-       obj._use_certs=True
+    if obj._certfile:
+        certs = [obj._certfile]
+        if obj._keyfile and obj._cafile:
+            certs=[obj._certfile,obj._keyfile,obj._cafile]
+        obj._kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
+        obj._use_certs=True
 
     try:
         obj._auth_url = conf_sections.get('KEYSTONE', 'auth_url')