Certificates needs to be chanined and bundled

in the order (certfile, keyfile and cacert). 1. Chaining in the certificate in correct order Change-Id: I9cc8a0aaf1468b77a856e5624ed2d7f7fa34ed03 Closes-Bug: 1639426
Juniper · Nov 21, 2016 · 68b00ad · 68b00ad
1 parent d757521
commit 68b00ad
Showing 1 changed file with 17 additions and 12 deletions.
diff --git a/neutron_plugin_contrail/plugins/opencontrail/contrail_plugin.py b/neutron_plugin_contrail/plugins/opencontrail/contrail_plugin.py
@@ -102,12 +102,15 @@ def _build_auth_details(self):
             kskeyfile=cfg.CONF.keystone_authtoken.keyfile
             kscafile=cfg.CONF.keystone_authtoken.cafile
 
-            self._use_ks_certs=False
-            if kscertfile and kskeyfile and kscafile \
-               and cfg.CONF.keystone_authtoken.auth_protocol == _DEFAULT_SECURE_SERVER_CONNECT:
-                   certs=[kscertfile, kskeyfile, kscafile]
-                   self._kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
-                   self._use_ks_certs=True
+            self._use_ks_certs = False
+            if (cfg.CONF.keystone_authtoken.auth_protocol ==
+                    _DEFAULT_SECURE_SERVER_CONNECT and kscafile):
+                certs = [kscafile]
+                if kscertfile and kskeyfile:
+                    certs = [kscertfile, kskeyfile, kscafile]
+                self._kscertbundle = cfgmutils.getCertKeyCaBundle(
+                        _DEFAULT_KS_CERT_BUNDLE,certs)
+                self._use_ks_certs = True
 
         #API Server SSL support
         self._apiusessl=cfg.CONF.APISERVER.use_ssl
@@ -121,12 +124,14 @@ def _build_auth_details(self):
         else:
             self._apiserverconnect=_DEFAULT_SERVER_CONNECT
 
-        self._use_api_certs=False
-        if apicertfile and apikeyfile and apicafile and self._apiusessl:
-               certs=[apicertfile, apikeyfile, apicafile]
-               self._apicertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_API_CERT_BUNDLE,certs)
-               self._use_api_certs=True
-
+        self._use_api_certs = False
+        if self._apiusessl and apicafile:
+            certs = [apicafile]
+            if apicertfile and apikeyfile:
+                certs = [apicertfile, apikeyfile, apicafile]
+            self._apicertbundle = cfgmutils.getCertKeyCaBundle(
+                    _DEFAULT_API_CERT_BUNDLE,certs)
+            self._use_api_certs = True
 
     def _request_api_server(self, url, data=None, headers=None):
         # Attempt to post to Api-Server