From 68b00adb10af91217a6b64f7d889f3889186fb49 Mon Sep 17 00:00:00 2001
From: Ignatious Johnson Christopher <ijohnson@juniper.net>
Date: Mon, 21 Nov 2016 15:50:03 -0800
Subject: [PATCH] Certificates needs to be chanined and bundled in the order
 (certfile, keyfile and cacert).

1. Chaining in the certificate in correct order

Change-Id: I9cc8a0aaf1468b77a856e5624ed2d7f7fa34ed03
Closes-Bug: 1639426
---
 .../plugins/opencontrail/contrail_plugin.py   | 29 +++++++++++--------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/neutron_plugin_contrail/plugins/opencontrail/contrail_plugin.py b/neutron_plugin_contrail/plugins/opencontrail/contrail_plugin.py
index 556cdc8..de8db88 100644
--- a/neutron_plugin_contrail/plugins/opencontrail/contrail_plugin.py
+++ b/neutron_plugin_contrail/plugins/opencontrail/contrail_plugin.py
@@ -102,12 +102,15 @@ def _build_auth_details(self):
             kskeyfile=cfg.CONF.keystone_authtoken.keyfile
             kscafile=cfg.CONF.keystone_authtoken.cafile
 
-            self._use_ks_certs=False
-            if kscertfile and kskeyfile and kscafile \
-               and cfg.CONF.keystone_authtoken.auth_protocol == _DEFAULT_SECURE_SERVER_CONNECT:
-                   certs=[kscertfile, kskeyfile, kscafile]
-                   self._kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
-                   self._use_ks_certs=True
+            self._use_ks_certs = False
+            if (cfg.CONF.keystone_authtoken.auth_protocol ==
+                    _DEFAULT_SECURE_SERVER_CONNECT and kscafile):
+                certs = [kscafile]
+                if kscertfile and kskeyfile:
+                    certs = [kscertfile, kskeyfile, kscafile]
+                self._kscertbundle = cfgmutils.getCertKeyCaBundle(
+                        _DEFAULT_KS_CERT_BUNDLE,certs)
+                self._use_ks_certs = True
 
         #API Server SSL support
         self._apiusessl=cfg.CONF.APISERVER.use_ssl
@@ -121,12 +124,14 @@ def _build_auth_details(self):
         else:
             self._apiserverconnect=_DEFAULT_SERVER_CONNECT
 
-        self._use_api_certs=False
-        if apicertfile and apikeyfile and apicafile and self._apiusessl:
-               certs=[apicertfile, apikeyfile, apicafile]
-               self._apicertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_API_CERT_BUNDLE,certs)
-               self._use_api_certs=True
-
+        self._use_api_certs = False
+        if self._apiusessl and apicafile:
+            certs = [apicafile]
+            if apicertfile and apikeyfile:
+                certs = [apicertfile, apikeyfile, apicafile]
+            self._apicertbundle = cfgmutils.getCertKeyCaBundle(
+                    _DEFAULT_API_CERT_BUNDLE,certs)
+            self._use_api_certs = True
 
     def _request_api_server(self, url, data=None, headers=None):
         # Attempt to post to Api-Server