From 7c05eb040cfeb21641c453a4bd55f835364acd06 Mon Sep 17 00:00:00 2001
From: Ignatious Johnson Christopher
Date: Mon, 21 Nov 2016 15:50:03 -0800
Subject: [PATCH] Certificates needs to be chanined and bundled in the order (certfile, keyfile and cacert). 1. Chaining in the certificate in correct order
Change-Id: I726f3e3543580aac2ad1adc14aba5cc9d2ffa3b5
Closes-Bug: 1639426
(cherry picked from commit 61257dbdf6f2a11775bf2db605adc4dcc6f45068)
(cherry picked from commit d298d9b8b17fd93da54aabd7e6eaff100861aeed)
---
 .../plugins/opencontrail/contrail_plugin.py | 41 ++++++++-----------
 1 file changed, 17 insertions(+), 24 deletions(-)
diff --git a/neutron_plugin_contrail/plugins/opencontrail/contrail_plugin.py b/neutron_plugin_contrail/plugins/opencontrail/contrail_plugin.py
index 753ae79..f64de0d 100644
--- a/neutron_plugin_contrail/plugins/opencontrail/contrail_plugin.py
+++ b/neutron_plugin_contrail/plugins/opencontrail/contrail_plugin.py
@@ -102,18 +102,15 @@ def _build_auth_details(self):
 kskeyfile=cfg.CONF.keystone_authtoken.keyfile
 kscafile=cfg.CONF.keystone_authtoken.cafile
- self._use_ks_certs=False
- if cfg.CONF.keystone_authtoken.auth_protocol == _DEFAULT_SECURE_SERVER_CONNECT:
- certs = []
- if kscafile:
- certs.append(kscafile)
- if kscertfile:
- certs.append(kscertfile)
- if kskeyfile:
- certs.append(kskeyfile)
- if certs:
- self._kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
- self._use_ks_certs=True
+ self._use_ks_certs = False
+ if (cfg.CONF.keystone_authtoken.auth_protocol ==
+ _DEFAULT_SECURE_SERVER_CONNECT and kscafile):
+ certs = [kscafile]
+ if kscertfile and kskeyfile:
+ certs = [kscertfile, kskeyfile, kscafile]
+ self._kscertbundle = cfgmutils.getCertKeyCaBundle(
+ _DEFAULT_KS_CERT_BUNDLE,certs)
+ self._use_ks_certs = True
 #API Server SSL support
 self._apiusessl=cfg.CONF.APISERVER.use_ssl
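Review bot: A half-configured client identity is dropped silently in the added `if kscertfile and kskeyfile:` branch: when only one of `certfile`/`keyfile` is set the bundle is built from the CA alone, and when `auth_protocol` is the secure value but `cafile` is empty the whole block is skipped and `_use_ks_certs` stays `False`, with nothing logged in either case. The API-server hunk (`if self._apiusessl and apicafile:` / `if apicertfile and apikeyfile:`) has the same shape. I would add a warning on both paths, e.g. an `elif kscertfile or kskeyfile:` arm that logs that certfile and keyfile must be set together, using whatever logger the module already has (not visible here). The bundle still contains the private key next to the CA, so please confirm that `cfgmutils.getCertKeyCaBundle` creates the file with owner-only permissions and that the code consuming `_kscertbundle` is meant to receive the client certificate and key as well; both are outside the hunk, as are the start and end of `_build_auth_details`.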
@@ -127,18 +124,14 @@ def _build_auth_details(self):
 else:
 self._apiserverconnect=_DEFAULT_SERVER_CONNECT
- self._use_api_certs=False
- if self._apiusessl:
- certs = []
- if apicafile:
- certs.append(apicafile)
- if apicertfile:
- certs.append(apicertfile)
- if apikeyfile:
- certs.append(apikeyfile)
- if certs:
- self._apicertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_API_CERT_BUNDLE,certs)
- self._use_api_certs=True
+ self._use_api_certs = False
+ if self._apiusessl and apicafile:
+ certs = [apicafile]
+ if apicertfile and apikeyfile:
+ certs = [apicertfile, apikeyfile, apicafile]
+ self._apicertbundle = cfgmutils.getCertKeyCaBundle(
+ _DEFAULT_API_CERT_BUNDLE,certs)
+ self._use_api_certs = True
 def _request_api_server(self, url, data=None, headers=None):