Certificates needs to be chanined and bundled

in the order (certfile, keyfile and cacert). 1. Chaining in the certificate in correct order Change-Id: I726f3e3543580aac2ad1adc14aba5cc9d2ffa3b5 Closes-Bug: 1639426 (cherry picked from commit 61257db)
Juniper · Dec 14, 2016 · d298d9b · d298d9b
1 parent bb60e96
commit d298d9b
Showing 1 changed file with 17 additions and 24 deletions.
diff --git a/neutron_plugin_contrail/plugins/opencontrail/contrail_plugin.py b/neutron_plugin_contrail/plugins/opencontrail/contrail_plugin.py
@@ -102,18 +102,15 @@ def _build_auth_details(self):
             kskeyfile=cfg.CONF.keystone_authtoken.keyfile
             kscafile=cfg.CONF.keystone_authtoken.cafile
 
-            self._use_ks_certs=False
-            if cfg.CONF.keystone_authtoken.auth_protocol == _DEFAULT_SECURE_SERVER_CONNECT:
-                certs = []
-                if kscafile:
-                    certs.append(kscafile)
-                if kscertfile:
-                    certs.append(kscertfile)
-                if kskeyfile:
-                    certs.append(kskeyfile)
-                if certs:
-                   self._kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
-                   self._use_ks_certs=True
+            self._use_ks_certs = False
+            if (cfg.CONF.keystone_authtoken.auth_protocol ==
+                    _DEFAULT_SECURE_SERVER_CONNECT and kscafile):
+                certs = [kscafile]
+                if kscertfile and kskeyfile:
+                    certs = [kscertfile, kskeyfile, kscafile]
+                self._kscertbundle = cfgmutils.getCertKeyCaBundle(
+                        _DEFAULT_KS_CERT_BUNDLE,certs)
+                self._use_ks_certs = True
 
         #API Server SSL support
         self._apiusessl=cfg.CONF.APISERVER.use_ssl
@@ -127,18 +124,14 @@ def _build_auth_details(self):
         else:
             self._apiserverconnect=_DEFAULT_SERVER_CONNECT
 
-        self._use_api_certs=False
-        if self._apiusessl:
-            certs = []
-            if apicafile:
-                certs.append(apicafile)
-            if apicertfile:
-                certs.append(apicertfile)
-            if apikeyfile:
-                certs.append(apikeyfile)
-            if certs:
-               self._apicertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_API_CERT_BUNDLE,certs)
-               self._use_api_certs=True
+        self._use_api_certs = False
+        if self._apiusessl and apicafile:
+            certs = [apicafile]
+            if apicertfile and apikeyfile:
+                certs = [apicertfile, apikeyfile, apicafile]
+            self._apicertbundle = cfgmutils.getCertKeyCaBundle(
+                    _DEFAULT_API_CERT_BUNDLE,certs)
+            self._use_api_certs = True
 
 
     def _request_api_server(self, url, data=None, headers=None):