pki work, and keystone cert generated
ignore retry files
load variables for localhost as well
split root/intermediate generation
use array for creating server certs
configure openstack with certs from server via lookup('file',...
move root CA cert to old location, testing
indent ssl info
more places where the CA cert is used
don't have juju self-manage certs
juju requires certs be base64 encoded (not documented)
install both root/intermediate CA certs, as juju/trusty apache is too old to support chaining
provide ca/im chain to juju keystone config
yaml error
updated name for onos source per jono
fixed the onos-fabric-install role
whitespace
copy CA certs to compute node
stop wasting time
diagnostically print contents of /usr/local/share/ca-certificates/ dir

Change-Id: Idbd4891736b07690a260bf3d117c547de1ae7424
diff --git a/roles/onos-cord-install/tasks/main.yml b/roles/onos-cord-install/tasks/main.yml
index 1393570..eb1f64e 100644
--- a/roles/onos-cord-install/tasks/main.yml
+++ b/roles/onos-cord-install/tasks/main.yml
@@ -38,10 +38,13 @@
 
 - name: Copy SSL Certs to ONOS so docker-compose can find it
   copy:
-    src: "/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt"
-    dest: "{{ onos_cord_dest }}/xos-certs.crt"
+    src: "/usr/local/share/ca-certificates/{{ item }}"
+    dest: "{{ onos_cord_dest }}/{{ item }}"
     owner: "{{ ansible_user_id }}"
     remote_src: True
+  with_items:
+    - "cord_root_ca.crt"
+    - "cord_intermediate_ca.crt"
 
 - name: Build onos image
   command: docker-compose build chdir={{ onos_cord_dest }}
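Review bot: The two file names under `with_items` must stay identical to the `COPY` lines in `templates/Dockerfile.j2`, and nothing in the task says so; a comment such as `# names must match the COPY lines in templates/Dockerfile.j2` above `with_items` would document the coupling. The task sets `owner` but no `mode`, so the permissions of these trust anchors in the build context presumably depend on the source files or the umask; adding `mode: "0644"` would make them explicit. The `Build onos image` task that follows continues outside the hunk.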
diff --git a/roles/onos-cord-install/templates/Dockerfile.j2 b/roles/onos-cord-install/templates/Dockerfile.j2
index a9973be..e79f87b 100644
--- a/roles/onos-cord-install/templates/Dockerfile.j2
+++ b/roles/onos-cord-install/templates/Dockerfile.j2
@@ -4,15 +4,21 @@
 MAINTAINER Zack Williams <zdw@cs.arizona.edu>
 
 # Add SSL certs
-COPY xos-certs.crt /usr/local/share/ca-certificates/xos-certs.crt
+COPY cord_root_ca.crt /usr/local/share/ca-certificates/cord_root_ca.crt
+COPY cord_intermediate_ca.crt /usr/local/share/ca-certificates/cord_intermediate_ca.crt
 RUN update-ca-certificates
 
 # Create Java KeyStore from certs
-RUN openssl x509 -in /usr/local/share/ca-certificates/xos-certs.crt \
-      -outform der -out /usr/local/share/ca-certificates/xos-certs.der && \
-    keytool -import -noprompt -storepass {{ trust_store_pw }} -alias xos-certs \
-      -file /usr/local/share/ca-certificates/xos-certs.der \
-      -keystore /usr/local/share/ca-certificates/xos-certs.jks
+RUN openssl x509 -in /usr/local/share/ca-certificates/cord_root_ca.crt \
+      -outform der -out /usr/local/share/ca-certificates/cord_root_ca.der && \
+    openssl x509 -in /usr/local/share/ca-certificates/cord_intermediate_ca.crt \
+      -outform der -out /usr/local/share/ca-certificates/cord_intermediate_ca.der && \
+    keytool -import -noprompt -storepass {{ trust_store_pw }} -alias cord_root_ca \
+      -file /usr/local/share/ca-certificates/cord_root_ca.der \
+      -keystore /usr/local/share/ca-certificates/cord_ca_certs.jks && \
+    keytool -import -noprompt -storepass {{ trust_store_pw }} -alias cord_intermediate_ca \
+      -file /usr/local/share/ca-certificates/cord_intermediate_ca.der \
+      -keystore /usr/local/share/ca-certificates/cord_ca_certs.jks
 
 # Updated onos-service to use the jks
 COPY onos-service /root/onos/bin/onos-service
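Review bot: The truststore password is rendered unquoted into the shell command at both `keytool -import` calls, so a value containing spaces or shell metacharacters would break or change the `RUN` line, and the literal value is recorded in the image's layer history. Quoting at render time fixes the first problem: `-storepass {{ trust_store_pw | quote }}`. The same value is interpolated inside double quotes in the `JAVA_OPTS` export in `templates/onos-service.j2`, where `$`, backticks or `"` in the password would be interpreted by the shell. Since this keystore holds only public CA certificates, a comment such as `# truststore password guards integrity only; it is visible in image history` would keep readers from treating it as a secret.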
diff --git a/roles/onos-cord-install/templates/onos-service.j2 b/roles/onos-cord-install/templates/onos-service.j2
index 7eef6f5..00a337e 100644
--- a/roles/onos-cord-install/templates/onos-service.j2
+++ b/roles/onos-cord-install/templates/onos-service.j2
@@ -10,7 +10,7 @@
 # Do modify the keystore location/password and truststore location/password accordingly
 #export JAVA_OPTS="${JAVA_OPTS:--DenableNettyTLS=true -Djavax.net.ssl.keyStore=/home/ubuntu/onos.jks -Djavax.net.ssl.keyStorePassword=222222 -Djavax.net.ssl.trustStore=/home/ubuntu/onos.jks -Djavax.net.ssl.trustStorePassword=222222}"
 
-export JAVA_OPTS="-Djavax.net.ssl.trustStore=/usr/local/share/ca-certificates/xos-certs.jks -Djavax.net.ssl.trustStorePassword={{ trust_store_pw }}" 
+export JAVA_OPTS="-Djavax.net.ssl.trustStore=/usr/local/share/ca-certificates/cord_ca_certs.jks -Djavax.net.ssl.trustStorePassword={{ trust_store_pw }}"
 
 set -e  # exit on error
 set -u  # exit on undefined variable