Update SSL cert used in testing
The current SSL cert contains '::1' as a DNSName[1], which is clearly an IP address. When PyOpenSSL is installed this causes the entire SubjectAlternativeName attribute of the cert to be discarded, which causes something like: WARNING [urllib3.contrib.pyopenssl] A problem was encountered with the certificate that prevented urllib3 from finding the SubjectAlternativeName field. This can affect certificate validation. The error was Codepoint U+003A at position 1 of u'::1' not allowed ERROR [urllib3.connection] Certificate did not match expected hostname: 127.0.0.1. Certificate: {'subject': ((('commonName', u'*'),),), 'subjectAltName': []} The latest release of python-glanceclient now requires PyOpenSSL, causing the wsgi unit tests to fail. This change alters the Alternate names to: DNS = localhost DNS = ip6-localhost IP Address = 127.0.0.1 IP Address = ::1 And introduces a script to regenerate the cert if needed in the future. [1]: DNS = localhost DNS = ip6-localhost DNS = 127.0.0.1 DNS = ::1 IP Address = 127.0.0.1 IP Address = ::1 Change-Id: I35fa11660b9ff778f868af98802cb40ab3e2ce60 Related-Change: Ibd43976e46a531556739eafcf326b64e33366610
parent
008bc0b971
commit
42b0240bed
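--- a/nova/tests/unit/ssl_cert/certificate.cnf
+++ b/nova/tests/unit/ssl_cert/certificate.cnf
@@ -0,0 +1,39 @@
+[ req ]
+default_md = sha512
+default_bits = 4096
+distinguished_name = req-dn
+req_extensions = req_ext
+x509_extensions = x509_ext
+string_mask = utf8only
+prompt = no
+
+# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
+[ x509_ext ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alternate_names
+
+# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
+[ req_ext ]
+subjectKeyIdentifier = hash
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alternate_names
+
+[ req-dn ]
+C = US
+ST = Texas
+L = Austin
+O = OpenStack Foundation
+OU = OpenStack Developers
+CN = *
+
+[ alternate_names ]
+DNS.1 = localhost
+DNS.2 = ip6-localhost
+IP.1 = 127.0.0.1
+IP.2 = ::1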
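Review bot: The comment above `[ x509_ext ]` is out of step with how the section is used. It describes a self-signed certificate made with `openssl req -x509`, but new_cert.sh in this commit applies the section through `openssl x509 -extfile certificate.cnf -extensions x509_ext` together with `-CA ca.crt -CAkey ca.key`, so the certificate is CA-signed. I would reword it to `# Section x509_ext is applied by new_cert.sh (openssl x509 -extfile ... -extensions x509_ext) when the test CA signs the CSR.` A short header comment stating that this file is a unit-test fixture would also help, since `CN = *` with loopback-only entries in `[ alternate_names ]` and `extendedKeyUsage = serverAuth` is only meaningful for the local wsgi tests.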
@ -1,12 +1,12 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIHHjCCBQagAwIBAgIBATANBgkqhkiG9w0BAQ0FADCBsDELMAkGA1UEBhMCVVMx
|
||||
MIIGUjCCBDqgAwIBAgIBATANBgkqhkiG9w0BAQ0FADCBsDELMAkGA1UEBhMCVVMx
|
||||
DjAMBgNVBAgTBVRleGFzMQ8wDQYDVQQHEwZBdXN0aW4xHTAbBgNVBAoTFE9wZW5T
|
||||
dGFjayBGb3VuZGF0aW9uMR0wGwYDVQQLExRPcGVuU3RhY2sgRGV2ZWxvcGVyczEQ
|
||||
MA4GA1UEAxMHVGVzdCBDQTEwMC4GCSqGSIb3DQEJARYhb3BlbnN0YWNrLWRldkBs
|
||||
aXN0cy5vcGVuc3RhY2sub3JnMB4XDTE1MDEwODAyNTQzNVoXDTI1MDEwODAyNTQz
|
||||
NVoweDELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVRleGFzMQ8wDQYDVQQHEwZBdXN0
|
||||
aW4xHTAbBgNVBAoTFE9wZW5TdGFjayBGb3VuZGF0aW9uMR0wGwYDVQQLExRPcGVu
|
||||
U3RhY2sgRGV2ZWxvcGVyczEKMAgGA1UEAxQBKjCCAiIwDQYJKoZIhvcNAQEBBQAD
|
||||
aXN0cy5vcGVuc3RhY2sub3JnMB4XDTE3MDczMTAzMDg1MFoXDTI3MDcyOTAzMDg1
|
||||
MFoweDELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVRleGFzMQ8wDQYDVQQHDAZBdXN0
|
||||
aW4xHTAbBgNVBAoMFE9wZW5TdGFjayBGb3VuZGF0aW9uMR0wGwYDVQQLDBRPcGVu
|
||||
U3RhY2sgRGV2ZWxvcGVyczEKMAgGA1UEAwwBKjCCAiIwDQYJKoZIhvcNAQEBBQAD
|
||||
ggIPADCCAgoCggIBANBJtvyhMKBn397hE7x9Ce/Ny+4ENQfr9VrHuvGNCR3W/uUb
|
||||
QafdNdZCYNAGPrq2T3CEYK0IJxZjr2HuTcSK9StBMFauTeIPqVUVkO3Tjq1Rkv+L
|
||||
np/e6DhHkjCU6Eq/jIw3ic0QoxLygTybGxXgJgVoBzGsJufzOQ14tfkzGeGyE3L5
|
||||
@ -18,24 +18,19 @@ Tz53+6fs93WwnnEPto9tFRKeNWt3jx/wjluDFhhBTZO4snNIq9xnCYSEQAIsRBVW
|
||||
Ahv7LqWLigUy7a9HMIyi3tQEZN9NCDy4BNuJDu33XWLLVMwNrIiR5mdCUFoRKt/E
|
||||
+YPj7bNlzZMTSGLoBFPM71Lnfym9HazHDE1KxvT4gzYMubK4Y07meybiL4QNvU08
|
||||
ITgFU6DAGob+y/GHqw+bmez5y0F/6FlyV+SiSrbVEEtzp9Ewyrxb85OJFK0tAgMB
|
||||
AAGjggF4MIIBdDBLBgNVHREERDBCgglsb2NhbGhvc3SCDWlwNi1sb2NhbGhvc3SC
|
||||
CTEyNy4wLjAuMYIDOjoxhwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMB0GA1UdDgQW
|
||||
BBSjWxD0qedj9eeGUWyGphy5PU67dDCB5QYDVR0jBIHdMIHagBQTWz2WEB0sJg9c
|
||||
xfM5JeJMIAJq0qGBtqSBszCBsDELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVRleGFz
|
||||
MQ8wDQYDVQQHEwZBdXN0aW4xHTAbBgNVBAoTFE9wZW5TdGFjayBGb3VuZGF0aW9u
|
||||
MR0wGwYDVQQLExRPcGVuU3RhY2sgRGV2ZWxvcGVyczEQMA4GA1UEAxMHVGVzdCBD
|
||||
QTEwMC4GCSqGSIb3DQEJARYhb3BlbnN0YWNrLWRldkBsaXN0cy5vcGVuc3RhY2su
|
||||
b3JnggkA6M8Ysv1UOGMwCQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcDATAN
|
||||
BgkqhkiG9w0BAQ0FAAOCAgEAIGx/acXQEiGYFBJUduE6/Y6LBuHEVMcj0yfbLzja
|
||||
Eb35xKWHuX7tgQPwXy6UGlYM8oKIptIp/9eEuYXte6u5ncvD7e/JldCUVd0fW8hm
|
||||
fBOhfqVstcTmlfZ6WqTJD6Bp/FjUH+8qf8E+lsjNy7i0EsmcQOeQm4mkocHG1AA4
|
||||
MEeuDg33lV6XCjW450BoZ/FTfwZSuTlGgFlEzUUrAe/ETdajF9G9aJ+0OvXzE1tU
|
||||
pvbvkU8eg4pLXxrzboOhyQMEmCikdkMYjo/0ZQrXrrJ1W8mCinkJdz6CToc7nUkU
|
||||
F8tdAY0rKMEM8SYHngMJU2943lpGbQhE5B4oms8I+SMTyCVz2Vu5I43Px68Y0GUN
|
||||
Bn5qu0w2Vj8eradoPF8pEAIVICIvlbiRepPbNZ7FieSsY2TEfLtxBd2DLE1YWeE5
|
||||
p/RDBxqcDrGQuSg6gFSoLEhYgQcGnYgD75EIE8f/LrHFOAeSYEOhibFbK5G8p/2h
|
||||
EHcKZ9lvTgqwHn0FiTqZ3LWxVFsZiTsiyXErpJ2Nu2WTzo0k1xJMUpJqHuUZraei
|
||||
N5fA5YuDp2ShXRoZyVieRvp0TCmm6sHL8Pn0K8weJchYrvV1yvPKeuISN/fVCQev
|
||||
88yih5Rh5R2szwoY3uVImpd99bMm0e1bXrQug43ZUz9rC4ABN6+lZvuorDWRVI7U
|
||||
I1M=
|
||||
AAGjga0wgaowHQYDVR0OBBYEFKNbEPSp52P154ZRbIamHLk9Trt0MB8GA1UdIwQY
|
||||
MBaAFBNbPZYQHSwmD1zF8zkl4kwgAmrSMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWg
|
||||
MBMGA1UdJQQMMAoGCCsGAQUFBwMBMDsGA1UdEQQ0MDKCCWxvY2FsaG9zdIINaXA2
|
||||
LWxvY2FsaG9zdIcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQ0F
|
||||
AAOCAgEAcua03v47pQUueiwM5nRxt1Tcbi79JNuGy/JL9c2bedzGumBd/dPQIEJM
|
||||
sieO/oUBxw3BSmwt+mRgLhTf6QYPVfCSZnL4YMHqayjzq4fmOOQaMPaPEy9rY1Re
|
||||
Rp/AlxpTLg2i3wQMJIR9sZ0+wcmr1yJsXn6xnLQHKJNkk+gSw3o13noZ8cEnzUtR
|
||||
C8qSvU4aXeGoBmpX/sPqpc+S82MKCdR/tjEOTDVGdKYsXW8OIDJePNhiHnuJ5M95
|
||||
vmiFlxJ6Td30ufXscXhFfmmsRoDmxamCZcS4sfQvhe1/hYBGSeJcYkaiTlqENjwJ
|
||||
BpclLBfm9sw1l8gvSd2GtNPO6tHRalIUgaBCTBmyzShEGB7SEBTuBpVAbJMz0K+W
|
||||
9FCLd7tgTxcSknz51iL3ybKZnVuwFKOm63k50GqGdUDC0zDuXoszNSLeWliQ+d/C
|
||||
mStfQ9ItFe6snbFDbTHPGk9YtYUZ48zs+8sa0QZWemMlQUjxjWHv5DIABFWVZ8ZD
|
||||
HLdAbzbmCHPP3uT1oeXqoZjhPCwCd6xoL5dlU0H/6bdfH5wUhnO1R029w+M2gzXV
|
||||
cNrmsB+Qfiiywqf5DdCVHP9yOBh83Fs82YTt+BhkWSBD4cfAm2PJ4CwOY/S+d6rD
|
||||
Vn50DqL6tYJoTlm/CjjXh3TP4hof7i9lfJjeZfoB5AFaWAVdL7s=
|
||||
-----END CERTIFICATE-----
|
||||
|
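--- a/nova/tests/unit/ssl_cert/new_cert.sh
+++ b/nova/tests/unit/ssl_cert/new_cert.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+openssl req -new -out certificate.csr -key privatekey.key \
+-config certificate.cnf
+openssl x509 -extfile certificate.cnf -extensions x509_ext \
+-req -sha512 -days 3650 -set_serial 1 \
+-CA ca.crt -CAkey ca.key \
+-in certificate.csr -out certificate.crt
+
+if [ "$1" == "--dump" ] ; then
+openssl req -in certificate.csr -text -noout > /tmp/csr.txt
+openssl x509 -in ca.crt -text -noout > /tmp/ca.txt
+openssl x509 -in certificate.crt -text -noout > /tmp/certificate.txt
+fi
+rm certificate.csr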
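Review bot: The script has no error handling, so a failed `openssl req` still falls through to the signing step and to the final `rm certificate.csr`. Adding `set -euo pipefail` after the shebang stops it at the first failure, and with `set -u` the argument test needs `"${1:-}"`. The `--dump` branch also writes to fixed, predictable names under `/tmp`, which on a shared machine can overwrite an existing file or follow a symlink someone else placed there. A directory from `mktemp -d` avoids that.

```shell
#!/usr/bin/env bash
set -euo pipefail

# … unchanged: openssl req / openssl x509 signing commands …

if [ "${1:-}" == "--dump" ] ; then
    dump_dir=$(mktemp -d)
    openssl req -in certificate.csr -text -noout > "$dump_dir/csr.txt"
    openssl x509 -in ca.crt -text -noout > "$dump_dir/ca.txt"
    openssl x509 -in certificate.crt -text -noout > "$dump_dir/certificate.txt"
    echo "Dumps written to $dump_dir"
fi
```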