Configuring https for the instance console¶

ldaps¶

1. Copy the protocol encryption public key ldap to /etc/keystone/domains:

   #nano /etc/keystone/domains/keystone.main.conf
   

2. In the [ldap] section, change:

   url = ldaps://0.0.0.0:636
   tls_cacertfile = /etc/keystone/domains/dc01-ldap.crt
   tls_req_cert = never
   

3. Restart the service systemctl restart keystone.

Enabling ssl on nginx¶

1. Copy the public and private keys of the server to /etc/aos/crt, change the owner of the files:

   #chown aos:aos /etc/aos/crt/*
   

2. Install the root certificate to /etc/ssl/certs/ca-certificates.crt, to do this, copy it to /usr/local/share/CA.crt and run:

   #update-ca-certificates
   #nano /etc/nginx/sites-available/dashboard.conf (top 6 lines)
   server {
       listen 443 ssl;
       server_name ssl_;
       charset utf-8;
       ssl on;
       ssl_certificate          /etc/aos/crt/aos.domain.ru.crt;
       ssl_certificate_key /etc/aos/crt/aos.domain.ru.key;
   
       root /usr/share/openstack-dashboard;
   
       client_body_temp_path      /tmp/nginx_upload;
       client_body_in_file_only   off;
       client_body_buffer_size    1M;
       client_max_body_size       100G;
   
       location / {
           try_files $uri @uwsgi;
       }
   
       location @uwsgi  {
           uwsgi_pass      127.0.0.1:3080;
           #uwsgi_pass      unix:/run/uwsgi/dashboard.sock;
           include         uwsgi_params;
           uwsgi_buffer_size 32k;
           uwsgi_buffers 8 32k;
   #       #uwsgi_param     SCRIPT_NAME  /horizon;
   #       #uwsgi_modifier1 30;
           uwsgi_read_timeout 600;
           uwsgi_send_timeout 600;
   #       uwsgi_next_upstream_timeout 600;
           uwsgi_connect_timeout 600;
   #       uwsgi_cache_lock_timeout 600;
       }
       location /static  {
           alias /var/lib/openstack-dashboard/static;
       }
       #location /horizon/static  {
       #   alias /var/lib/openstack-dashboard/static;
       #}
   }
   

3. Restart the service:

   #systemctl restart nginx
   

RSclient¶

1. Stop the RSserver service aos-rs-listener.service:

   #systemctl stop aos-rs-broker-api.service
   
   #nano /usr/lib/systemd/system/aos-rs-broker-api.service
   

2. Add paths:

   ExecStart=/usr/bin/gunicorn3 -- certfile=/etc/aos/aos.domain.ru.crt --keyfile/etc/aos/aos.domain.ru.key --bind=0.0.0.0:9365 --workers=3 --threads=10 rs_server.api.broker_api.wsgi
   

3. Update files for systemd:

   #systemctl daemon-reload
   

4. Start the service:

   #systemctl start aos-rs-broker-api.service
   

5. Create a server certificate chain file:

   #cat /etc/aos/aos.domain.crt > ./aos-certs.crt
   #cat /usr/local/share/CA.crt >> ./aos-certs.crt
   

6. Copy this chain to RSclient host, open configuration file:

   Windows:

   C:\Users\UserName\.rsclient\client.conf, add
   ca_bundle_path = C:\Users\UserName\.rsclient\aos-certs.crt
   

   Astra:

   /home/user/.rsclient/client.conf
   ca_bundle_path = /home/user/.rsclient/aos-certs.crt
   use_smartcard = False
   

Working with certificates¶

It is required to request a certificate, signed by CA MS (attrib - select the desired template “certificatetemplate: test”, test - template name):

#> certreq.exe -attrib  "certificatetemplate:test" -submit .\test-linux.csr

Save the CA response to a file:

#> certreq -retrieve 52 (Certificate ID)

Install the root certificate to /etc/ssl/certs/ca-certificates.crt.

You also need to copy certificates to nodes and controllers, in /etc/nova/nova.conf add:

ssl_only = False (perhaps True is more correct)
cert = /etc/nova/ssl/domain.ru.crt
key = /etc/nova/ssl/domain.ru.key

On the nodes in the vnc section, replace novncproxy_base_url = https://ko-controller.aos.loc:6080/vnc_auto.html.

Add the address of the current DNS server to the config.

Restart the service nova-compute.