Configuring HTTPS for the instance console

To configure the instance console to work over HTTPS, do the following.
ldaps

Copy the LDAP server's public key (the certificate used to encrypt the protocol) to /etc/keystone/domains and open the domain configuration:

    # nano /etc/keystone/domains/keystone.main.conf

In the [ldap] section, change:

    url = ldaps://0.0.0.0:636
    tls_cacertfile = /etc/keystone/domains/dc01-ldap.crt
    tls_req_cert = never

Note that tls_req_cert = never makes keystone accept any certificate the LDAP server presents, so the copied CA file is not actually used to authenticate it; setting tls_req_cert = demand makes keystone reject a server certificate that does not chain to tls_cacertfile.

Restart the service:

    # systemctl restart keystone
Enabling SSL on nginx

Copy the server's public and private keys to /etc/aos/crt and change the owner of the files:

    # chown aos:aos /etc/aos/crt/*

Install the root certificate into /etc/ssl/certs/ca-certificates.crt; to do this, copy it to /usr/local/share/CA.crt and run:

    # update-ca-certificates

On Debian-based systems update-ca-certificates only picks up .crt files placed under /usr/local/share/ca-certificates/, so check that the root certificate actually appears in /etc/ssl/certs/ca-certificates.crt afterwards.

Edit the dashboard site configuration (the first six lines of the server block are the ones that change):

    # nano /etc/nginx/sites-available/dashboard.conf

    server {
        listen 443 ssl;
        server_name ssl_;
        charset utf-8;
        ssl on;
        ssl_certificate /etc/aos/crt/aos.domain.ru.crt;
        ssl_certificate_key /etc/aos/crt/aos.domain.ru.key;
        root /usr/share/openstack-dashboard;
        client_body_temp_path /tmp/nginx_upload;
        client_body_in_file_only off;
        client_body_buffer_size 1M;
        client_max_body_size 100G;
        location / {
            try_files $uri @uwsgi;
        }
        location @uwsgi {
            uwsgi_pass 127.0.0.1:3080;
            #uwsgi_pass unix:/run/uwsgi/dashboard.sock;
            include uwsgi_params;
            uwsgi_buffer_size 32k;
            uwsgi_buffers 8 32k;
            #uwsgi_param SCRIPT_NAME /horizon;
            #uwsgi_modifier1 30;
            uwsgi_read_timeout 600;
            uwsgi_send_timeout 600;
            #uwsgi_next_upstream_timeout 600;
            uwsgi_connect_timeout 600;
            #uwsgi_cache_lock_timeout 600;
        }
        location /static {
            alias /var/lib/openstack-dashboard/static;
        }
        #location /horizon/static {
        #    alias /var/lib/openstack-dashboard/static;
        #}
    }

On nginx 1.15 and later the ssl on; directive is deprecated; listen 443 ssl; already enables TLS for the server block.

Restart the service:

    # systemctl restart nginx
RSclient

Stop the RSserver service (aos-rs-listener.service) and open the unit file:

    # systemctl stop aos-rs-broker-api.service
    # nano /usr/lib/systemd/system/aos-rs-broker-api.service

Add the certificate and key paths to ExecStart:

    ExecStart=/usr/bin/gunicorn3 --certfile=/etc/aos/aos.domain.ru.crt --keyfile=/etc/aos/aos.domain.ru.key --bind=0.0.0.0:9365 --workers=3 --threads=10 rs_server.api.broker_api.wsgi

Reload the unit files for systemd:

    # systemctl daemon-reload

Start the service:

    # systemctl start aos-rs-broker-api.service

Create the server certificate chain file (server certificate first, then the root certificate):

    # cat /etc/aos/aos.domain.crt > ./aos-certs.crt
    # cat /usr/local/share/CA.crt >> ./aos-certs.crt

Copy this chain to the RSclient host and add its path to the client configuration file:

Windows: C:\Users\UserName\.rsclient\client.conf

    ca_bundle_path = C:\Users\UserName\.rsclient\aos-certs.crt

Astra: /home/user/.rsclient/client.conf

    ca_bundle_path = /home/user/.rsclient/aos-certs.crt
    use_smartcard = False
Working with certificates

Request a certificate signed by the Microsoft CA (-attrib selects the desired template, "certificatetemplate:test", where test is the template name):

    #> certreq.exe -attrib "certificatetemplate:test" -submit .\test-linux.csr

Save the CA response to a file (52 is the ID of the certificate request):

    #> certreq -retrieve 52

Install the root certificate into /etc/ssl/certs/ca-certificates.crt.

You also need to copy the certificates to the nodes and controllers and add to /etc/nova/nova.conf:

    ssl_only = False
    cert = /etc/nova/ssl/domain.ru.crt
    key = /etc/nova/ssl/domain.ru.key

(Perhaps ssl_only = True is more correct: with False the console proxy still accepts unencrypted connections.)

On the nodes, in the [vnc] section, replace the proxy URL with:

    novncproxy_base_url = https://ko-controller.aos.loc:6080/vnc_auto.html

Add the address of the current DNS server to the config.

Restart the nova-compute service.
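As an added check (not part of this page or the product's own tooling), the following Python script parses constructed copies of the keystone [ldap] section and the nova.conf values shown above and reports the settings that leave the LDAPS server or the console proxy unauthenticated. The sample configs and the finding messages are assumptions of the example; keystone's default of tls_req_cert = demand and nova's meaning of ssl_only are taken from those projects' documentation.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample: the [ldap] section as the page sets it (not a real host's file).
KEYSTONE_DOMAIN_CONF = """[ldap]
url = ldaps://0.0.0.0:636
tls_cacertfile = /etc/keystone/domains/dc01-ldap.crt
tls_req_cert = never
"""

# Constructed sample: the nova.conf values as the page sets them.
NOVA_CONF = """[DEFAULT]
ssl_only = False
cert = /etc/nova/ssl/domain.ru.crt
key = /etc/nova/ssl/domain.ru.key
[vnc]
novncproxy_base_url = https://ko-controller.aos.loc:6080/vnc_auto.html
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

# Each audit returns a list of findings; an empty list means no weak setting.
def audit_keystone_ldap(text):
    cp, findings = _parse(text), []
    if urlparse(cp.get("ldap", "url", fallback="")).scheme != "ldaps":
        findings.append("url is not ldaps://: bind credentials travel in clear text")
    if not cp.get("ldap", "tls_cacertfile", fallback=""):
        findings.append("tls_cacertfile unset: server certificate cannot be verified")
    # keystone defaults to 'demand'; 'never' (and 'allow') accept an unverifiable
    # server certificate, so the copied CA file is never actually checked.
    if cp.get("ldap", "tls_req_cert", fallback="demand").lower() != "demand":
        findings.append("tls_req_cert is not 'demand': LDAPS server is not authenticated")
    return findings

def audit_nova(text):
    cp, findings = _parse(text), []
    if cp.get("DEFAULT", "ssl_only", fallback="False").lower() != "true":
        findings.append("ssl_only is not True: console proxy still accepts plain connections")
    if not (cp.get("DEFAULT", "cert", fallback="") and cp.get("DEFAULT", "key", fallback="")):
        findings.append("cert/key unset: console proxy has no TLS certificate")
    if urlparse(cp.get("vnc", "novncproxy_base_url", fallback="")).scheme != "https":
        findings.append("novncproxy_base_url is not https://: console token sent in clear")
    return findings

if __name__ == "__main__":
    print("keystone:", audit_keystone_ldap(KEYSTONE_DOMAIN_CONF) or ["ok"])
    print("nova:", audit_nova(NOVA_CONF) or ["ok"])
```

Run against the real files (for example with open("/etc/keystone/domains/keystone.main.conf").read()) after each edit above; the page's own values produce exactly one finding per file.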