Configuring https for the instance console

To configure the instance console to work via https, do the following:

ldaps

  1. Copy the LDAP server's TLS certificate (the public part, dc01-ldap.crt below) to /etc/keystone/domains and open the domain configuration:

    #nano /etc/keystone/domains/keystone.main.conf
    
  2. In the [ldap] section, change:

    url = ldaps://0.0.0.0:636
    tls_cacertfile = /etc/keystone/domains/dc01-ldap.crt
    tls_req_cert = never
    
    Note that tls_req_cert = never disables verification of the LDAP server certificate against tls_cacertfile; the value demand enforces it.
    
  3. Restart the service:

    #systemctl restart keystone

Enabling SSL on nginx

  1. Copy the server certificate and private key to /etc/aos/crt and change the owner of the files:

    #chown aos:aos /etc/aos/crt/*
    
  2. Install the root certificate into /etc/ssl/certs/ca-certificates.crt: copy it to /usr/local/share/CA.crt and run:

    #update-ca-certificates
    
    Then edit the dashboard site configuration (only the first six lines of the server block change; the rest is shown for context):

    #nano /etc/nginx/sites-available/dashboard.conf
    server {
        listen 443 ssl;
        server_name ssl_;
        charset utf-8;
        ssl on;
        ssl_certificate          /etc/aos/crt/aos.domain.ru.crt;
        ssl_certificate_key /etc/aos/crt/aos.domain.ru.key;
    
        root /usr/share/openstack-dashboard;
    
        client_body_temp_path      /tmp/nginx_upload;
        client_body_in_file_only   off;
        client_body_buffer_size    1M;
        client_max_body_size       100G;
    
        location / {
            try_files $uri @uwsgi;
        }
    
        location @uwsgi  {
            uwsgi_pass      127.0.0.1:3080;
            #uwsgi_pass      unix:/run/uwsgi/dashboard.sock;
            include         uwsgi_params;
            uwsgi_buffer_size 32k;
            uwsgi_buffers 8 32k;
    #       #uwsgi_param     SCRIPT_NAME  /horizon;
    #       #uwsgi_modifier1 30;
            uwsgi_read_timeout 600;
            uwsgi_send_timeout 600;
    #       uwsgi_next_upstream_timeout 600;
            uwsgi_connect_timeout 600;
    #       uwsgi_cache_lock_timeout 600;
        }
        location /static  {
            alias /var/lib/openstack-dashboard/static;
        }
        #location /horizon/static  {
        #   alias /var/lib/openstack-dashboard/static;
        #}
    }
    
  3. Restart the service:

    #systemctl restart nginx
    

RSclient

  1. Stop the RSserver service aos-rs-listener.service and open its systemd unit file:

    #systemctl stop aos-rs-broker-api.service
    
    #nano /usr/lib/systemd/system/aos-rs-broker-api.service
    
  2. Add the certificate and key paths to the ExecStart line:

    ExecStart=/usr/bin/gunicorn3 --certfile=/etc/aos/aos.domain.ru.crt --keyfile=/etc/aos/aos.domain.ru.key --bind=0.0.0.0:9365 --workers=3 --threads=10 rs_server.api.broker_api.wsgi
    
  3. Update files for systemd:

    #systemctl daemon-reload
    
  4. Start the service:

    #systemctl start aos-rs-broker-api.service
    
  5. Create a server certificate chain file:

    #cat /etc/aos/aos.domain.crt > ./aos-certs.crt
    #cat /usr/local/share/CA.crt >> ./aos-certs.crt
    
  6. Copy this chain to the RSclient host and add the following to the client configuration file:

    Windows (C:\Users\UserName\.rsclient\client.conf):

    ca_bundle_path = C:\Users\UserName\.rsclient\aos-certs.crt
    

    Astra (/home/user/.rsclient/client.conf):

    ca_bundle_path = /home/user/.rsclient/aos-certs.crt
    use_smartcard = False
    

Working with certificates

Request a certificate signed by the Microsoft CA (the -attrib option selects the template; here "certificatetemplate:test", where test is the template name):

#> certreq.exe -attrib  "certificatetemplate:test" -submit .\test-linux.csr

Save the CA response to a file (52 is the Certificate ID returned by the submit step):

#> certreq -retrieve 52

Install the root certificate to /etc/ssl/certs/ca-certificates.crt.

Also copy the certificates to the compute nodes and controllers, and add to /etc/nova/nova.conf:

ssl_only = False
cert = /etc/nova/ssl/domain.ru.crt
key = /etc/nova/ssl/domain.ru.key

(perhaps True is more correct for ssl_only: with ssl_only = True the noVNC proxy refuses unencrypted connections)

On the nodes, in the [vnc] section, change novncproxy_base_url to https://ko-controller.aos.loc:6080/vnc_auto.html.
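The keystone [ldap] settings from the ldaps section and the nova.conf noVNC settings above are the two places where a weak value quietly undoes the HTTPS work. The following added example (not part of the original guide) audits both files with the standard library; the embedded configs are constructed from the keys used in this guide and the hostnames are illustrative.

```python
import configparser
from urllib.parse import urlparse
# Constructed samples mirroring the two files edited in the guide (illustrative values).
KEYSTONE_DOMAIN_CONF = """
[ldap]
url = ldaps://0.0.0.0:636
tls_cacertfile = /etc/keystone/domains/dc01-ldap.crt
tls_req_cert = never
"""

NOVA_CONF = """
[DEFAULT]
ssl_only = False
cert = /etc/nova/ssl/domain.ru.crt
key = /etc/nova/ssl/domain.ru.key
[vnc]
novncproxy_base_url = http://ko-controller.aos.loc:6080/vnc_auto.html
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def audit_keystone_ldap(text):
    # Findings for the keystone [ldap] section; an empty list means OK.
    cp, findings = _parse(text), []
    url = urlparse(cp.get("ldap", "url", fallback=""))
    if url.scheme != "ldaps":
        findings.append("url is not ldaps: bind credentials travel in clear")
    # With tls_req_cert = demand the URL host must match the server certificate, so it must be the server's name, not 0.0.0.0.
    if url.hostname in (None, "0.0.0.0"):
        findings.append("url host is not the LDAP server's name")
    if cp.get("ldap", "tls_req_cert", fallback="demand").lower() != "demand":
        findings.append("tls_req_cert != demand: server certificate is not verified")
    return findings

def audit_nova_vnc(text):
    # Findings for the noVNC proxy TLS settings in nova.conf.
    cp, findings = _parse(text), []
    if not cp.getboolean("DEFAULT", "ssl_only", fallback=False):
        findings.append("ssl_only is False: proxy still accepts plaintext clients")
    for key in ("cert", "key"):
        if not cp.get("DEFAULT", key, fallback=""):
            findings.append(f"{key} is not set in [DEFAULT]")
    if urlparse(cp.get("vnc", "novncproxy_base_url", fallback="")).scheme != "https":
        findings.append("novncproxy_base_url is not https")
    return findings
```

Run the two audit functions against the real files after editing them; an empty list from both means the console path is encrypted end to end and the LDAP server certificate is actually checked.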

Add the address of the current DNS server to the config.

Restart the nova-compute service.