Configuring https for the instance console

To configure the instance console to work via https, do the following:

ldaps

  1. Copy the protocol encryption public key ldap to /etc/keystone/domains:

    #nano /etc/keystone/domains/keystone.main.conf

  2. In the [ldap] section, change:

    url = ldaps://0.0.0.0:636
tls_cacertfile = /etc/keystone/domains/dc01-ldap.crt
tls_req_cert = never

  3. Restart the service systemctl restart keystone.

Enabling ssl on nginx

  1. Copy the public and private keys of the server to /etc/aos/crt, change the owner of the files:

    #chown aos:aos /etc/aos/crt/*

  2. Install the root certificate to /etc/ssl/certs/ca-certificates.crt, to do this, copy it to /usr/local/share/CA.crt and run:

    #update-ca-certificates
#nano /etc/nginx/sites-available/dashboard.conf (top 6 lines)
server {
    listen 443 ssl;
    server_name ssl_;
    charset utf-8;
    ssl on;
    ssl_certificate          /etc/aos/crt/aos.domain.ru.crt;
    ssl_certificate_key /etc/aos/crt/aos.domain.ru.key;

    root /usr/share/openstack-dashboard;

    client_body_temp_path      /tmp/nginx_upload;
    client_body_in_file_only   off;
    client_body_buffer_size    1M;
    client_max_body_size       100G;

    location / {
        try_files $uri @uwsgi;
    }

    location @uwsgi  {
        uwsgi_pass      127.0.0.1:3080;
        #uwsgi_pass      unix:/run/uwsgi/dashboard.sock;
        include         uwsgi_params;
        uwsgi_buffer_size 32k;
        uwsgi_buffers 8 32k;
#       #uwsgi_param     SCRIPT_NAME  /horizon;
#       #uwsgi_modifier1 30;
        uwsgi_read_timeout 600;
        uwsgi_send_timeout 600;
#       uwsgi_next_upstream_timeout 600;
        uwsgi_connect_timeout 600;
#       uwsgi_cache_lock_timeout 600;
    }
    location /static  {
        alias /var/lib/openstack-dashboard/static;
    }
    #location /horizon/static  {
    #   alias /var/lib/openstack-dashboard/static;
    #}
}

  3. Restart the service:

    #systemctl restart nginx

RSclient

  1. Stop the RSserver service aos-rs-listener.service:

    #systemctl stop aos-rs-broker-api.service

#nano /usr/lib/systemd/system/aos-rs-broker-api.service

  2. Add paths:

    ExecStart=/usr/bin/gunicorn3 -- certfile=/etc/aos/aos.domain.ru.crt --keyfile/etc/aos/aos.domain.ru.key --bind=0.0.0.0:9365 --workers=3 --threads=10 rs_server.api.broker_api.wsgi

  3. Update files for systemd:

    #systemctl daemon-reload

  4. Start the service:

    #systemctl start aos-rs-broker-api.service

  5. Create a server certificate chain file:

    #cat /etc/aos/aos.domain.crt > ./aos-certs.crt
#cat /usr/local/share/CA.crt >> ./aos-certs.crt

  6. Copy this chain to RSclient host, open configuration file:

    Windows:

    C:\Users\UserName\.rsclient\client.conf, add
ca_bundle_path = C:\Users\UserName\.rsclient\aos-certs.crt

    Astra:

    /home/user/.rsclient/client.conf
ca_bundle_path = /home/user/.rsclient/aos-certs.crt
use_smartcard = False

Working with certificates

It is required to request a certificate, signed by CA MS (attrib - select the desired template “certificatetemplate: test”, test - template name):

#> certreq.exe -attrib  "certificatetemplate:test" -submit .\test-linux.csr

Save the CA response to a file:

#> certreq -retrieve 52 (Certificate ID)

Install the root certificate to /etc/ssl/certs/ca-certificates.crt.

You also need to copy certificates to nodes and controllers, in /etc/nova/nova.conf add:

ssl_only = False (perhaps True is more correct)
cert = /etc/nova/ssl/domain.ru.crt
key = /etc/nova/ssl/domain.ru.key

On the nodes in the vnc section, replace novncproxy_base_url = https://ko-controller.aos.loc:6080/vnc_auto.html.

Add the address of the current DNS server to the config.

Restart the service nova-compute.