This is a blog with random OpenStack and Linux related notes so I don't forget things. If you find something inaccurate or that could be fixed, please file a bug report here.

View on GitHub

Back to home

11 August 2016

Certificates for the undercloud's public endpoints using FreeIPA

by Juan Antonio Osorio Robles

TripleO’s undercloud has the option to auto-generate certificates for its public endpoints (hopefully soon I’ll add the same option for the admin and internal ones). This is based on certmonger. Being certmonger able to get certificates from FreeIPA, we’ll do just that.

FreeIPA setup

It is assumed that you have FreeIPA running somewhere. Else, you can follow this post by Adam Young to install it quickly, or you could even use Heat to install it.

First of all, we need to register the undercloud node as a host in FreeIPA. For this, we need an account that’s able to do this. So, making sure we have the appropriate permissions and that we have a kerberos ticket that’s valid. We add the host to FreeIPA as the following:

ipa host-add undercloud.walrusdomain --password=MySecret --force

Remember to use your own domain here.

This will give you an output such as the following:

Added host "undercloud.walrusdomain"
  Host name: undercloud.walrusdomain
  Password: True
  Keytab: False
  Managed by: undercloud.walrusdomain

You might aso need an appropriate service for HAProxy in the undercloud. We can add it with the following command:

ipa service-add haproxy/undercloud.walrusdomain@WALRUSDOMAIN --force

Make sure that the hostname, the domain and the kerberos realm are appropriate to your deployment. Once the aforementioned command was ran, you’ll see output such as the following:

Added service "haproxy/undercloud.walrusdomain@WALRUSDOMAIN"
  Principal: haproxy/undercloud.walrusdomain@WALRUSDOMAIN
  Managed by: undercloud.walrusdomain

Once we have this ready, we need to log in the undercloud node and enroll it as a FreeIPA client.

Undercloud enrollment to FreeIPA

Please note that we need to make sure we have access to the FreeIPA server node from the undercloud. Also, the undercloud’s domain needs to match the kerberos realm that FreeIPA manages. Finally, the undercloud’s FQDN must match the host that was created in FreeIPA. So, with this in mind, we can do the enrollment:

# Install needed FreeIPA client package
sudo yum install -y ipa-client
# Enroll host to FreeIPA
sudo ipa-client-install --server ipa.walrusdomain --password=MySecret \
    --domain=walrusdomain --unattended

Once this is done, in FreeIPA we can now see the following:

$ ipa host-show undercloud.walrusdomain
  Host name: undercloud.walrusdomain
  Principal name: host/undercloud.walrusdomain@WALRUSDOMAIN
  Password: False
  Keytab: True
  Managed by: undercloud.walrusdomain
  SSH public key fingerprint: 70:01:26:83:99:98:9C:60:07:FA:E7:48:AD:4B:13:1E (ssh-rsa),
                              C9:48:BC:55:CE:89:A8:14:A5:7C:B0:3F:85:86:E0:11 (ssh-ed25519),
                              CB:D4:09:3D:3B:1E:6B:FB:70:A4:0C:2C:1C:50:B3:C6 (ecdsa-sha2-nistp256)

Noting that the OTP is no longer usable (Password: False) and the Keytab is set to True, which means we have a keytab in that host that we can use for authenticating.

Now, in the undercloud node, we need to get the kerberos ticket in order to be able to request our certificate:

sudo kinit -k -t /etc/krb5.keytab

We can verify that we indeed have a kerberos ticket with the following command:

sudo klist

Which should give the output that resembles this:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/undercloud.walrusdomain@WALRUSDOMAIN

Valid starting       Expires              Service principal
08/11/2016 11:48:08  08/12/2016 11:48:08  krbtgt/WALRUSDOMAIN@WALRUSDOMAIN

Undercloud setup

Now we have everything we need. So for the undercloud to be able to request certificates from FreeIPA, we need to add the following values to the undercloud.conf file.

# With this we will make HAProxy bind to this hostname, so it will use the IP
# that hostname has. It will also get the keystone endpoints to use a hostname
# instead of an IP.
undercloud_public_vip = undercloud.walrusdomain
# This will tell the undercloud to use certmonger to autogenerate the
# certificate.
generate_service_certificate = true
# This will tell certmonger to use FreeIPA as the CA for those certificates.
certificate_generation_ca = IPA
# This is the service principal that we created for HAProxy
service_principal = haproxy/undercloud.walrusdomain@WALRUSDOMAIN

Having changed these values, we can run this to install or re-install the undercloud:

openstack undercloud install

Once this is done, we can verify that the public keystone endpoints are listening on https like this:

# Keystone v3
openstack endpoint list
# Keystone v2
openstack endpoint list --long

Furtherly, we can check that certmonger is tracking the service certificate:

sudo getcert list

Which should show something like this:

Request ID 'undercloud-haproxy-public-cert':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/private/undercloud-front.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/undercloud-front.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=WALRUSDOMAIN
        subject: CN=undercloud.walrusdomain,O=WALRUSDOMAIN
        expires: 2018-08-12 12:12:09 UTC
        principal name: haproxy/undercloud.walrusdomain@WALRUSDOMAIN
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: 
        post-save command: /usr/bin/instack-haproxy-cert-update '/etc/pki/tls/certs/undercloud-front.crt' '/etc/pki/tls/private/undercloud-front.key' /etc/pki/tls/certs/undercloud-undercloud.walrusdomain.pem
        track: yes
        auto-renew: yes

tags: tripleo - freeipa

Back to home