horizon: Correct SAN in SSL certs (SOC-10584)

The gensslcert script from apache-utils didn't support setting SAN values. This resulted in useless certificate which had SAN set to email:webmaster@... or (in new version) FQDN of the node where horizon was deployed. After adding new option to gensslcert, crowbar can set SAN to proper values which is especially important in HA deployments.
crowbar · Sep 4, 2020 · ce35f80 · ce35f80
1 parent 49cb640
commit ce35f80
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/chef/cookbooks/horizon/recipes/server.rb b/chef/cookbooks/horizon/recipes/server.rb
@@ -517,9 +517,14 @@
 if node[:horizon][:apache][:ssl] && node[:horizon][:apache][:generate_certs]
   package "apache2-utils"
 
+  sanDomains = []
+  sanDomains.push(CrowbarHelper.get_host_for_public_url(node, true, ha_enabled))
+  sanDomains.push(CrowbarHelper.get_host_for_admin_url(node, ha_enabled))
+  san = sanDomains.map { |d| "DNS:#{d}" }.join(",")
+
   bash "Generate Apache certificate" do
     code <<-EOH
-      (umask 377 ; /usr/bin/gensslcert -C openstack-dashboard -n openstack-dashboard)
+      (umask 377 ; /usr/bin/gensslcert -C openstack-dashboard -n openstack-dashboard -a "#{san}")
 EOH
     only_if do
       !File.size?(node[:horizon][:apache][:ssl_crt_file]) && (