From ce35f807e4b455d2553e5356c3f821cdbe0afd3d Mon Sep 17 00:00:00 2001
From: Jacek Tomasiak
Date: Fri, 4 Sep 2020 09:39:18 +0200
Subject: [PATCH] horizon: Correct SAN in SSL certs (SOC-10584)

The gensslcert script from apache-utils didn't support setting SAN values. This resulted in useless certificate which had SAN set to email:webmaster@... or (in new version) FQDN of the node where horizon was deployed. After adding new option to gensslcert, crowbar can set SAN to proper values which is especially important in HA deployments.
---
 chef/cookbooks/horizon/recipes/server.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/chef/cookbooks/horizon/recipes/server.rb b/chef/cookbooks/horizon/recipes/server.rb
index e1e87c7157..e87026e434 100644
--- a/chef/cookbooks/horizon/recipes/server.rb
+++ b/chef/cookbooks/horizon/recipes/server.rb
@@ -517,9 +517,14 @@
 if node[:horizon][:apache][:ssl] && node[:horizon][:apache][:generate_certs]
 package "apache2-utils"
 
+ sanDomains = []
+ sanDomains.push(CrowbarHelper.get_host_for_public_url(node, true, ha_enabled))
+ sanDomains.push(CrowbarHelper.get_host_for_admin_url(node, ha_enabled))
+ san = sanDomains.map { |d| "DNS:#{d}" }.join(",")
+
 bash "Generate Apache certificate" do
 code <<-EOH
- (umask 377 ; /usr/bin/gensslcert -C openstack-dashboard -n openstack-dashboard)
+ (umask 377 ; /usr/bin/gensslcert -C openstack-dashboard -n openstack-dashboard -a "#{san}")
 EOH
 only_if do
 !File.size?(node[:horizon][:apache][:ssl_crt_file]) && (
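Review bot: The `san` value is built from whatever `CrowbarHelper.get_host_for_public_url` and `get_host_for_admin_url` return and is interpolated unescaped into the bash heredoc as `-a "#{san}"`, so a nil or duplicate result becomes a wrong or redundant `DNS:` entry and any shell metacharacter in a configured name would be interpreted by bash. If those helpers can return an IP literal (not visible in this hunk), that entry would presumably need a SAN type other than `DNS:` for clients to match it, which is worth confirming against what gensslcert's `-a` option accepts. A small hardening would be to build the list as `san_domains = [...].compact.uniq` and pass `-a #{Shellwords.escape(san)}` with `require "shellwords"`, which also brings the variable name in line with Ruby's snake_case. The `only_if` guard continues outside the hunk; as far as it is visible, generation runs only when the certificate file is missing or empty, so nodes that already hold a certificate with the bad SAN would keep it until that file is removed.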