Configuring Self-Signed Certificate for Nova API Service endpoints 

  • Update /etc/nova/nova.conf 

[DEFAULT] 

ssl_only = True   

cert = /etc/ssl/client.pem 

key = /etc/ssl/client-key.pem 

enabled_ssl_apis = osapi_compute,metadata 

[glance] 

api_servers = https://controller:9292 

certfile = /etc/ssl/client.pem 

keyfile = /etc/ssl/client-key.pem 

insecure = true 

[keystone_authtoken] 

auth_uri = https://controller:5000 

auth_url = https://controller:35357 

certfile = /etc/ssl/client.pem 

keyfile = /etc/ssl/client-key.pem 

insecure = true 

  • The Placement API service endpoints should also be configured with the self-signed certificate for nova.
  • The file nova-placement-api.conf in /etc/apache2/sites-available/ is used to configure the self-signed certificate for the Placement API service endpoints.
  • Add client.pem and client-key.pem in <VirtualHost *:8778>.

[placement] 

auth_url = https://controller:35357/v3 

certfile = /etc/ssl/client.pem 

keyfile = /etc/ssl/client-key.pem 

insecure = true 

[vnc] 

novncproxy_base_url = https://controller:6080/vnc_auto.html 

[wsgi] 

ssl_cert_file = /etc/ssl/client.pem 

ssl_key_file = /etc/ssl/client-key.pem 

  • After this, change the endpoint URLs from http to https in the database, or recreate the endpoints with https URLs. Then populate the keystone database with the command su -s /bin/sh -c "keystone-manage db_sync" keystone and restart the nova services.
  • Check this configuration by issuing the command openstack compute service list --insecure
  • Check the cells and placement API by issuing the command nova-status upgrade check

Configuring Self-Signed Certificate for Neutron API Service endpoints 

  • Update /etc/neutron/neutron.conf 

[DEFAULT] 

use_ssl = true 

[keystone_authtoken] 

auth_uri = https://controller:5000 

auth_url = https://controller:35357 

certfile = /etc/ssl/client.pem 

keyfile = /etc/ssl/apache.key 

insecure = true 

[nova] 

auth_url = https://controller:35357 

certfile = /etc/ssl/client.pem 

insecure = true 

keyfile = /etc/ssl/client-key.pem 

[ssl] 

cert_file = /etc/ssl/client.pem 

key_file = /etc/ssl/client-key.pem 

  • Update /etc/nova/nova.conf 

[neutron] 

url = https://controller:9696 

auth_url = https://controller:35357 

certfile = /etc/ssl/client.pem 

keyfile = /etc/ssl/client-key.pem 

insecure = true 

  • After this, change the endpoint URLs from http to https in the database, or recreate the endpoints with https URLs. Then populate the keystone database with the command su -s /bin/sh -c "keystone-manage db_sync" keystone and restart the neutron services and the nova-api service.
  • Check this configuration by issuing the command openstack network agent list --insecure
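
The insecure = true lines in the sections above turn off verification of the server certificate, so each client accepts whatever certificate the endpoint presents. As an added example (not part of the original post), the script below audits a config file for that setting and for leftover http URLs; the sample text and the /etc/ssl/ca.pem path are constructed, and cafile is the standard option for naming the certificate that signed the endpoint's certificate.

```python
import configparser

# Constructed sample: [keystone_authtoken] follows the post's pattern but keeps one
# leftover http URL; [neutron] is a hypothetical hardened variant using cafile.
SAMPLE_CONF = """
[keystone_authtoken]
auth_uri = https://controller:5000
auth_url = http://controller:35357
certfile = /etc/ssl/client.pem
keyfile = /etc/ssl/client-key.pem
insecure = true

[neutron]
url = https://controller:9696
certfile = /etc/ssl/client.pem
keyfile = /etc/ssl/client-key.pem
cafile = /etc/ssl/ca.pem
insecure = false
"""

URL_KEYS = ("auth_uri", "auth_url", "url", "api_servers", "novncproxy_base_url")
TRUE_VALUES = {"true", "1", "yes", "on"}


def audit_tls(conf_text):
    """Return (section, option, finding) tuples for weak TLS client settings."""
    # default_section is renamed so [DEFAULT] is read as an ordinary section
    # instead of being merged into every other section.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__unused__"
    )
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        opts = parser[section]
        if opts.get("insecure", "false").strip().lower() in TRUE_VALUES:
            # Verification is off: any certificate from the peer is accepted.
            hint = ("cafile is set, remove insecure" if "cafile" in opts
                    else "add cafile for the signing certificate, then remove insecure")
            findings.append((section, "insecure", hint))
        for key in URL_KEYS:
            if opts.get(key, "").strip().lower().startswith("http://"):
                findings.append((section, key, "endpoint still uses plain http"))
    return findings


if __name__ == "__main__":
    for section, option, finding in audit_tls(SAMPLE_CONF):
        print(f"[{section}] {option}: {finding}")
```

Pass the contents of /etc/nova/nova.conf or /etc/neutron/neutron.conf to audit_tls() to list the sections that still skip verification.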

We will look at configuring self-signed SSL for Cinder (Volume Service) and Heat (Orchestration Service) in the next post.
