Adding Self-Signed Certificate for Heat and Cinder API Service Endpoints

Configuring Self-Signed Certificate for Heat API Service endpoints 

  • Update /etc/heat/heat.conf

    [DEFAULT]
    heat_metadata_server_url = https://controller:8000
    heat_waitcondition_server_url = https://controller:8000/v1/waitcondition

    [clients_keystone]
    auth_uri = https://controller:35357
    cert_file = /etc/ssl/client.pem
    key_file = /etc/ssl/client-key.pem
    insecure = true

    [ec2authtoken]
    auth_uri = https://controller:5000/v3
    cert_file = /etc/ssl/client.pem
    key_file = /etc/ssl/client-key.pem
    insecure = true

    [heat_api]
    cert_file = /etc/ssl/client.pem
    key_file = /etc/ssl/client-key.pem

    [keystone_authtoken]
    auth_uri = https://controller:5000
    auth_url = https://controller:35357
    certfile = /etc/ssl/client.pem
    keyfile = /etc/ssl/client-key.pem
    insecure = true

    [trustee]
    auth_url = https://controller:35357

  • After this, change the endpoint URLs from http to https in the database, or recreate the endpoints with https URLs. Then populate the Keystone database with the command su -s /bin/sh -c "keystone-manage db_sync" keystone and restart the Heat services.
  • Check this configuration by issuing the command openstack orchestration service list --insecure

Configuring Self-Signed Certificate for Cinder API Service endpoints 

  • Update /etc/cinder/cinder.conf

    [keystone_authtoken]
    certfile = /etc/apache2/ssl/client.pem
    keyfile = /etc/apache2/ssl/apache-key.pem
    insecure = true

  • Update /etc/nova/nova.conf

    [cinder]
    certfile = /etc/apache2/ssl/client.pem
    keyfile = /etc/apache2/ssl/apache-key.pem
    insecure = true

  • Update /etc/apache2/conf-enabled/cinder-wsgi.conf
  • The file cinder-wsgi.conf in /etc/apache2/conf-enabled/ is the one that configures the self-signed certificate for the Cinder API service endpoints.
  • Add client.pem and client-key.pem inside the <VirtualHost *:8776> block.
  • After this, change the endpoint URLs from http to https in the database, or recreate the endpoints with https URLs. Then populate the Keystone database with the command su -s /bin/sh -c "keystone-manage db_sync" keystone and restart the Cinder services.
  • Check this configuration by issuing the command openstack volume service list --insecure
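As an added check for both the Heat and the Cinder procedures above (example code written for this post, not part of the original or of OpenStack), the script below audits a heat.conf- or cinder.conf-style file: every auth_uri/auth_url/metadata URL must be https, and `insecure = true` is flagged because it turns certificate verification off entirely; with a self-signed certificate the verifying alternative is to leave insecure off and point the section's CA option (`cafile`, or `ca_file` in Heat's client sections) at the certificate. The sample config is constructed to mirror the heat.conf fragment, with one http URL left in.

```python
"""Audit an OpenStack service config for TLS settings (added example, not from the post)."""
import configparser
from urllib.parse import urlparse

# Keys that carry service URLs in the sections the post edits.
URL_KEYS = ("auth_uri", "auth_url",
            "heat_metadata_server_url", "heat_waitcondition_server_url")

# Constructed sample in the shape of the post's heat.conf fragment.
SAMPLE_HEAT_CONF = """
[DEFAULT]
heat_metadata_server_url = https://controller:8000
heat_waitcondition_server_url = http://controller:8000/v1/waitcondition

[clients_keystone]
auth_uri = https://controller:35357
cert_file = /etc/ssl/client.pem
key_file = /etc/ssl/client-key.pem
insecure = true

[keystone_authtoken]
auth_uri = https://controller:5000
auth_url = https://controller:35357
cafile = /etc/ssl/ca.pem
insecure = false
"""


def audit_tls(conf_text):
    """Return (section, finding) pairs; an empty list means nothing to fix."""
    # Rename the defaults section so [DEFAULT] is parsed as an ordinary
    # section and its values are not inherited by every other section.
    cp = configparser.ConfigParser(interpolation=None, default_section="__none__")
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        for key in URL_KEYS:
            url = cp.get(section, key, fallback=None)
            if url and urlparse(url).scheme != "https":
                findings.append((section, f"{key} is not https: {url}"))
        has_auth = any(cp.has_option(section, k) for k in ("auth_uri", "auth_url"))
        has_ca = any(cp.has_option(section, k) for k in ("cafile", "ca_file"))
        if cp.getboolean(section, "insecure", fallback=False):
            findings.append((section, "insecure = true disables certificate "
                             "verification; set cafile/ca_file to the self-signed "
                             "certificate instead"))
        elif has_auth and not has_ca:
            findings.append((section, "no CA file (cafile/ca_file) set; the system "
                             "trust store will not accept a self-signed certificate"))
    return findings


if __name__ == "__main__":
    for sec, msg in audit_tls(SAMPLE_HEAT_CONF):
        print(f"[{sec}] {msg}")
```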

In the next post we will look at configuring a self-signed certificate for Horizon (the Dashboard service).
