Openstack Dashboard updating SSL certificate

dvnt · 7 August 2019 18:12

I’m trying to update the SSL certificate on my Openstack Dashboard by updating the ‘ssl_cert (string)’ and the ‘ssl_key (string)’ settings in the charm itsef.

My thinking is that when the certificate expires, or if I wish to change certificate provider, I should be able to do this on the charm, and not hack around on the machine itself.

It doesn’t look like the modified settings are updated on the machine itself after saving and deploying the changes.

Does anyone have any experience on this or have any ideas?

timClicks · 8 August 2019 06:57

Pinging @chris.macnaughton. Have any ideas on how to do this in a non-kludgy way?

dvnt · 8 August 2019 17:43

Interesting observation:

Even if you go hacking around on the box and replace the certicate and key files from the new certificate provider. It eventually gets overwritten by juju with the original base64 values entered on the charm at deploy time. LOL

fnordahl · 9 August 2019 10:08

Hello @dvnt and thank you for using the OpenStack Charms!

What version of the openstack-dashboard charm are you using?

What exact steps do you take to change the certificate data stored in the juju configuration?

I have just tried changing the certificate configuration in a deployment with the latest version of the openstack-dashboard charm and the new certificate data is written to disk and the Apache web server is restarted as you would expect. I have also confirmed that the served certificate changes with help from openssl s_client -connect hostname:port

While I have your attention I would like to tell you about our Certificate Lifecycle Management solution which is documented as a appendix to the OpenStack Charms Deployment Guide.

That will give you a single point of control of certificates for your entire deployment instead of dealing with individual charm configurations.

dvnt · 9 August 2019 11:01

Hey @fnordahl thanks for the response.

I’m currently on version 280 of the openstack-dashboard. I see the latest available is 288. Will upgrade and see what happens.

The steps I’ve taken to update the cert is go to the Juju Gui, open the Openstack Dashboard Charm and go down to the ‘ssl_cert (string)’ and the ‘ssl_key (string)’ settings and replace the values with updated values from my new certificate.

Thanks for the heads up on the Certificate Lifecycle Management solution. I didn’t even know there was charmed Openstack Docs available on the docs.openstack.org looks to be a real solid solution particularly for when wanting to run HTTPS on all the API entrypoints.

dvnt · 10 August 2019 02:15

Upgraded the charm to 288 this morning retried the same steps with same result.

I just gave this a bash, seems to work on the CLI.

juju config openstack-dashboard ssl_key="$(base64 /path/to/privkey.pem )" ssl_cert="$(base64 /path/to/cert.pem)"

On the Charm Home I believe there’s a typo. It reads " juju set openstack-dashboard ssl_key="$(base64 my.key)" ssl_cert="$(base64 my.cert)" - juju set does not exist