Openstack Vault with SSL Certificates

Hello there,

I’m using an openstack base deployment with Focal and Openstack Yoga. I’ve managed to successfully set everything up and generated my own certificate with the generate-root-ca command.

However, the generate-root-ca deploys a self-signed certificate for my Horizon Dashboard. I have an SSL Wildcard signed certificate that I use for all my websites, however I don’t know how to use it with my Horizon site or use it with the VAULT. When I tried to upload it to the VAULT I get a message saying that the certificate is not a CA Certificate and I assume that it is talking about my SSL Certificate. Can you provide any guidance as to how I should set up my SSL Certificate for Horizon? Sorry about it, but I have zero knowledge in terms of SSL Certificates and how it all works.

Thank you in advance for any help.

See the README for the openstack-dashboard charm. Please let me know if this works out for you.

Hi, I used that configuration to try and upload my own certificate, however, the dashboard is still serving the vault generated certificate. The new certificate somehow doesn’t override the vault provided one. Should I remove the Vault - Dashboard relation? I’ve tried from different computers, using incognito browsers and different browsers as well, just to make sure it isn’t a cache issue.

So I made a few tests and this is what I found out:

If I link the Horizon dashboard to the VAULT with self generated root-ca, everything works out of the box but I have a self-signed certificate for the dashboard. If I follow the readme to use my own SSL Certificate for the dashboard, it doesn’t override the default one from the VAULT.

If I don’t link the Horizon Dashboard to the Vault, my SSL Configuration works, however, I cannot connect to keystone since I’m not using the VAULT with self-signed certificates.

Could this be due to a bug?

You could try relating the dashboard to vault, then collecting the chain provided by vault and concatenating it with the chain you want to use for external access to the dashboard. Then provide the ssl key, ssl cert and ssl ca (the concatenated ca) via charm config option. It may work but I think it is more likely that the charm will ignore what’s provided via charm config if the vault relation is present. If this doesn’t work then I think it would be worth raising a bug.
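
The concatenation step suggested in the last reply, as an added example that is not part of the thread or the charm's own code: it merges two PEM chains into one CA bundle, keeping only certificate blocks so a private key never ends up in the bundle. The file names are hypothetical, and both the `ssl_ca` option name and the base64 encoding of its value are assumptions to confirm against the charm README.

```shell
#!/bin/sh
# Added example: merge PEM CA chains into one bundle for a charm config value.
# Nothing here talks to juju or vault; all file names are hypothetical.

# merge_ca_chains FILE...: print each distinct certificate block exactly once.
# Reading per line (instead of `cat a b`) means a file without a final newline
# cannot fuse "-----END CERTIFICATE-----" with the next "-----BEGIN" line.
merge_ca_chains() {
    awk '
        { sub(/\r$/, "") }                              # strip Windows CRs
        /^-----BEGIN CERTIFICATE-----$/ { inblock = 1; block = "" }
        inblock { block = block $0 "\n" }
        /^-----END CERTIFICATE-----$/ && inblock {
            inblock = 0
            if (!(block in seen)) { seen[block] = 1; printf "%s", block }
        }
    ' "$@"    # private keys and stray text never match, so they are dropped
}

# count_certs FILE: number of certificate blocks in FILE.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# encode_for_charm FILE: single-line base64 (assumed encoding for the option).
encode_for_charm() {
    base64 < "$1" | tr -d '\n'
}

# build_ssl_ca OUT CHAIN...: write the merged bundle to OUT, print its base64.
build_ssl_ca() {
    out=$1
    shift
    merge_ca_chains "$@" > "$out"
    [ -s "$out" ] || { echo "no certificates found in: $*" >&2; return 1; }
    encode_for_charm "$out"
}

# Usage sketch (hypothetical file names; option name assumed, see lead-in):
#   juju config openstack-dashboard \
#       ssl_ca="$(build_ssl_ca bundle.pem vault-chain.pem external-chain.pem)"
```

Inspect `bundle.pem` before applying it: it should list the vault chain first, then the external chain, with no key material.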