Browse code
Do not set OS_CACERT if there is no CA cert
In openrc, if we set OS_CACERT, some things will expect it to be there
in pre-flight checks. But it may very well be missing. This "fails
closed" because if we find the file, we try to use it, but if we don't
find the file, and the user thought we should be using it, we'll just
not be able to verify the server's name, and the libs will fail on that.
Change-Id: Ia5d06afa74bc645c2f19711cfa37e57a377c329b
Closes-Bug: #1452036
Clint Byrum authored on 2015/05/06 07:00:03Showing 1 changed files
| ... | ... |
@@ -78,8 +78,14 @@ export OS_IDENTITY_API_VERSION=${IDENTITY_API_VERSION:-2.0}
|
| 78 | 78 |
# |
| 79 | 79 |
export OS_AUTH_URL=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:5000/v${OS_IDENTITY_API_VERSION}
|
| 80 | 80 |
|
| 81 |
-# Set the pointer to our CA certificate chain. Harmless if TLS is not used. |
|
| 82 |
-export OS_CACERT=${OS_CACERT:-$INT_CA_DIR/ca-chain.pem}
|
|
| 81 |
+# Set OS_CACERT to a default CA certificate chain if it exists. |
|
| 82 |
+if [[ ! -v OS_CACERT ]] ; then |
|
| 83 |
+ DEFAULT_OS_CACERT=$INT_CA_DIR/ca-chain.pem |
|
| 84 |
+ # If the file does not exist, this may confuse preflight sanity checks |
|
| 85 |
+ if [ -e $DEFAULT_OS_CACERT ] ; then |
|
| 86 |
+ export OS_CACERT=$DEFAULT_OS_CACERT |
|
| 87 |
+ fi |
|
| 88 |
+fi |
|
| 83 | 89 |
|
| 84 | 90 |
# Currently novaclient needs you to specify the *compute api* version. This |
| 85 | 91 |
# needs to match the config of your catalog returned by Keystone. |