8.8. Securing OpenStack API traffic with SSL

Note

Only one SSL certificate can be added and applied for both the admin panel and OpenStack API.

Traffic to and from the public endpoint that listens to OpenStack API requests can be secured with an SSL certificate. However, as domain names are not used by default, the certificate will need a subjectAltName field containing the aforementioned management node IP address. If it does not have such a field, you will need to modify the public endpoint to use a domain name that you have a certificate for.

To secure public OpenStack API traffic with SSL, do the following:

  1. In the admin panel, upload the SSL certificate and private key, on the Settings > Management node > SSL access screen.

    Note

    When you create, reconfigure, or destroy the HA cluster, the current certificate is overwritten by a self-signed one generated by the system. You will need to re-upload your certificate and key after completing either operation.

  2. On the client side, place the CA certificate file to the operating system’s trusted bundle:

    # cp ca.pem /etc/pki/ca-trust/source/anchors/
    # update-ca-trust extract
    

    Alternatively, you can append the --os-cacert ca.pem option to each OpenStack client call.

  3. If your certificate does not have the subjectAltName field, modify all public endpoints to use the domain name for which you have the certificate for, as described in Setting a DNS name for the compute API. This domain name must resolve to the management node IP address (or to its virtual IP address if high availability is enabled).

  4. In your OpenRC script, change OS_AUTH_URL to the same domain name and remove all parameters related to insecure access. For example:

    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_NAME=admin
    export OS_USERNAME=admin
    export OS_PASSWORD=<ADMIN_PASSWORD>
    export OS_AUTH_URL=https://<DOMAIN_NAME>:5000/v3
    export OS_IDENTITY_API_VERSION=3
    

Now you can run OpenStack commands without the --insecure option.