[openstack-dev] [tripleo] TLS by default

Dmitry Tantsur dtantsur at redhat.com
Thu Mar 15 16:56:47 UTC 2018


On 03/15/2018 12:51 AM, Julia Kreger wrote:
> On Wed, Mar 14, 2018 at 4:52 AM, Dmitry Tantsur <dtantsur at redhat.com> wrote:
>> Just to clarify: only for public endpoints, right? I don't think e.g.
>> ironic-python-agent can talk to self-signed certificates yet.
>
> For what it is worth, it is possible for IPA to speak to a self-signed
> certificate, although it requires injecting the signing private CA
> certificate into the ramdisk or ISO image that is being used. There
> are a few other options that can be implemented, but those may also
> lower overall security posture.

Yep, that's the problem.

We can quite easily make IPA talk to custom HTTPS.

We cannot securely make IPA expose an HTTPS endpoint without using virtual media (not supported by tripleo, vendor-specific).

We cannot (IIUC) make iPXE use HTTPS with custom certificates without rebuilding the firmware from source.
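The point both replies turn on is that a client can only verify a certificate issued by a private CA if that CA's certificate is already in its trust store; "injecting the signing CA certificate into the ramdisk" is exactly that. The script below is an added illustration, not code from this thread or from TripleO/Ironic: it builds a throwaway private CA, signs a server certificate with it (the hostname is a placeholder), and then verifies that certificate once with the CA in the trust store and once without, which is the situation a ramdisk without the injected CA is in. It assumes only the openssl CLI and a POSIX shell.

```shell
#!/bin/sh
# Added example, not from the thread. Demonstrates why a TLS client such as
# IPA needs the private CA certificate before it can verify a server cert
# issued by that CA. Assumes the openssl command-line tool is installed.
set -e

# Scratch directory for the constructed keys and certificates.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

make_private_ca() {
    # Self-signed root CA, constructed for this example only.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Private CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" 2>/dev/null
}

make_server_cert() {
    # Server key and CSR for a placeholder hostname, then a cert signed by the CA.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=undercloud-endpoint.example.invalid" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -out "$WORKDIR/server.pem" 2>/dev/null
}

# Verify the server certificate against a trust store that contains the
# private CA. Prints "ok" and returns 0 on success, "fail" and 1 otherwise.
verify_with_private_ca() {
    if openssl verify -CAfile "$WORKDIR/ca.pem" "$WORKDIR/server.pem" >/dev/null 2>&1; then
        echo ok; return 0
    else
        echo fail; return 1
    fi
}

# Same check against the system default trust store only, which stands in for
# a ramdisk into which nobody injected the private CA. Expected to fail.
verify_without_private_ca() {
    if openssl verify "$WORKDIR/server.pem" >/dev/null 2>&1; then
        echo ok; return 0
    else
        echo fail; return 1
    fi
}

run_demo() {
    make_private_ca
    make_server_cert
    printf 'with private CA in trust store:    %s\n' "$(verify_with_private_ca || true)"
    printf 'without private CA in trust store: %s\n' "$(verify_without_private_ca || true)"
}

run_demo
```

The second verification fails for the same reason an un-modified ramdisk cannot talk to a self-signed endpoint: the chain is valid, but nothing in the client's trust store anchors it. The example covers only the client-side trust question; it says nothing about IPA exposing its own endpoint or about iPXE's built-in trust, which the reply above treats as separate problems.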
