)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"17d9363cce497169218929b1ab6687f5b5e756e5","unresolved":false,"context_lines":[{"line_number":4,"context_line":"Commit:     Xing Zhang \u003cangeiv.zhang@gmail.com\u003e"},{"line_number":5,"context_line":"CommitDate: 2019-09-04 15:27:10 +0800"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"use DNS on subjectAltName for IPv6"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"According to [1], Subject Alternative Name can use:"},{"line_number":10,"context_line":"The subject alternative name extension allows various literal values"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"5faad753_81ebb7ae","line":7,"range":{"start_line":7,"start_character":26,"end_line":7,"end_character":34},"updated":"2019-09-07 15:12:54.000000000","message":"in the proposed change it is simply used for any; best skip this part of subject","commit_id":"6bee91c58dec3f6b3b7df49b1a75be557682222d"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"17d9363cce497169218929b1ab6687f5b5e756e5","unresolved":false,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"use DNS on subjectAltName for IPv6"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"According to [1], Subject Alternative Name can use:"},{"line_number":10,"context_line":"The subject alternative name extension allows various literal values"},{"line_number":11,"context_line":"to be included in the configuration file. 
These include"},{"line_number":12,"context_line":"email (an email address) URI a uniform resource indicator,"},{"line_number":13,"context_line":"DNS (a DNS domain name), RID (a registered ID: OBJECT IDENTIFIER),"},{"line_number":14,"context_line":"IP (an IP address), dirName (a distinguished name) and otherName."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"The IP address used in the IP options can be in either IPv4 or IPv6 format."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"We can use DNS for IPv4 only, IPv6 only and dual stack."},{"line_number":19,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"5faad753_01d7c7ef","line":16,"range":{"start_line":9,"start_character":0,"end_line":16,"end_character":75},"updated":"2019-09-07 15:12:54.000000000","message":"nit: I am fine with such descriptions in general but this is overly verbose for the thing being fixed here. Though leaving or removing is up to you. 
I am fine with either anyway.","commit_id":"6bee91c58dec3f6b3b7df49b1a75be557682222d"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"17d9363cce497169218929b1ab6687f5b5e756e5","unresolved":false,"context_lines":[{"line_number":19,"context_line":""},{"line_number":20,"context_line":"[1] https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html"},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"Partially implements: blueprint ipv6-control-plane"},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"Change-Id: Ibad8f8c734984aeda8ddac1a5db39875bc242bbf"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"5faad753_c10a0f89","line":22,"range":{"start_line":22,"start_character":0,"end_line":22,"end_character":50},"updated":"2019-09-07 15:12:54.000000000","message":"thanks for hitting this","commit_id":"6bee91c58dec3f6b3b7df49b1a75be557682222d"}],"ansible/roles/certificates/templates/openssl-kolla.cnf.j2":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"700202e15825ed59a4787fc8691f21a8979e1e18","unresolved":false,"context_lines":[{"line_number":7,"context_line":"stateOrProvinceName \u003d NC"},{"line_number":8,"context_line":"localityName \u003d RTP"},{"line_number":9,"context_line":"organizationalUnitName \u003d kolla"},{"line_number":10,"context_line":"commonName \u003d {{ kolla_external_fqdn }}"},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"[v3_req]"},{"line_number":13,"context_line":"subjectAltName \u003d @alt_names"}],"source_content_type":"text/x-jinja2","patch_set":2,"id":"7faddb67_d130da09","line":10,"updated":"2019-09-05 14:15:13.000000000","message":"We already allow the FQDN, through 
commonName.","commit_id":"6bee91c58dec3f6b3b7df49b1a75be557682222d"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"17d9363cce497169218929b1ab6687f5b5e756e5","unresolved":false,"context_lines":[{"line_number":7,"context_line":"stateOrProvinceName \u003d NC"},{"line_number":8,"context_line":"localityName \u003d RTP"},{"line_number":9,"context_line":"organizationalUnitName \u003d kolla"},{"line_number":10,"context_line":"commonName \u003d {{ kolla_external_fqdn }}"},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"[v3_req]"},{"line_number":13,"context_line":"subjectAltName \u003d @alt_names"}],"source_content_type":"text/x-jinja2","patch_set":2,"id":"5faad753_e1ab8b72","line":10,"in_reply_to":"7faddb67_d130da09","updated":"2019-09-07 15:12:54.000000000","message":"But we should have it also in subjectAltName per current best practices, see https://support.google.com/chrome/a/answer/7391219","commit_id":"6bee91c58dec3f6b3b7df49b1a75be557682222d"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"700202e15825ed59a4787fc8691f21a8979e1e18","unresolved":false,"context_lines":[{"line_number":13,"context_line":"subjectAltName \u003d @alt_names"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"[alt_names]"},{"line_number":16,"context_line":"DNS.1 \u003d {{ kolla_external_fqdn }}"}],"source_content_type":"text/x-jinja2","patch_set":2,"id":"7faddb67_fc012d05","line":16,"updated":"2019-09-05 14:15:13.000000000","message":"Why not include both?\n\nAlso, if kolla_external_fqdn \u003d\u003d kolla_external_vip_address then we probably don\u0027t want to include DNS.1.","commit_id":"6bee91c58dec3f6b3b7df49b1a75be557682222d"},{"author":{"_account_id":30491,"name":"Radosław 
Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"17d9363cce497169218929b1ab6687f5b5e756e5","unresolved":false,"context_lines":[{"line_number":13,"context_line":"subjectAltName \u003d @alt_names"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"[alt_names]"},{"line_number":16,"context_line":"DNS.1 \u003d {{ kolla_external_fqdn }}"}],"source_content_type":"text/x-jinja2","patch_set":2,"id":"5faad753_61b1dbe1","line":16,"in_reply_to":"5faad753_399d7759","updated":"2019-09-07 15:12:54.000000000","message":"Dual stack is not currently supported.\n\nThe only thing I am worried about is the case \"kolla_external_fqdn \u003d\u003d kolla_external_vip_address\" which Mark has already mentioned. Then DNS.1 would have invalid format and IP.1 could actually be required (never checked). This is rare practice to use certs with IP addresses anyway so I am in favor of the proposed change.","commit_id":"6bee91c58dec3f6b3b7df49b1a75be557682222d"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"87915226ddb97ef29a5b523a0f52489b81481682","unresolved":false,"context_lines":[{"line_number":13,"context_line":"subjectAltName \u003d @alt_names"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"[alt_names]"},{"line_number":16,"context_line":"DNS.1 \u003d {{ kolla_external_fqdn }}"}],"source_content_type":"text/x-jinja2","patch_set":2,"id":"5faad753_f7133e65","line":16,"in_reply_to":"5faad753_3efd393a","updated":"2019-09-09 13:35:56.000000000","message":"We can\u0027t dictate that our users must use FQDNs with certificates.\n\nIf we add DNS.1 and IP.1, then it should work when accessing with either name or IP. 
If FQDN \u003d\u003d VIP, then omit DNS.1.","commit_id":"6bee91c58dec3f6b3b7df49b1a75be557682222d"},{"author":{"_account_id":21757,"name":"Xing Zhang","email":"angeiv.zhang@gmail.com","username":"angeiv"},"change_message_id":"0f44faa5800108d6b1d5d369d2722ade2ecf9659","unresolved":false,"context_lines":[{"line_number":13,"context_line":"subjectAltName \u003d @alt_names"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"[alt_names]"},{"line_number":16,"context_line":"DNS.1 \u003d {{ kolla_external_fqdn }}"}],"source_content_type":"text/x-jinja2","patch_set":2,"id":"5faad753_3efd393a","line":16,"in_reply_to":"5faad753_61b1dbe1","updated":"2019-09-09 01:57:38.000000000","message":"Need to add a condition for the case \"kolla_external_fqdn \u003d\u003d kolla_external_vip_address\" like:\n\n  {% set kolla_external_fqdn_real \u003d \u0027example.com\u0027 if kolla_external_fqdn \u003d\u003d kolla_external_vip_address %}\n  DNS.1 \u003d {{ kolla_external_fqdn_real }}","commit_id":"6bee91c58dec3f6b3b7df49b1a75be557682222d"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"da8a0bd583669dacd856afe7afb8d4f17cac7a35","unresolved":false,"context_lines":[{"line_number":13,"context_line":"subjectAltName \u003d @alt_names"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"[alt_names]"},{"line_number":16,"context_line":"DNS.1 \u003d {{ kolla_external_fqdn }}"}],"source_content_type":"text/x-jinja2","patch_set":2,"id":"5faad753_843ab295","line":16,"in_reply_to":"5faad753_f7133e65","updated":"2019-09-10 16:48:07.000000000","message":"\u003e If FQDN \u003d\u003d VIP, then omit DNS.1.\n\n+1","commit_id":"6bee91c58dec3f6b3b7df49b1a75be557682222d"},{"author":{"_account_id":21757,"name":"Xing 
Zhang","email":"angeiv.zhang@gmail.com","username":"angeiv"},"change_message_id":"582ca047b587447a03461fb540235f7b08dc882f","unresolved":false,"context_lines":[{"line_number":13,"context_line":"subjectAltName \u003d @alt_names"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"[alt_names]"},{"line_number":16,"context_line":"DNS.1 \u003d {{ kolla_external_fqdn }}"}],"source_content_type":"text/x-jinja2","patch_set":2,"id":"5faad753_399d7759","line":16,"in_reply_to":"7faddb67_fc012d05","updated":"2019-09-06 02:47:15.000000000","message":"Or just ignore IP verification like other websites; only a few websites verify the IP address. We can check review.opendev.org as an example.\n\n\nIf we add both IP.1 and DNS.1, we also need to add the IPv6 address as IP.2 on a dual-stack deployment, which is not implemented yet; otherwise we will get an error like:\n\n    SSLError: SSL exception connecting to https://site.test.domain:5000/v3/auth/tokens: hostname \u0027site.test.domain\u0027 dosen\u0027t match 100.100.100.100\n\nThe client connects to the web endpoint over IPv6 while the TLS certificate only has an IPv4 address in IP.1","commit_id":"6bee91c58dec3f6b3b7df49b1a75be557682222d"}]}
