)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"f50f80133557b1fecf24c73387ff9d7d7764c9fb","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"466eeaa8_a35227ea","updated":"2021-10-12 19:10:08.000000000","message":"\u003e Patch Set 5:\n\u003e \n\u003e \u003e Patch Set 5:\n\u003e \u003e \n\u003e \u003e \u003e Patch Set 5:\n\u003e \u003e \u003e \n\u003e \u003e \u003e \u003e Was it actually causing any failures? Because we test it in CI and it was passing fine.\n\u003e \u003e \u003e it pass the CI because not tested well, and haproxy by default configured to simple\n\u003e \u003e \u003e \n\u003e \u003e \u003e \u003e PS: Whoever reads this, do bear in mind these certificates are never to be used in production. Never.\n\u003e \u003e \u003e \"these\" certificates are fine for test. but this code used in production to sign by the external CA placed in the kolla/certificates/private/root just before deploy!\n\u003e \u003e \n\u003e \u003e I could not understand your reply. Sorry 😞 Perhaps other cores will understand better.\n\u003e \n\u003e I want to say, that the certificates role used not only for self-signed certificates on CI only. It used in production.\n\nIt should not be. It\u0027s bad by design. 
The description states it clearly: \"certificates Generate self-signed certificate for TLS *For Development Only*\"","commit_id":"6409d62650193b217faa0d18885b37cb1ec247a2"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"616e7e70538fc5e0dea632a1d2bd9d5e2e69e3ca","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"44fd6cb4_ac0062ac","updated":"2021-12-31 16:39:22.000000000","message":"Happy New Year!!!","commit_id":"6409d62650193b217faa0d18885b37cb1ec247a2"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"c21bd6de6670c0ef5e364a9a59379da062f153b7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"df10777a_5f0a8ef0","updated":"2021-12-30 19:13:59.000000000","message":"Radosław, sorry, but we can\u0027t omit neither extension options nor config file.\nPlease take a look from my current production server: https://pastebin.com/70VKqaFq\n","commit_id":"6409d62650193b217faa0d18885b37cb1ec247a2"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"980099eeac46e324bf63deed2cccf14a2a05e9b1","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"32dbadf6_500c7ba6","updated":"2021-12-30 19:17:46.000000000","message":"just for sure we use this patch together with second one since ussuri till xena\n","commit_id":"6409d62650193b217faa0d18885b37cb1ec247a2"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 
7bulls.com"},"change_message_id":"0e8a1803f2e8f47225905d7467751f2033c688d9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"84b4aff0_57635afe","updated":"2021-12-30 14:52:28.000000000","message":"let\u0027s fix these and merge","commit_id":"6409d62650193b217faa0d18885b37cb1ec247a2"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"082455e6cdb90afd3fb872298ba1d5320750e479","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"5ec8c7fd_bb0fa1cd","updated":"2021-12-30 19:22:34.000000000","message":"lets merge as is, the CI is passed for sure\nwe need this in xena\n","commit_id":"6409d62650193b217faa0d18885b37cb1ec247a2"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"64c8ec076175ee46d7a8626a02e1b7cb301a62f9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"7a9b4411_d0ef0363","in_reply_to":"1da75876_892e84a3","updated":"2021-12-31 16:36:02.000000000","message":"Yes, sorry, you are right. I thought we were using the ca command which is able to preserve the extensions from the csr. x509 seems to always ignore extensions from the csr.","commit_id":"6409d62650193b217faa0d18885b37cb1ec247a2"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"ea0aeef0800b0ddebac603d07bb370d9fe8d4d8e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"c953ae1b_31c6328b","in_reply_to":"44fd6cb4_ac0062ac","updated":"2021-12-31 16:40:58.000000000","message":"Happy New Year! 
😊","commit_id":"6409d62650193b217faa0d18885b37cb1ec247a2"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"31c40cafbda020bf1272eaedf014d5fa6a794c7c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"a09a3540_bece0a04","in_reply_to":"466eeaa8_a35227ea","updated":"2021-10-12 19:34:29.000000000","message":"you right, but sometimes *the development only* features used in production too 😂","commit_id":"6409d62650193b217faa0d18885b37cb1ec247a2"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"7f5521883f7d5861d784dce55ac8d45aa2f9a8b7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"1da75876_892e84a3","in_reply_to":"c9c3c658_ef5e0162","updated":"2021-12-30 21:14:33.000000000","message":"the CSR file didn\u0027t handle the extensions. nevermind, I will provide the another pastebin: https://pastebin.com/4CJHzVMF\nit still don\u0027t have the altname and IP so","commit_id":"6409d62650193b217faa0d18885b37cb1ec247a2"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"d66b0a7578789c260cb3f5df49166cd6e2104f93","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"c9c3c658_ef5e0162","in_reply_to":"df10777a_5f0a8ef0","updated":"2021-12-30 20:44:37.000000000","message":"But you dropped both of them in there.","commit_id":"6409d62650193b217faa0d18885b37cb1ec247a2"}],"ansible/roles/certificates/tasks/generate-backend.yml":[{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 
7bulls.com"},"change_message_id":"0e8a1803f2e8f47225905d7467751f2033c688d9","unresolved":true,"context_lines":[{"line_number":40,"context_line":"    -CAkey \"{{ root_dir }}/root.key\""},{"line_number":41,"context_line":"    -CAcreateserial"},{"line_number":42,"context_line":"    -extensions v3_req"},{"line_number":43,"context_line":"    -extfile \"{{ kolla_certificates_dir }}/openssl-kolla-backend.cnf\""},{"line_number":44,"context_line":"    -out \"{{ backend_dir }}/backend.crt\""},{"line_number":45,"context_line":"    -days 500"},{"line_number":46,"context_line":"    -sha256"}],"source_content_type":"text/x-yaml","patch_set":5,"id":"177ce07a_351678fc","line":43,"updated":"2021-12-30 14:52:28.000000000","message":"ditto","commit_id":"6409d62650193b217faa0d18885b37cb1ec247a2"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"64c8ec076175ee46d7a8626a02e1b7cb301a62f9","unresolved":false,"context_lines":[{"line_number":40,"context_line":"    -CAkey \"{{ root_dir }}/root.key\""},{"line_number":41,"context_line":"    -CAcreateserial"},{"line_number":42,"context_line":"    -extensions v3_req"},{"line_number":43,"context_line":"    -extfile \"{{ kolla_certificates_dir }}/openssl-kolla-backend.cnf\""},{"line_number":44,"context_line":"    -out \"{{ backend_dir }}/backend.crt\""},{"line_number":45,"context_line":"    -days 500"},{"line_number":46,"context_line":"    -sha256"}],"source_content_type":"text/x-yaml","patch_set":5,"id":"34554de3_63bea244","line":43,"in_reply_to":"177ce07a_351678fc","updated":"2021-12-31 16:36:02.000000000","message":"nope, see the overall discussion","commit_id":"6409d62650193b217faa0d18885b37cb1ec247a2"}],"ansible/roles/certificates/tasks/generate.yml":[{"author":{"_account_id":14826,"name":"Mark 
Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"b220a72645a005ba2582abeb3dfc583e42887414","unresolved":true,"context_lines":[{"line_number":46,"context_line":"        -CA \"{{ root_dir }}/root.crt\""},{"line_number":47,"context_line":"        -CAkey \"{{ root_dir }}/root.key\""},{"line_number":48,"context_line":"        -CAcreateserial"},{"line_number":49,"context_line":"        -extensions v3_req"},{"line_number":50,"context_line":"        -extfile \"{{ kolla_certificates_dir }}/openssl-kolla.cnf\""},{"line_number":51,"context_line":"        -out \"{{ external_dir }}/external.crt\""},{"line_number":52,"context_line":"        -days 365"},{"line_number":53,"context_line":"        -sha256"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"861d373b_e73fcf20","line":50,"range":{"start_line":49,"start_character":0,"end_line":50,"end_character":65},"updated":"2021-07-06 08:37:07.000000000","message":"If we think about this in terms of a normal CA flow, this step is performed by the CA, who will not have access to our openssl config file used to generate the CSR.","commit_id":"610f18d8eb9f06fd6e47f7555acddd043e8060b8"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"fff60b403fa2e071c3cdff0f293602282c1f571c","unresolved":false,"context_lines":[{"line_number":46,"context_line":"        -CA \"{{ root_dir }}/root.crt\""},{"line_number":47,"context_line":"        -CAkey \"{{ root_dir }}/root.key\""},{"line_number":48,"context_line":"        -CAcreateserial"},{"line_number":49,"context_line":"        -extensions v3_req"},{"line_number":50,"context_line":"        -extfile \"{{ kolla_certificates_dir }}/openssl-kolla.cnf\""},{"line_number":51,"context_line":"        -out \"{{ external_dir }}/external.crt\""},{"line_number":52,"context_line":"        -days 365"},{"line_number":53,"context_line":"        
-sha256"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"b52e3f2a_5cb5145f","line":50,"range":{"start_line":49,"start_character":0,"end_line":50,"end_character":65},"in_reply_to":"73ac42e7_8362c737","updated":"2021-07-09 00:08:21.000000000","message":"Ideally? this \u0027extfile\u0027 would duplicate the \u0027v3_req\u0027 and \u0027alt_names\u0027 sections as is. so why we should complicate the task?","commit_id":"610f18d8eb9f06fd6e47f7555acddd043e8060b8"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"a6bc0b1fe6d1c01937f3ce3415666a1a597e9e7b","unresolved":false,"context_lines":[{"line_number":46,"context_line":"        -CA \"{{ root_dir }}/root.crt\""},{"line_number":47,"context_line":"        -CAkey \"{{ root_dir }}/root.key\""},{"line_number":48,"context_line":"        -CAcreateserial"},{"line_number":49,"context_line":"        -extensions v3_req"},{"line_number":50,"context_line":"        -extfile \"{{ kolla_certificates_dir }}/openssl-kolla.cnf\""},{"line_number":51,"context_line":"        -out \"{{ external_dir }}/external.crt\""},{"line_number":52,"context_line":"        -days 365"},{"line_number":53,"context_line":"        -sha256"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"d7e8ab6f_666ad66b","line":50,"range":{"start_line":49,"start_character":0,"end_line":50,"end_character":65},"in_reply_to":"861d373b_e73fcf20","updated":"2021-07-06 22:29:46.000000000","message":"If we think about this in terms of a normal CA flow, we don\u0027t have access to the CA\u0027s key used in this step.","commit_id":"610f18d8eb9f06fd6e47f7555acddd043e8060b8"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"053d6f0c1af186181d4c2f54d20089ee472c7094","unresolved":false,"context_lines":[{"line_number":46,"context_line":"        -CA \"{{ root_dir 
}}/root.crt\""},{"line_number":47,"context_line":"        -CAkey \"{{ root_dir }}/root.key\""},{"line_number":48,"context_line":"        -CAcreateserial"},{"line_number":49,"context_line":"        -extensions v3_req"},{"line_number":50,"context_line":"        -extfile \"{{ kolla_certificates_dir }}/openssl-kolla.cnf\""},{"line_number":51,"context_line":"        -out \"{{ external_dir }}/external.crt\""},{"line_number":52,"context_line":"        -days 365"},{"line_number":53,"context_line":"        -sha256"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"73ac42e7_8362c737","line":50,"range":{"start_line":49,"start_character":0,"end_line":50,"end_character":65},"in_reply_to":"d7e8ab6f_666ad66b","updated":"2021-07-08 09:38:00.000000000","message":"Right, but this step would be performed by the CA, who does have the CA key, and not our config file. This playbook performs both requester and CA steps.\n\nI did some reading and it does seem that we need a config file including the SANs for this step. 
Ideally it would be a different one, including only the necessary info, but this is for development so I suppose we can keep it simple.","commit_id":"610f18d8eb9f06fd6e47f7555acddd043e8060b8"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"0e8a1803f2e8f47225905d7467751f2033c688d9","unresolved":true,"context_lines":[{"line_number":47,"context_line":"        -CAkey \"{{ root_dir }}/root.key\""},{"line_number":48,"context_line":"        -CAcreateserial"},{"line_number":49,"context_line":"        -extensions v3_req"},{"line_number":50,"context_line":"        -extfile \"{{ kolla_certificates_dir }}/openssl-kolla.cnf\""},{"line_number":51,"context_line":"        -out \"{{ external_dir }}/external.crt\""},{"line_number":52,"context_line":"        -days 365"},{"line_number":53,"context_line":"        -sha256"}],"source_content_type":"text/x-yaml","patch_set":5,"id":"a867de02_0c6b28c6","line":50,"updated":"2021-12-30 14:52:28.000000000","message":"this line should not be needed","commit_id":"6409d62650193b217faa0d18885b37cb1ec247a2"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"64c8ec076175ee46d7a8626a02e1b7cb301a62f9","unresolved":false,"context_lines":[{"line_number":47,"context_line":"        -CAkey \"{{ root_dir }}/root.key\""},{"line_number":48,"context_line":"        -CAcreateserial"},{"line_number":49,"context_line":"        -extensions v3_req"},{"line_number":50,"context_line":"        -extfile \"{{ kolla_certificates_dir }}/openssl-kolla.cnf\""},{"line_number":51,"context_line":"        -out \"{{ external_dir }}/external.crt\""},{"line_number":52,"context_line":"        -days 
365"},{"line_number":53,"context_line":"        -sha256"}],"source_content_type":"text/x-yaml","patch_set":5,"id":"0e561d4f_813844ad","line":50,"in_reply_to":"a867de02_0c6b28c6","updated":"2021-12-31 16:36:02.000000000","message":"nope, see the overall discussion","commit_id":"6409d62650193b217faa0d18885b37cb1ec247a2"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"0e8a1803f2e8f47225905d7467751f2033c688d9","unresolved":true,"context_lines":[{"line_number":117,"context_line":"        -CAkey \"{{ root_dir }}/root.key\""},{"line_number":118,"context_line":"        -CAcreateserial"},{"line_number":119,"context_line":"        -extensions v3_req"},{"line_number":120,"context_line":"        -extfile \"{{ kolla_certificates_dir }}/openssl-kolla-internal.cnf\""},{"line_number":121,"context_line":"        -out \"{{ internal_dir }}/internal.crt\""},{"line_number":122,"context_line":"        -days 365"},{"line_number":123,"context_line":"        -sha256"}],"source_content_type":"text/x-yaml","patch_set":5,"id":"d3d671eb_bbee5019","line":120,"updated":"2021-12-30 14:52:28.000000000","message":"ditto","commit_id":"6409d62650193b217faa0d18885b37cb1ec247a2"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"64c8ec076175ee46d7a8626a02e1b7cb301a62f9","unresolved":false,"context_lines":[{"line_number":117,"context_line":"        -CAkey \"{{ root_dir }}/root.key\""},{"line_number":118,"context_line":"        -CAcreateserial"},{"line_number":119,"context_line":"        -extensions v3_req"},{"line_number":120,"context_line":"        -extfile \"{{ kolla_certificates_dir 
}}/openssl-kolla-internal.cnf\""},{"line_number":121,"context_line":"        -out \"{{ internal_dir }}/internal.crt\""},{"line_number":122,"context_line":"        -days 365"},{"line_number":123,"context_line":"        -sha256"}],"source_content_type":"text/x-yaml","patch_set":5,"id":"173b3b45_ed7fba7f","line":120,"in_reply_to":"d3d671eb_bbee5019","updated":"2021-12-31 16:36:02.000000000","message":"nope, see the overall discussion","commit_id":"6409d62650193b217faa0d18885b37cb1ec247a2"}],"ansible/roles/certificates/templates/openssl-kolla-internal.cnf.j2":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"b220a72645a005ba2582abeb3dfc583e42887414","unresolved":true,"context_lines":[{"line_number":1,"context_line":"[req]"},{"line_number":2,"context_line":"prompt \u003d no"},{"line_number":3,"context_line":"distinguished_name \u003d req_distinguished_name"},{"line_number":4,"context_line":"req_extensions \u003d v3_req"},{"line_number":5,"context_line":""},{"line_number":6,"context_line":"[req_distinguished_name]"},{"line_number":7,"context_line":"countryName \u003d US"}],"source_content_type":"text/x-jinja2","patch_set":1,"id":"205d02c7_996f3014","line":4,"range":{"start_line":4,"start_character":0,"end_line":4,"end_character":23},"updated":"2021-07-06 08:37:07.000000000","message":"It\u0027s listed as an extension here, and this file is used to generate the CSR.","commit_id":"610f18d8eb9f06fd6e47f7555acddd043e8060b8"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"a6bc0b1fe6d1c01937f3ce3415666a1a597e9e7b","unresolved":false,"context_lines":[{"line_number":1,"context_line":"[req]"},{"line_number":2,"context_line":"prompt \u003d no"},{"line_number":3,"context_line":"distinguished_name \u003d req_distinguished_name"},{"line_number":4,"context_line":"req_extensions \u003d 
v3_req"},{"line_number":5,"context_line":""},{"line_number":6,"context_line":"[req_distinguished_name]"},{"line_number":7,"context_line":"countryName \u003d US"}],"source_content_type":"text/x-jinja2","patch_set":1,"id":"9b24eb65_ab66bf63","line":4,"range":{"start_line":4,"start_character":0,"end_line":4,"end_character":23},"in_reply_to":"205d02c7_996f3014","updated":"2021-07-06 22:29:46.000000000","message":"Sure, CSR is generated with valid extension.","commit_id":"610f18d8eb9f06fd6e47f7555acddd043e8060b8"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"b220a72645a005ba2582abeb3dfc583e42887414","unresolved":true,"context_lines":[{"line_number":8,"context_line":"stateOrProvinceName \u003d NC"},{"line_number":9,"context_line":"localityName \u003d RTP"},{"line_number":10,"context_line":"organizationalUnitName \u003d kolla"},{"line_number":11,"context_line":"{% if kolla_internal_fqdn !\u003d kolla_internal_vip_address %}"},{"line_number":12,"context_line":"commonName \u003d {{ kolla_internal_fqdn }}"},{"line_number":13,"context_line":"{% endif %}"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"[v3_req]"},{"line_number":16,"context_line":"subjectAltName \u003d @alt_names"}],"source_content_type":"text/x-jinja2","patch_set":1,"id":"a5a97ee7_706901b8","line":13,"range":{"start_line":11,"start_character":0,"end_line":13,"end_character":11},"updated":"2021-07-06 08:37:07.000000000","message":"I don\u0027t think it makes sense for this to be conditional. 
Either we include a CN, or not.","commit_id":"610f18d8eb9f06fd6e47f7555acddd043e8060b8"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"fff60b403fa2e071c3cdff0f293602282c1f571c","unresolved":false,"context_lines":[{"line_number":8,"context_line":"stateOrProvinceName \u003d NC"},{"line_number":9,"context_line":"localityName \u003d RTP"},{"line_number":10,"context_line":"organizationalUnitName \u003d kolla"},{"line_number":11,"context_line":"{% if kolla_internal_fqdn !\u003d kolla_internal_vip_address %}"},{"line_number":12,"context_line":"commonName \u003d {{ kolla_internal_fqdn }}"},{"line_number":13,"context_line":"{% endif %}"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"[v3_req]"},{"line_number":16,"context_line":"subjectAltName \u003d @alt_names"}],"source_content_type":"text/x-jinja2","patch_set":1,"id":"67125c46_21828a6d","line":13,"range":{"start_line":11,"start_character":0,"end_line":13,"end_character":11},"in_reply_to":"14992def_3f731314","updated":"2021-07-09 00:08:21.000000000","message":"ok. 
lets always omit.","commit_id":"610f18d8eb9f06fd6e47f7555acddd043e8060b8"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"053d6f0c1af186181d4c2f54d20089ee472c7094","unresolved":false,"context_lines":[{"line_number":8,"context_line":"stateOrProvinceName \u003d NC"},{"line_number":9,"context_line":"localityName \u003d RTP"},{"line_number":10,"context_line":"organizationalUnitName \u003d kolla"},{"line_number":11,"context_line":"{% if kolla_internal_fqdn !\u003d kolla_internal_vip_address %}"},{"line_number":12,"context_line":"commonName \u003d {{ kolla_internal_fqdn }}"},{"line_number":13,"context_line":"{% endif %}"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"[v3_req]"},{"line_number":16,"context_line":"subjectAltName \u003d @alt_names"}],"source_content_type":"text/x-jinja2","patch_set":1,"id":"14992def_3f731314","line":13,"range":{"start_line":11,"start_character":0,"end_line":13,"end_character":11},"in_reply_to":"3d5ba32a_30e2cd8f","updated":"2021-07-08 09:38:00.000000000","message":"I agree that it should be possible to omit the CN. 
What I\u0027m saying is that we should either always include it, or always omit.","commit_id":"610f18d8eb9f06fd6e47f7555acddd043e8060b8"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"a6bc0b1fe6d1c01937f3ce3415666a1a597e9e7b","unresolved":false,"context_lines":[{"line_number":8,"context_line":"stateOrProvinceName \u003d NC"},{"line_number":9,"context_line":"localityName \u003d RTP"},{"line_number":10,"context_line":"organizationalUnitName \u003d kolla"},{"line_number":11,"context_line":"{% if kolla_internal_fqdn !\u003d kolla_internal_vip_address %}"},{"line_number":12,"context_line":"commonName \u003d {{ kolla_internal_fqdn }}"},{"line_number":13,"context_line":"{% endif %}"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"[v3_req]"},{"line_number":16,"context_line":"subjectAltName \u003d @alt_names"}],"source_content_type":"text/x-jinja2","patch_set":1,"id":"3d5ba32a_30e2cd8f","line":13,"range":{"start_line":11,"start_character":0,"end_line":13,"end_character":11},"in_reply_to":"a5a97ee7_706901b8","updated":"2021-07-06 22:29:46.000000000","message":"Take a look at the openssl-kolla-backend.cnf it without CN and it still valid.","commit_id":"610f18d8eb9f06fd6e47f7555acddd043e8060b8"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"b220a72645a005ba2582abeb3dfc583e42887414","unresolved":true,"context_lines":[{"line_number":16,"context_line":"subjectAltName \u003d @alt_names"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"[alt_names]"},{"line_number":19,"context_line":"IP.1 \u003d {{ kolla_internal_vip_address }}"}],"source_content_type":"text/x-jinja2","patch_set":1,"id":"955dee14_6eadf66f","line":19,"range":{"start_line":19,"start_character":0,"end_line":19,"end_character":39},"updated":"2021-07-06 08:37:07.000000000","message":"This stackoverflow 
answer is a bit easier to digest than the RFC: https://stackoverflow.com/a/5937270.\n\nFollowing RFC6125, we should definitely keep the FQDN in the SAN.","commit_id":"610f18d8eb9f06fd6e47f7555acddd043e8060b8"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"a6bc0b1fe6d1c01937f3ce3415666a1a597e9e7b","unresolved":false,"context_lines":[{"line_number":16,"context_line":"subjectAltName \u003d @alt_names"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"[alt_names]"},{"line_number":19,"context_line":"IP.1 \u003d {{ kolla_internal_vip_address }}"}],"source_content_type":"text/x-jinja2","patch_set":1,"id":"fd30557d_3931ce59","line":19,"range":{"start_line":19,"start_character":0,"end_line":19,"end_character":39},"in_reply_to":"955dee14_6eadf66f","updated":"2021-07-06 22:29:46.000000000","message":"4.1.2.6 says \u0027MAY be carried in the subject field AND/OR the subjectAltName extension\u0027. AND/OR!!!\nthe case when we use FQDN its reasonable to place it in the subject, and altName as always keep the IP.","commit_id":"610f18d8eb9f06fd6e47f7555acddd043e8060b8"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"fff60b403fa2e071c3cdff0f293602282c1f571c","unresolved":false,"context_lines":[{"line_number":16,"context_line":"subjectAltName \u003d @alt_names"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"[alt_names]"},{"line_number":19,"context_line":"IP.1 \u003d {{ kolla_internal_vip_address }}"}],"source_content_type":"text/x-jinja2","patch_set":1,"id":"7a639297_a0510e8d","line":19,"range":{"start_line":19,"start_character":0,"end_line":19,"end_character":39},"in_reply_to":"9ffc7b3f_437995f0","updated":"2021-07-09 00:08:21.000000000","message":"ok. 
will move the FQDN to the SAN.","commit_id":"610f18d8eb9f06fd6e47f7555acddd043e8060b8"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"053d6f0c1af186181d4c2f54d20089ee472c7094","unresolved":false,"context_lines":[{"line_number":16,"context_line":"subjectAltName \u003d @alt_names"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"[alt_names]"},{"line_number":19,"context_line":"IP.1 \u003d {{ kolla_internal_vip_address }}"}],"source_content_type":"text/x-jinja2","patch_set":1,"id":"9ffc7b3f_437995f0","line":19,"range":{"start_line":19,"start_character":0,"end_line":19,"end_character":39},"in_reply_to":"fd30557d_3931ce59","updated":"2021-07-08 09:38:00.000000000","message":"RFC6125 says clients may ignore the subject, and use only the SAN. We should therefore include both FQDN and VIP in the SAN. I would suggest:\n\n{% if kolla_internal_fqdn !\u003d kolla_internal_vip_address %}\nDNS.1 \u003d {{ kolla_internal_fqdn }}\n{% endif %}\nIP.1 \u003d {{ kolla_internal_fqdn }}","commit_id":"610f18d8eb9f06fd6e47f7555acddd043e8060b8"}]}
