)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"72e255676f80d8ae5c0909bcf229cc9eae13f3f5","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"5dedb9be_7a9e23b0","updated":"2023-04-18 11:09:08.000000000","message":"recheck - retry limits","commit_id":"931695475cbb261678e4571c2523bf6bd4c2bef5"}],"defaults/main.yml":[{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"319ce4f0e160d1f302c2774bb1869fe1a515a94d","unresolved":true,"context_lines":[{"line_number":338,"context_line":"keystone_ssl_cipher_suite_tls13: \"{{ ssl_cipher_suite_tls13 | default(\u0027TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256\u0027) }}\""},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"# Set these variables to deploy custom certificates"},{"line_number":341,"context_line":"#keystone_user_ssl_cert: \u003cpath to cert on ansible deployment host\u003e"},{"line_number":342,"context_line":"#keystone_user_ssl_key: \u003cpath to cert on ansible deployment host\u003e"},{"line_number":343,"context_line":"#keystone_user_ssl_ca_cert: \u003cpath to cert on ansible deployment host\u003e"},{"line_number":344,"context_line":""},{"line_number":345,"context_line":"# Set to true when terminating SSL/TLS at a load balancer"},{"line_number":346,"context_line":"keystone_external_ssl: \"{{ (haproxy_ssl | default(True)) | bool }}\""}],"source_content_type":"text/x-yaml","patch_set":1,"id":"879690ca_178443af","line":343,"range":{"start_line":341,"start_character":0,"end_line":343,"end_character":69},"updated":"2023-04-08 06:43:33.000000000","message":"if you set these variables as described then a cert chain will not be built in this role from them, and it will fail\n\nneed to either update the comments/releasenote for this to say that _cert needs to be a chain with the intermediate, or have the chain constructed in-role.","commit_id":"339dfb2e0e12c9d9f1a034539852ef6a9d144b4a"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"63d268ee1556b82c93d0f706f970323f6013a273","unresolved":true,"context_lines":[{"line_number":338,"context_line":"keystone_ssl_cipher_suite_tls13: \"{{ ssl_cipher_suite_tls13 | default(\u0027TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256\u0027) }}\""},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"# Set these variables to deploy custom certificates"},{"line_number":341,"context_line":"#keystone_user_ssl_cert: \u003cpath to cert on ansible deployment host\u003e"},{"line_number":342,"context_line":"#keystone_user_ssl_key: \u003cpath to cert on ansible deployment host\u003e"},{"line_number":343,"context_line":"#keystone_user_ssl_ca_cert: \u003cpath to cert on ansible deployment host\u003e"},{"line_number":344,"context_line":""},{"line_number":345,"context_line":"# Set to true when terminating SSL/TLS at a load balancer"},{"line_number":346,"context_line":"keystone_external_ssl: \"{{ (haproxy_ssl | default(True)) | bool }}\""}],"source_content_type":"text/x-yaml","patch_set":1,"id":"f46ebe4e_8914f653","line":343,"range":{"start_line":341,"start_character":0,"end_line":343,"end_character":69},"in_reply_to":"879690ca_178443af","updated":"2023-04-08 10:20:33.000000000","message":"what do you mean? if you define custom certificates, then your custom CA is defined by SSLCACertificateFile in apache config.\n\nI didn\u0027t change that behavior, that\u0027s how it used to work before.","commit_id":"339dfb2e0e12c9d9f1a034539852ef6a9d144b4a"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"32b41be172cf2c05c74f42c73ac5f8dbdd1d53d9","unresolved":false,"context_lines":[{"line_number":338,"context_line":"keystone_ssl_cipher_suite_tls13: \"{{ ssl_cipher_suite_tls13 | default(\u0027TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256\u0027) }}\""},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"# Set these variables to deploy custom certificates"},{"line_number":341,"context_line":"#keystone_user_ssl_cert: \u003cpath to cert on ansible deployment host\u003e"},{"line_number":342,"context_line":"#keystone_user_ssl_key: \u003cpath to cert on ansible deployment host\u003e"},{"line_number":343,"context_line":"#keystone_user_ssl_ca_cert: \u003cpath to cert on ansible deployment host\u003e"},{"line_number":344,"context_line":""},{"line_number":345,"context_line":"# Set to true when terminating SSL/TLS at a load balancer"},{"line_number":346,"context_line":"keystone_external_ssl: \"{{ (haproxy_ssl | default(True)) | bool }}\""}],"source_content_type":"text/x-yaml","patch_set":1,"id":"4b81a0b4_92a56a43","line":343,"range":{"start_line":341,"start_character":0,"end_line":343,"end_character":69},"in_reply_to":"ab3c8ea4_732e34ca","updated":"2023-04-14 13:22:20.000000000","message":"Done","commit_id":"339dfb2e0e12c9d9f1a034539852ef6a9d144b4a"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"9beccb07278ca3466cfb22d146414a54a14eed3b","unresolved":true,"context_lines":[{"line_number":338,"context_line":"keystone_ssl_cipher_suite_tls13: \"{{ ssl_cipher_suite_tls13 | default(\u0027TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256\u0027) }}\""},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"# Set these variables to deploy custom certificates"},{"line_number":341,"context_line":"#keystone_user_ssl_cert: \u003cpath to cert on ansible deployment host\u003e"},{"line_number":342,"context_line":"#keystone_user_ssl_key: \u003cpath to cert on ansible deployment host\u003e"},{"line_number":343,"context_line":"#keystone_user_ssl_ca_cert: \u003cpath to cert on ansible deployment host\u003e"},{"line_number":344,"context_line":""},{"line_number":345,"context_line":"# Set to true when terminating SSL/TLS at a load balancer"},{"line_number":346,"context_line":"keystone_external_ssl: \"{{ (haproxy_ssl | default(True)) | bool }}\""}],"source_content_type":"text/x-yaml","patch_set":1,"id":"fb1af611_fd583dac","line":343,"range":{"start_line":341,"start_character":0,"end_line":343,"end_character":69},"in_reply_to":"f46ebe4e_8914f653","updated":"2023-04-08 20:15:37.000000000","message":"can we correct the descriptions on those lines to say that a chain needs to be provided in `keystone_user_ssl_cert` - nothing more than that","commit_id":"339dfb2e0e12c9d9f1a034539852ef6a9d144b4a"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"7ba4a8b1054385846aa4170159cf8360428e7872","unresolved":true,"context_lines":[{"line_number":338,"context_line":"keystone_ssl_cipher_suite_tls13: \"{{ ssl_cipher_suite_tls13 | default(\u0027TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256\u0027) }}\""},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"# Set these variables to deploy custom certificates"},{"line_number":341,"context_line":"#keystone_user_ssl_cert: \u003cpath to cert on ansible deployment host\u003e"},{"line_number":342,"context_line":"#keystone_user_ssl_key: \u003cpath to cert on ansible deployment host\u003e"},{"line_number":343,"context_line":"#keystone_user_ssl_ca_cert: \u003cpath to cert on ansible deployment host\u003e"},{"line_number":344,"context_line":""},{"line_number":345,"context_line":"# Set to true when terminating SSL/TLS at a load balancer"},{"line_number":346,"context_line":"keystone_external_ssl: \"{{ (haproxy_ssl | default(True)) | bool }}\""}],"source_content_type":"text/x-yaml","patch_set":1,"id":"ab3c8ea4_732e34ca","line":343,"range":{"start_line":341,"start_character":0,"end_line":343,"end_character":69},"in_reply_to":"fb1af611_fd583dac","updated":"2023-04-12 18:57:25.000000000","message":"but it\u0027s not entirely true.\n\nbasically you have two ways:\n- define cert + intermediate cert(s) together in ``keystone_user_ssl_cert``\n- define cert in ``keystone_user_ssl_cert`` and intermediate cert(s) in ``keystone_user_ssl_ca_cert``\n\nsecond option is already documented in https://opendev.org/openstack/openstack-ansible-os_keystone/src/commit/a020ff87cde136a5c507b2cdc719d8c1dd85824d/doc/source/configure-keystone.rst?display\u003dsource#L22","commit_id":"339dfb2e0e12c9d9f1a034539852ef6a9d144b4a"}]}
