OpenStack (Newton) enable SSL

This post shows how to switch Horizon to HTTPS.
Before you start, you should have a working OpenStack Horizon served over HTTP.
My setup:
OS: CentOS 7.3
OpenStack: Newton

Changes on controller

Install mod_ssl for HTTPD:

yum -y install mod_ssl

Upload your certificate files:

/etc/pki/tls/certs/khmel.org.pem
/etc/pki/tls/private/privat.key

Uncomment these lines in /etc/openstack-dashboard/local_settings:

SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True

Update /etc/nova/nova.conf. Add to the [DEFAULT] section:

[DEFAULT]
ssl_only = true
cert = /etc/pki/tls/certs/khmel.org.pem
key = /etc/pki/tls/private/privat.key

File /etc/httpd/conf.d/openstack-dashboard.conf should look like this:

WSGIDaemonProcess dashboard
WSGIProcessGroup dashboard
WSGISocketPrefix run/wsgi
<VirtualHost *:80>
  ServerName cloud.khmel.org
  RedirectPermanent /dashboard https://cloud.khmel.org/dashboard
</VirtualHost>
<VirtualHost *:443>
  ServerName cloud.khmel.org
  SSLEngine On
  SSLCertificateFile /etc/pki/tls/certs/khmel.org.pem
  SSLCertificateKeyFile /etc/pki/tls/private/privat.key
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
  Header add Strict-Transport-Security "max-age=15768000"
  WSGIScriptAlias /dashboard /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
  Alias /dashboard/static /usr/share/openstack-dashboard/static
  <Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
    Options All
    AllowOverride All
    Require all granted
  </Directory>
  <Directory /usr/share/openstack-dashboard/static>
    Options All
    AllowOverride All
    Require all granted
  </Directory>
</VirtualHost>

Reboot controller node.

Changes on compute nodes

Update /etc/nova/nova.conf. Add to the [DEFAULT] section:

[DEFAULT]
novncproxy_base_url=https://cloud.khmel.org:6080/vnc_auto.html

Reboot compute nodes
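
An added example, not part of the original post: a small Python audit that checks the controller's three edited files for the settings listed above, so a line left commented out or a mismatched key path is caught before the reboot. The function names and sample strings are constructed for illustration, and the cert/key comparison assumes this post's layout, where nova and httpd use the same files.

```python
import configparser
import re

def vhost(conf, port):
    """Directives of the <VirtualHost *:port> block as {lowercased name: arguments}."""
    m = re.search(r"<VirtualHost [^>]*:%d>(.*?)</VirtualHost>" % port, conf, re.S | re.I)
    lines = (l.split(None, 1) for l in (m.group(1) if m else "").splitlines())
    return {p[0].lower(): (p + [""])[1].strip() for p in lines if p and p[0][0] not in "#<"}

def audit(local_settings, nova_conf, httpd_conf):
    """Return a list of findings; an empty list means every setting from the post is in place."""
    findings = []
    for name, value in (("SECURE_PROXY_SSL_HEADER", r"\("), ("CSRF_COOKIE_SECURE", "True"),
                        ("SESSION_COOKIE_SECURE", "True")):
        # Anchoring at line start means a line still prefixed with '#' does not count.
        if not re.search(r"^%s\s*=\s*%s" % (name, value), local_settings, re.M):
            findings.append("local_settings: %s is not enabled" % name)
    nova = configparser.ConfigParser(interpolation=None, strict=False)
    nova.read_string(nova_conf)
    default = nova.defaults()
    if default.get("ssl_only", "").lower() != "true":
        findings.append("nova.conf: ssl_only is not true")
    tls = vhost(httpd_conf, 443)
    if tls.get("sslengine", "").lower() != "on":
        findings.append("httpd: SSLEngine is not On for :443")
    # Assumption from the post: nova and httpd point at the same certificate and key files.
    for opt, directive in (("cert", "sslcertificatefile"), ("key", "sslcertificatekeyfile")):
        if not default.get(opt) or default.get(opt) != tls.get(directive):
            findings.append("nova.conf %s does not match httpd %s" % (opt, directive))
    if "https://" not in vhost(httpd_conf, 80).get("redirectpermanent", ""):
        findings.append("httpd: :80 does not redirect to https")
    if "strict-transport-security" not in tls.get("header", "").lower():
        findings.append("httpd: no Strict-Transport-Security header for :443")
    return findings

# Constructed sample input: the post's settings, with CSRF_COOKIE_SECURE left commented out.
SAMPLE_LOCAL = ("SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')\n"
                "#CSRF_COOKIE_SECURE = True\nSESSION_COOKIE_SECURE = True\n")
SAMPLE_NOVA = ("[DEFAULT]\nssl_only = true\ncert = /etc/pki/tls/certs/khmel.org.pem\n"
               "key = /etc/pki/tls/private/privat.key\n")
SAMPLE_HTTPD = ("<VirtualHost *:80>\n  RedirectPermanent /dashboard https://cloud.khmel.org/dashboard\n"
                "</VirtualHost>\n<VirtualHost *:443>\n  SSLEngine On\n"
                "  SSLCertificateFile /etc/pki/tls/certs/khmel.org.pem\n"
                "  SSLCertificateKeyFile /etc/pki/tls/private/privat.key\n"
                '  Header add Strict-Transport-Security "max-age=15768000"\n</VirtualHost>\n')

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOCAL, SAMPLE_NOVA, SAMPLE_HTTPD):
        print(finding)
```

To use it on a real controller, pass the contents of /etc/openstack-dashboard/local_settings, /etc/nova/nova.conf and /etc/httpd/conf.d/openstack-dashboard.conf to audit().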

3 thoughts on “OpenStack (Newton) enable SSL”

  1. controller of the universe

    Hi, do I need to copy the certificates to all the compute nodes as well? Thanks mate, cheers!
