OpenStack (Newton) enable SSL

This post shows how to switch Horizon to HTTPS.
Before you start, you should have a working OpenStack Horizon reachable over HTTP.
My setup:
OS: CentOS 7.3
OpenStack: Newton

Changes on controller

Install mod_ssl for HTTPD:

yum -y install mod_ssl

Upload your certificate files:

/etc/pki/tls/certs/khmel.org.pem
/etc/pki/tls/private/privat.key

Uncomment these lines in /etc/openstack-dashboard/local_settings:

SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True

Update /etc/nova/nova.conf. Add to the [DEFAULT] section:

[DEFAULT]
ssl_only = true
cert = /etc/pki/tls/certs/khmel.org.pem
key = /etc/pki/tls/private/privat.key

File /etc/httpd/conf.d/openstack-dashboard.conf should look like this:

WSGIDaemonProcess dashboard
WSGIProcessGroup dashboard
WSGISocketPrefix run/wsgi
<VirtualHost *:80>
  ServerName cloud.khmel.org
  RedirectPermanent /dashboard https://cloud.khmel.org/dashboard
</VirtualHost>
<VirtualHost *:443>
  ServerName cloud.khmel.org
  SSLEngine On
  SSLCertificateFile /etc/pki/tls/certs/khmel.org.pem
  SSLCertificateKeyFile /etc/pki/tls/private/privat.key
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
  Header add Strict-Transport-Security "max-age=15768000"
  WSGIScriptAlias /dashboard /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
  Alias /dashboard/static /usr/share/openstack-dashboard/static
  <Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
    Options All
    AllowOverride All
    Require all granted
  </Directory>
  <Directory /usr/share/openstack-dashboard/static>
    Options All
    AllowOverride All
    Require all granted
  </Directory>
</VirtualHost>

Reboot the controller node.

Changes on compute nodes

Update /etc/nova/nova.conf. Add to the [DEFAULT] section:

[DEFAULT]
novncproxy_base_url=https://cloud.khmel.org:6080/vnc_auto.html

Reboot the compute nodes.
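
To confirm the result after the reboots, this added example (not part of the original post) checks captured response headers for the three things the configuration above should produce: the 301 redirect on port 80, the HSTS header on port 443, and the Secure flag on cookies. The function names and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Each function takes the response
# headers as one string, e.g. "$(curl -sI http://cloud.khmel.org/dashboard)".

# Port 80: must answer 301 with a Location that is an https:// URL.
check_redirect() {
  printf '%s\n' "$1" | tr -d '\r' | awk '
    NR == 1 && $2 == "301" { code = 1 }
    tolower($1) == "location:" && $2 ~ /^https:\/\// { loc = 1 }
    END { exit !(code && loc) }'
}

# Port 443: Strict-Transport-Security must be present with max-age > 0.
check_hsts() {
  printf '%s\n' "$1" | tr -d '\r' | awk '
    tolower($1) == "strict-transport-security:" && match(tolower($0), /max-age=[0-9]+/) {
      if (substr($0, RSTART + 8, RLENGTH - 8) + 0 > 0) ok = 1
    }
    END { exit !ok }'
}

# Prints the name of every cookie set without the Secure attribute
# (CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE should leave this empty).
insecure_cookies() {
  printf '%s\n' "$1" | tr -d '\r' | awk '
    tolower($1) == "set-cookie:" {
      name = $2; sub(/=.*/, "", name)
      if (tolower($0) !~ /; *secure *(;|$)/) print name
    }'
}

# Constructed sample headers (not captured from a real host).
SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Location: https://cloud.khmel.org/dashboard'
SAMPLE_GOOD='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15768000
Set-Cookie: csrftoken=abc123; Max-Age=31449600; Path=/; secure
Set-Cookie: sessionid=xyz789; httponly; Path=/; Secure'
SAMPLE_BAD='HTTP/1.1 200 OK
Set-Cookie: csrftoken=abc123; Path=/; secure
Set-Cookie: sessionid=xyz789; httponly; Path=/'

check_redirect "$SAMPLE_HTTP" && echo "redirect: ok"
check_hsts "$SAMPLE_GOOD" && echo "hsts: ok"
echo "cookies without Secure in bad sample: $(insecure_cookies "$SAMPLE_BAD")"
```
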

4 thoughts on “OpenStack (Newton) enable SSL”

  1. controller of the universe

    Hi, do I need to copy the certificates to all the compute nodes as well? Thanks mate, cheers!

      1. controller of the universe

        As for the key needed, is it the server’s private key (.key) or my own CA’s key (.pem)? Thanks mate!
