Some OpenStack services can provide SSL natively, and there is a great guide on how to enable SSL for Keystone.
However, some services either do not provide native SSL or have a bug (e.g. Neutron in Icehouse) which prevents you from enabling it. But there is a way to enable SSL for those services using haproxy.
First, move Neutron to a different port. Make sure that /etc/neutron/neutron.conf contains:
[DEFAULT]
use_ssl = False
bind_port = 8696
Then install haproxy:
yum install haproxy
And make sure /etc/haproxy/haproxy.cfg contains:
frontend neutron
bind 0.0.0.0:9696 ssl crt /etc/haproxy/fed-cloud09.combined
default_backend neutron
backend neutron
server neutron 127.0.0.1:8696 check
where the file /etc/haproxy/fed-cloud09.combined contains the server certificate and its private key concatenated together:
cat /etc/pki/tls/certs/fed-cloud09-keystone.pem /etc/pki/tls/private/fed-cloud09.key > /etc/haproxy/fed-cloud09.combined
Then restrict access to that file, since it contains the private key:
chown haproxy /etc/haproxy/fed-cloud09.combined
chmod 640 /etc/haproxy/fed-cloud09.combined
And restart and enable the services:
openstack-service restart
chkconfig haproxy on
service haproxy start
And you are done.
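As an added example (not part of the original post), here is a small Python checker for the setup above. It verifies that the combined file haproxy loads via `ssl crt` really holds both a certificate and a private key and is not world-readable, that haproxy's backend port matches Neutron's `bind_port` with `use_ssl = False`, and it flags the one thing the procedure leaves open: neutron-server still listens for plain HTTP on all interfaces on port 8696 unless `bind_host` (a real neutron.conf option) is set to 127.0.0.1 or the port is firewalled. The sample inputs are constructed to mirror the post's configuration.

```python
import re
import stat
from configparser import ConfigParser
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

# Constructed sample inputs mirroring the post's configuration (not real files).
SAMPLE_NEUTRON_CONF = "[DEFAULT]\nuse_ssl = False\nbind_port = 8696\n"
SAMPLE_HAPROXY_CFG = """frontend neutron
    bind 0.0.0.0:9696 ssl crt /etc/haproxy/fed-cloud09.combined
    default_backend neutron
backend neutron
    server neutron 127.0.0.1:8696 check
"""

def check_bundle(pem_text, mode):
    """Check the combined cert+key file haproxy loads via 'ssl crt'.
    pem_text: file contents; mode: st_mode from os.stat(). Returns findings."""
    findings = []
    kinds = [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]
    if "CERTIFICATE" not in kinds:
        findings.append("bundle has no CERTIFICATE block")
    if not any(k.endswith("PRIVATE KEY") for k in kinds):
        findings.append("bundle has no PRIVATE KEY block")
    if mode & stat.S_IRWXO:
        findings.append("bundle is readable by others; chmod 640 or stricter")
    return findings

def check_wiring(neutron_conf, haproxy_cfg):
    """Check that haproxy terminates SSL and forwards to Neutron's plain port."""
    findings = []
    cp = ConfigParser(strict=False)
    cp.read_string(neutron_conf)
    bind_port = cp.get("DEFAULT", "bind_port", fallback="9696")
    if cp.get("DEFAULT", "use_ssl", fallback="False").lower() != "false":
        findings.append("use_ssl must be False when haproxy terminates SSL")
    if not re.search(r"^\s*bind\s+\S+\s+ssl\s+crt\s+\S+", haproxy_cfg, re.M):
        findings.append("frontend has no 'bind ... ssl crt' line")
    m = re.search(r"^\s*server\s+\S+\s+([\d.]+):(\d+)", haproxy_cfg, re.M)
    if not m:
        findings.append("backend has no server line")
    elif m.group(2) != bind_port:
        findings.append(f"backend port {m.group(2)} != neutron bind_port {bind_port}")
    # neutron-server still accepts plain HTTP on every interface unless bind_host is set
    if cp.get("DEFAULT", "bind_host", fallback="0.0.0.0") != "127.0.0.1":
        findings.append(f"plain HTTP port {bind_port} reachable externally; set bind_host = 127.0.0.1")
    return findings

if __name__ == "__main__":
    print(check_wiring(SAMPLE_NEUTRON_CONF, SAMPLE_HAPROXY_CFG))
```

Run it against the real files by reading /etc/neutron/neutron.conf, /etc/haproxy/haproxy.cfg and the combined bundle (with `os.stat(path).st_mode`) instead of the samples.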
The benefit of this approach is that you can manage your SSL certificates in one place.
Kudos goes to Lars Kellogg-Stedman for showing me this thing.