Bug 1255909
Summary: | SSL certificates error while installing RHEL-OSP with director | ||
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | SHAILESH PILARE <shailesh.pilare> |
Component: | instack-undercloud | Assignee: | Ben Nemec <bnemec> |
Status: | CLOSED ERRATA | QA Contact: | Marius Cornea <mcornea> |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | ||
Version: | 7.0 (Kilo) | CC: | ayoung, hbrock, jcoufal, mburns, nkinder, racedoro, rhel-osp-director-maint, rscarazz, yeylon |
Target Milestone: | ga | Keywords: | TestOnly, Triaged |
Target Release: | 8.0 (Liberty) | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2016-04-07 21:39:14 UTC | Type: | Bug |
Description
SHAILESH PILARE
2015-08-21 20:44:40 UTC
I hit this issue and the workaround for now is to comment in undercloud.conf this:

# undercloud_service_certificate = /etc/pki/instack-certs/undercloud.pem

The official documentation suggests you can set up SSL: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/7/html/Director_Installation_and_Usage/sect-Configuring_the_Director.html

But if you set it as described you hit this issue. I tried disabling SELinux but the issue remained so I worked it around by commenting undercloud_service_certificate

This seems like it's filed against the wrong component, as this isn't really a Keystone issue. Moving to instack-undercloud.

It seems like auth_token middleware isn't configured with a CA certificate that allows it to query the root keystone URL to determine versions. I'll have to look into making that error more explicit however it seems like a bad configuration.

I believe this should be fixed with SSL work for undercloud/overcloud in next release.

Okay, I think there's some confusion here. The initial bug report is not an SSL error. The messages about ssl certificates are normal and not a problem. The actual issue is that the "openstack role show ResellerAdmin" command is failing, and as far as I can tell there's no SSL involved there (in 7.0 you would be seeing the SSL certificate warnings when it connected to keystone, and since those are not present I don't believe it ever got to that point).

If ssl was enabled, then it sounds like stackrc was not generated correctly. This _may_ happen if the undercloud is installed without ssl and then reinstalled with ssl. To my knowledge that will not work in 7.0 anyway for a number of reasons, so I doubt we can fix it at this point. In any case, to say for sure that's what is going on I would need to see undercloud.conf and /root/stackrc from the system. ~/.instack/install-undercloud.log would probably be good too.

Note that in 8 we won't be using stackrc to inject self-signed CA certs. We're going to just install them to the undercloud pki infrastructure so there are no special client configuration steps needed.

I tested this on OSP-d 7.3. I generated the certificate according to the docs[1] and set the undercloud_service_certificate = /etc/pki/instack-certs/undercloud.pem in undercloud.conf

openstack undercloud install finished successfully.

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/7/html/Director_Installation_and_Usage/appe-SSL_Certificate_Configuration.html

You may hit this error but as Ben wrote on https://bugzilla.redhat.com/show_bug.cgi?id=1255909#c8 this does not involve SSL. Looking at https://bugzilla.redhat.com/show_bug.cgi?id=1301185 you may find out that it is sufficient to restart haproxy as a workaround.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0604.html