Bug 1255909

Summary: SSL certificates error while installing RHEL-OSP with director
Product: Red Hat OpenStack
Reporter: SHAILESH PILARE <shailesh.pilare>
Component: instack-undercloud
Assignee: Ben Nemec <bnemec>
Status: CLOSED ERRATA
QA Contact: Marius Cornea <mcornea>
Severity: urgent
Priority: urgent
Version: 7.0 (Kilo)
CC: ayoung, hbrock, jcoufal, mburns, nkinder, racedoro, rhel-osp-director-maint, rscarazz, yeylon
Target Milestone: ga
Keywords: TestOnly, Triaged
Target Release: 8.0 (Liberty)
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2016-04-07 21:39:14 UTC
Type: Bug

Description SHAILESH PILARE 2015-08-21 20:44:40 UTC
Description of problem:
Error while installing Red Hat Enterprise Linux OpenStack Platform by following the document below:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/7/html/Director_Installation_and_Usage/sect-Configuring_the_Director.html


Version-Release number of selected component (if applicable):
7.0

How reproducible:
Issue the following command by following above document 
openstack undercloud install

Actual results:
ERROR: openstack Command 'instack-install-undercloud' returned non-zero exit status 1
Expected results:
Should get success status.



Additional info:
Warning: Permanently added '192.0.2.1' (ECDSA) to the list of known hosts.
The following cert files already exist, use --rebuild to remove the existing files before regenerating:
/etc/keystone/ssl/certs/ca.pem already exists
/etc/keystone/ssl/private/signing_key.pem already exists
/etc/keystone/ssl/certs/signing_cert.pem already exists
Connection to 192.0.2.1 closed.
PKI initialization in init-keystone is deprecated and will be removed.
+ openstack role show ResellerAdmin
WARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
WARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
WARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
ERROR: openstack Could not determine a suitable URL for the plugin
+ openstack role create ResellerAdmin
WARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
WARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
ERROR: openstack Could not determine a suitable URL for the plugin
[2015-08-21 22:33:20,266] (os-refresh-config) [ERROR] during post-configure phase. [Command '['dib-run-parts', '/usr/libexec/os-refresh-config/post-configure.d']' returned non-zero exit status 1]

[2015-08-21 22:33:20,266] (os-refresh-config) [ERROR] Aborting...
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 526, in install
    _run_orc(instack_env)
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 461, in _run_orc
    _run_live_command(args, instack_env, 'os-refresh-config')
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 297, in _run_live_command
    raise RuntimeError('%s failed. See log for details.', name)
RuntimeError: ('%s failed. See log for details.', 'os-refresh-config')
ERROR: openstack Command 'instack-install-undercloud' returned non-zero exit status 1

Comment 3 Ramon Acedo 2015-09-12 18:28:36 UTC
I hit this issue and the workaround for now is to comment in undercloud.conf this:

# undercloud_service_certificate = /etc/pki/instack-certs/undercloud.pem

The official documentation suggests you can set up SSL:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/7/html/Director_Installation_and_Usage/sect-Configuring_the_Director.html

But if you set it as described you hit this issue.

I tried disabling SELinux but the issue remained, so I worked it around by commenting undercloud_service_certificate.

Comment 4 Nathan Kinder 2015-09-25 20:14:48 UTC
This seems like it's filed against the wrong component, as this isn't really a Keystone issue.  Moving to instack-undercloud.

Comment 5 Jamie Lennox 2015-09-27 23:52:54 UTC
It seems like auth_token middleware isn't configured with a CA certificate that allows it to query the root keystone URL to determine versions. I'll have to look into making that error more explicit; however, it seems like a bad configuration.

Comment 7 Jaromir Coufal 2015-11-30 12:02:49 UTC
I believe this should be fixed with SSL work for undercloud/overcloud in next release.

Comment 8 Ben Nemec 2016-01-05 17:45:38 UTC
Okay, I think there's some confusion here.  The initial bug report is not an SSL error.  The messages about ssl certificates are normal and not a problem.  The actual issue is that the "openstack role show ResellerAdmin" command is failing, and as far as I can tell there's no SSL involved there (in 7.0 you would be seeing the SSL certificate warnings when it connected to keystone, and since those are not present I don't believe it ever got to that point).

If ssl was enabled, then it sounds like stackrc was not generated correctly.  This _may_ happen if the undercloud is installed without ssl and then reinstalled with ssl.  To my knowledge that will not work in 7.0 anyway for a number of reasons, so I doubt we can fix it at this point.

In any case, to say for sure that's what is going on I would need to see undercloud.conf and /root/stackrc from the system.  ~/.instack/install-undercloud.log would probably be good too.

Note that in 8 we won't be using stackrc to inject self-signed CA certs.  We're going to just install them to the undercloud pki infrastructure so there are no special client configuration steps needed.
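
An added example, not part of the bug thread and not instack-undercloud code: a consistency check between the two files Comment 8 asks for, flagging a stackrc that disagrees with the SSL setting in undercloud.conf. It assumes stackrc uses the standard OpenStack client variables OS_AUTH_URL and OS_CACERT; the function names and the sample file contents are constructed for illustration.

```python
import configparser
import re
from urllib.parse import urlparse

# Matches "export NAME=value" and "NAME=value"; commented lines do not match.
ASSIGN_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_]\w*)=(.*)$")

def parse_rc(text):
    """Collect NAME -> value from the assignment lines of a shell rc file."""
    env = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2).strip().strip("\"'")
    return env

def service_certificate(conf_text):
    """Return the active undercloud_service_certificate path, or None."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    value = cp.get("DEFAULT", "undercloud_service_certificate", fallback="")
    return value.strip() or None

def check(conf_text, rc_text):
    """Return findings where undercloud.conf and stackrc disagree on SSL."""
    cert = service_certificate(conf_text)
    env = parse_rc(rc_text)
    url = env.get("OS_AUTH_URL", "")
    scheme = urlparse(url).scheme
    findings = []
    if not url:
        findings.append("stackrc sets no OS_AUTH_URL")
    elif cert and scheme != "https":
        findings.append("certificate configured but OS_AUTH_URL is " + scheme)
    elif not cert and scheme == "https":
        findings.append("OS_AUTH_URL is https but no certificate configured")
    # Assumption: a self-signed CA has to reach the client through OS_CACERT.
    if scheme == "https" and not env.get("OS_CACERT"):
        findings.append("https OS_AUTH_URL without OS_CACERT")
    return findings

# Constructed samples: SSL enabled in the config, stackrc from a non-SSL install.
CONF_SSL = "[DEFAULT]\nundercloud_service_certificate = /etc/pki/instack-certs/undercloud.pem\n"
CONF_WORKAROUND = "[DEFAULT]\n# undercloud_service_certificate = /etc/pki/instack-certs/undercloud.pem\n"
RC_PLAIN = "export OS_USERNAME=admin\nexport OS_AUTH_URL=http://192.0.2.1:5000/v2.0\n"

if __name__ == "__main__":
    for finding in check(CONF_SSL, RC_PLAIN):
        print("MISMATCH:", finding)
```

The OS_CACERT finding does not apply when the signing CA is already in the system trust store.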

Comment 9 Marius Cornea 2016-02-16 18:21:53 UTC
I tested this on OSP-d 7.3. I generated the certificate according to the docs[1] and set the undercloud_service_certificate = /etc/pki/instack-certs/undercloud.pem in undercloud.conf

openstack undercloud install finished successfully.

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/7/html/Director_Installation_and_Usage/appe-SSL_Certificate_Configuration.html

Comment 10 Raoul Scarazzini 2016-03-01 18:06:18 UTC
You may hit this error but as Ben wrote on https://bugzilla.redhat.com/show_bug.cgi?id=1255909#c8 this does not involve SSL.
Looking at https://bugzilla.redhat.com/show_bug.cgi?id=1301185 you may find out that it is sufficient to restart haproxy as a workaround.

Comment 12 errata-xmlrpc 2016-04-07 21:39:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0604.html