Bug 1321588

Summary: Unable to renew overcloud SSL certificate
Product: Red Hat OpenStack
Component: rhosp-director
Version: 8.0 (Liberty)
Status: CLOSED ERRATA
Severity: urgent
Priority: unspecified
Target Milestone: ga
Target Release: 8.0 (Liberty)
Hardware: Unspecified
OS: Unspecified
Reporter: Marius Cornea <mcornea>
Assignee: Ben Nemec <bnemec>
QA Contact: Marius Cornea <mcornea>
CC: dbecker, gchenuet, hbrock, josorior, jslagle, kbasil, mburns, morazi, rhel-osp-director-maint
Fixed In Version: openstack-tripleo-heat-templates-0.8.14-6.el7ost
Doc Type: Bug Fix
Doc Text:
Cause: HAProxy configuration was not reloaded after replacing the installed certificate, which meant the old certificate would continue to be used incorrectly.
Consequence: If the certificate had expired, subsequent OpenStack calls would fail even though the new certificate had been installed.
Fix: HAProxy configuration is now reloaded after certificates are installed.
Result: Update of expired certificates works as expected.
Story Points: ---
Clones: 1324138
Bug Blocks: 1324138
Type: Bug
Last Closed: 2016-04-15 14:31:33 UTC

Description Marius Cornea 2016-03-28 14:15:15 UTC
Description of problem:
Redeploying the overcloud with a new SSL certificate/key fails.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-0.8.12-2.el7ost.noarch

How reproducible:


Steps to Reproduce:
1. Generate an initial set of self-signed certificate/key and use them for deployment.

2. Generate a new set of certificate/key, update the enable-tls.yaml and inject-trust-anchor.yaml files and rerun the overcloud deploy.

Actual results:
Update fails with the following error:

Mar 28 14:09:36 overcloud-controller-0.localdomain os-collect-config[3878]: Error: /Stage[main]/Keystone::Roles::Admin/Keystone_user[admin]: Could not evaluate: Execution of '/usr/bin/openstack token issue --format value' returned 1: SSL exception connecting to https://172.16.23.10:13000/v3/auth/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)

Expected results:
Update succeeds.

Additional info:
The failed command is run before the haproxy configuration including the new certificate is loaded. The certificate validation fails because haproxy loads the old certificate while the trusted store has already been updated with the new certificate.
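A pre-check for the failure mode described above (trust store already updated while HAProxy still presents the previous certificate), as an added example that is not part of the bug report or of tripleo-heat-templates: it compares the SHA-256 fingerprint of the installed PEM file with the certificate the endpoint actually serves, so a stale certificate is detected before a call such as `openstack token issue` is attempted. The sample PEM blobs are constructed (base64 of arbitrary bytes, not real X.509 data) so the comparison logic runs offline; only `check_endpoint` needs network access.

```python
import base64
import hashlib
import ssl


def fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of a PEM certificate, in the colon-separated
    uppercase form that `openssl x509 -noout -fingerprint -sha256` prints,
    so it can be compared against operator tooling output."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def served_matches_installed(served_pem: str, installed_pem: str) -> bool:
    """True when the endpoint presents exactly the certificate on disk."""
    return fingerprint(served_pem) == fingerprint(installed_pem)


def check_endpoint(host: str, port: int, installed_cert_path: str) -> bool:
    """Fetch the certificate the TLS endpoint presents (no verification, we
    only want the bytes) and compare it with the freshly installed file.
    False means HAProxy is still serving the old certificate and must be
    reloaded before any API call is made against the endpoint."""
    served = ssl.get_server_certificate((host, port))
    with open(installed_cert_path, encoding="ascii") as fh:
        return served_matches_installed(served, fh.read())


def make_constructed_pem(raw: bytes) -> str:
    """Wrap arbitrary bytes as a PEM block. Constructed test data only:
    the body is not a real certificate, but PEM_cert_to_DER_cert and the
    fingerprint computation treat it exactly like one."""
    body = base64.encodebytes(raw).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed stand-ins for the certificate HAProxy still serves and the
# one that was just installed on the controller.
OLD_PEM = make_constructed_pem(b"constructed: previous overcloud certificate")
NEW_PEM = make_constructed_pem(b"constructed: renewed overcloud certificate")

if __name__ == "__main__":
    # Stale-certificate case from the bug: installed != served.
    print("served matches installed:", served_matches_installed(OLD_PEM, NEW_PEM))
    print("installed fingerprint:", fingerprint(NEW_PEM))
```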

Comment 1 Marius Cornea 2016-03-28 15:25:23 UTC
Please note that updating a non-expired certificate works when using a root CA certificate in the inject-trust-anchor.yaml, but I suspect it doesn't work when updating an expired certificate.

Comment 2 Juan Antonio Osorio 2016-03-29 14:54:43 UTC
Marius, from what I see it indeed won't work when updating. And this is because of a limitation with the tripleo loadbalancer module. It seems that this issue occurs because haproxy is not restarted when there's an update of the certificate; or actually, it's just not restarted at all by the module. So it will still be serving the old certificate.

Comment 6 errata-xmlrpc 2016-04-15 14:31:33 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0637.html