Bug 1324138

Summary: [backport] Unable to renew overcloud SSL certificate
Product: Red Hat OpenStack
Reporter: Jaromir Coufal <jcoufal>
Component: rhosp-director
Assignee: Angus Thomas <athomas>
Status: CLOSED ERRATA
QA Contact: Marius Cornea <mcornea>
Severity: urgent
Priority: unspecified
Version: 8.0 (Liberty)
CC: achernet, bnemec, dbecker, dcadzow, gchenuet, hbrock, josorior, jslagle, kbasil, mburns, mcornea, morazi, rhel-osp-director-maint
Target Milestone: async
Keywords: FeatureBackport
Target Release: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-tripleo-heat-templates-0.8.6-125.el7ost
Doc Type: Bug Fix
Clone Of: 1321588
Last Closed: 2016-07-06 15:06:04 UTC
Type: Bug
Bug Depends On: 1321588

Description Jaromir Coufal 2016-04-05 15:27:47 UTC
+++ This bug was initially created as a clone of Bug #1321588 +++

Description of problem:
Redeploying the overcloud with a new SSL certificate/key fails.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-0.8.12-2.el7ost.noarch

How reproducible:


Steps to Reproduce:
1. Generate an initial set of self-signed certificate/key and use them for deployment.

2. Generate a new set of certificate/key, update the enable-tls.yaml and inject-trust-anchor.yaml files and rerun the overcloud deploy.

Actual results:
Update fails with the following error:

Mar 28 14:09:36 overcloud-controller-0.localdomain os-collect-config[3878]: Error: /Stage[main]/Keystone::Roles::Admin/Keystone_user[admin]: Could not evaluate: Execution of '/usr/bin/openstack token issue --format value' returned 1: SSL exception connecting to https://172.16.23.10:13000/v3/auth/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)

Expected results:
Update succeeds.

Additional info:
The failed command is run before the haproxy configuration including the new certificate is loaded. The certificate validation fails because haproxy loads the old certificate while the trusted store has already been updated with the new certificate.

--- Additional comment from Marius Cornea on 2016-03-28 11:25:23 EDT ---

Please note that updating a not expired certificate works when using a root CA certificate in the inject-trust-anchor.yaml, but I suspect it doesn't work when updating an expired certificate.

--- Additional comment from Juan Antonio Osorio on 2016-03-29 10:54:43 EDT ---

Marius, from what I see it indeed won't work when updating. And this is because of a limitation with the tripleo loadbalancer module. Seems that this issue occurs because haproxy is not restarted when there's an update of the certificate; or actually, it's just not restarted at all by the module. So it will still be serving the old certificate.
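A small diagnostic for the mismatch described in the additional info and in Juan Antonio Osorio's comment, added here and not part of the bug report or of tripleo: it fetches the certificate the endpoint actually serves, compares its fingerprint with the certificate that was injected, and only then checks that the served certificate validates against the injected CA. The host, port and PEM strings are assumptions supplied by the caller; the sample inputs at the bottom are constructed stand-ins, not real certificates.

```python
"""Detect an endpoint (e.g. haproxy in front of keystone) that still serves
an old certificate after a new one was injected into the trust store.
Constructed diagnostic, not tripleo-heat-templates code."""
import hashlib
import socket
import ssl


def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def served_matches_expected(served_pem: str, expected_pem: str) -> bool:
    """True when the served certificate has the same fingerprint as the one
    we injected. False is the situation in this bug: the trust store already
    holds the new certificate but haproxy still serves the old one."""
    served = ssl.PEM_cert_to_DER_cert(served_pem)
    expected = ssl.PEM_cert_to_DER_cert(expected_pem)
    return sha256_fingerprint(served) == sha256_fingerprint(expected)


def fetch_served_cert(host: str, port: int, timeout: float = 5.0) -> str:
    """Fetch the endpoint's leaf certificate as PEM without verifying it, so
    this probe cannot fail the way 'openstack token issue' did."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


def diagnose(host: str, port: int, expected_pem: str, ca_pem: str) -> str:
    """Return 'stale-cert', 'untrusted' or 'ok' for host:port (assumed inputs)."""
    if not served_matches_expected(fetch_served_cert(host, port), expected_pem):
        return "stale-cert"  # haproxy has not picked up the new certificate yet
    ctx = ssl.create_default_context(cadata=ca_pem)  # trust only the injected CA
    try:
        with socket.create_connection((host, port), timeout=5.0) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError:
        return "untrusted"  # served cert does not chain to the injected CA


if __name__ == "__main__":
    # Constructed stand-ins: the fingerprint comparison only needs DER bytes.
    OLD = ssl.DER_cert_to_PEM_cert(b"old")
    NEW = ssl.DER_cert_to_PEM_cert(b"new")
    print(served_matches_expected(OLD, NEW))  # False: endpoint still on the old cert
```

Run `diagnose("172.16.23.10", 13000, new_cert_pem, ca_pem)` against the public VIP from the log line above once the new files are in place; 'stale-cert' means haproxy must be reloaded before any further deploy step talks to keystone.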

Comment 3 Marius Cornea 2016-06-28 15:13:23 UTC
Verified on latest build: openstack-tripleo-heat-templates-0.8.6-127.el7ost.noarch

Comment 5 errata-xmlrpc 2016-07-06 15:06:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1387