Bug 1380928

Summary: Renewing overcloud SSL certificate fails
Product: Red Hat OpenStack
Reporter: Marius Cornea <mcornea>
Component: openstack-tripleo-heat-templates
Assignee: Jiri Stransky <jstransk>
Status: CLOSED ERRATA
QA Contact: Arik Chernetsky <achernet>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: 10.0 (Newton)
CC: dbecker, josorior, jschluet, kbasil, mburns, morazi, nkinder, rhel-osp-director-maint
Target Milestone: rc
Keywords: Regression, Triaged
Target Release: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openstack-tripleo-heat-templates-5.0.0-0.20161008015357.0d3e3e3.1.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-12-14 16:07:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Marius Cornea 2016-10-01 16:32:51 UTC
Description of problem:
Renewing overcloud SSL certificate fails

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-5.0.0-0.20160929150845.4cdc4fc.el7ost.noarch

How reproducible:
100%

Steps to Reproduce:
1. Deploy SSL enabled overcloud
2. Regenerate SSL certificate/key and update the undercloud system store
3. Deploy overcloud with updated certificate and key

Actual results:
Deployment finishes but certificate validation fails when calling keystone api:

SSL exception connecting to https://172.16.18.25:13000/v2.0/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

Expected results:
The keystone api succeeds as the undercloud certificate store has been updated with the new certificate.

Additional info:
After doing pcs resource restart haproxy on one of the controllers the connection is successful, so it seems we're missing a haproxy reload step when the certificate is updated.
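The report above boils down to a certificate that was rotated on disk while haproxy kept serving the pre-rotation one. A quick way to confirm that state, before or after a reload, is to compare the SHA-256 fingerprint of the leaf certificate the VIP actually presents with the fingerprint of the first certificate block in the PEM file installed on the controller. The script below is an added example and is not part of this bug report or of tripleo-heat-templates; the VIP and port are taken from the report, while CERT_FILE is a hypothetical path and the two DER byte strings are constructed placeholders (not real certificates) so the fingerprint logic can be exercised offline.

```python
"""Detect a stale TLS certificate still being served after rotation.

Added example, not part of the bug report or of tripleo-heat-templates.
Compares the fingerprint of the certificate presented by an endpoint with
the fingerprint of the certificate installed on disk. A mismatch means the
proxy (haproxy here) has not reloaded the new certificate yet.
"""
import base64
import hashlib
import socket
import ssl

# Endpoint from the report; CERT_FILE is a hypothetical path (assumption).
KEYSTONE_ENDPOINT = ("172.16.18.25", 13000)
CERT_FILE = "/path/to/overcloud-public.pem"  # hypothetical, adjust per deployment

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed sample data: NOT real certificates, just two distinct byte strings
# standing in for DER-encoded leaf certificates before and after rotation.
OLD_CERT_DER = b"constructed-pre-rotation-certificate"
NEW_CERT_DER = b"constructed-post-rotation-certificate"


def fingerprint_der(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of DER bytes, in the colon-separated uppercase
    form that openssl x509 -fingerprint -sha256 prints."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor (used to build the constructed samples)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def leaf_der_from_pem(pem_text: str) -> bytes:
    """Return the DER bytes of the FIRST certificate block in a PEM bundle.

    haproxy bundles commonly hold leaf + chain + private key in one file;
    taking only the first CERTIFICATE block picks the leaf and never touches
    the key block.
    """
    start = pem_text.find(PEM_HEADER)
    if start == -1:
        raise ValueError("no CERTIFICATE block found in PEM data")
    end = pem_text.find(PEM_FOOTER, start)
    if end == -1:
        raise ValueError("unterminated CERTIFICATE block in PEM data")
    body = pem_text[start + len(PEM_HEADER):end]
    return base64.b64decode("".join(body.split()))


def served_matches_disk(served_der: bytes, disk_pem: str) -> bool:
    """True when the presented leaf is byte-identical to the on-disk leaf."""
    return fingerprint_der(served_der) == fingerprint_der(leaf_der_from_pem(disk_pem))


def served_leaf_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate an endpoint presents.

    Verification is deliberately disabled: the question here is *which*
    certificate is served, not whether it chains to a trusted CA.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_endpoint(host: str, port: int, cert_path: str) -> dict:
    """Compare the served and on-disk leaf fingerprints for one endpoint."""
    with open(cert_path, encoding="ascii") as fh:
        disk_pem = fh.read()
    served = served_leaf_der(host, port)
    return {
        "served": fingerprint_der(served),
        "on_disk": fingerprint_der(leaf_der_from_pem(disk_pem)),
        "match": served_matches_disk(served, disk_pem),
    }


if __name__ == "__main__":
    result = check_endpoint(*KEYSTONE_ENDPOINT, CERT_FILE)
    print("served : ", result["served"])
    print("on disk: ", result["on_disk"])
    if not result["match"]:
        # The symptom from the report: the VIP still presents the old leaf,
        # so haproxy needs a reload/restart to pick up the rotated file.
        print("MISMATCH: proxy is serving a certificate that differs from disk")
```

Run it on each controller after a certificate rotation; a MISMATCH line reproduces the condition in the report, and the same check turning to a match after the haproxy reload confirms the missing reload step was the cause rather than a bad certificate.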

Comment 1 Juan Antonio Osorio 2016-10-03 17:08:23 UTC
I talked to Marius about this. Seems to be a regression since we used to restart the pacemaker services every time, and we no longer have this behavior, which is what we relied on for fetching the new certificate. I'm working on a fix.

Comment 3 Juan Antonio Osorio 2016-10-11 07:04:59 UTC
The fix for this merged upstream even for newton.

Comment 9 errata-xmlrpc 2016-12-14 16:07:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html