Bug 1547248

Summary: After undercloud ssl certificate is updated, ca-trust is not updated automatically
Product: Red Hat OpenStack
Reporter: nalmond
Component: puppet-tripleo
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED EOL
QA Contact: Jeremy Agee <jagee>
Severity: medium
Priority: high
Version: 10.0 (Newton)
CC: aschultz, astupnik, augol, ccopello, chris.brown, cory.bannister, ftaylor, hrybacki, jjoyce, josorior, jschluet, ltamagno, mburns, nkinder, pkesavar, rhel-osp-director-maint, rheslop, rhos-maint, schhabdi, sclewis, shrjoshi, slinaber, smykhail, spower, tvignaud
Target Milestone: z3
Keywords: TestOnly, Triaged, ZStream
Target Release: 14.0 (Rocky)
Hardware: Unspecified
OS: Linux
Fixed In Version: puppet-tripleo-9.1.1-0.20180702230221.1d836c2.el7ost
Doc Type: If docs needed, set a value
Clone Of:
: 1572278
Last Closed: 2020-01-24 12:18:19 UTC
Type: Bug
Bug Depends On: 1609025
Bug Blocks: 1572278, 1572280, 1572282

Description nalmond 2018-02-20 20:38:20 UTC
Description of problem:
RHOSP 10 cloud with SSL-enabled undercloud has been running for about a year. The SSL cert expired and was renewed automatically with certmonger. OpenStack commands run on the undercloud (stackrc sourced) are returning CERTIFICATE_VERIFY_FAILED. After updating the ca-trust, the commands begin working again.

Version-Release number of selected component (if applicable):

How reproducible:
Seen in 2 different customer environments that were deployed about 1 prior to this.

Steps to Reproduce:
1. Install undercloud with 'generate_service_certificate = true'
2. Wait for the ssl cert to expire and renew automatically
3. Source stackrc and run any openstack command

Actual results:
ERROR (SSLError): SSL exception connecting to https://<undercloudip>:13000/v2.0/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

Expected results:
Command returns normally

Additional info:
Able to get this working by running:

$ sudo openssl pkcs12 -in /var/lib/certmonger/local/creds -out /etc/pki/ca-trust/source/anchors/undercloud-ca.pem -nokeys -nodes -passin pass:""
$ sudo update-ca-trust extract
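
The workaround above rewrites the trust anchor unconditionally. The script below is an added example, not part of the bug report or of puppet-tripleo: it first checks whether the anchor still matches the certificates in certmonger's bundle, so the drift can be detected before commands start failing. The function names and the `check`/`refresh` arguments are assumptions; the paths are the ones from the workaround.

```bash
#!/bin/bash
# Added example: detect a stale undercloud CA trust anchor before refreshing it.
# Default paths are the ones from the workaround; function names are hypothetical.
CREDS=${CREDS:-/var/lib/certmonger/local/creds}
ANCHOR=${ANCHOR:-/etc/pki/ca-trust/source/anchors/undercloud-ca.pem}

# Print only the PEM certificate blocks of a file (drops "Bag Attributes" text).
pem_certs() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" 2>/dev/null
}

# Export the certificates (no private keys) from certmonger's PKCS#12 bundle.
extract_ca() {
    openssl pkcs12 -in "$1" -out "$2" -nokeys -nodes -passin pass:"" 2>/dev/null
}

# 0: anchor holds exactly the certificates now in the bundle
# 1: anchor is missing or differs (stale after a renewal)
# 2: the bundle could not be read
anchor_is_current() {
    local creds=$1 anchor=$2 tmp want have
    tmp=$(mktemp) || return 2
    if ! extract_ca "$creds" "$tmp"; then rm -f "$tmp"; return 2; fi
    want=$(pem_certs "$tmp") || want=""
    rm -f "$tmp"
    [ -n "$want" ] || return 2
    have=$(pem_certs "$anchor") || have=""
    [ "$want" = "$have" ]
}

# The two workaround commands, run as root. The export goes through a temp
# file so a failed export cannot clobber the existing anchor.
refresh_anchor() {
    local tmp rc=0
    tmp=$(mktemp) || return 2
    extract_ca "$1" "$tmp" && install -m 0644 "$tmp" "$2" && update-ca-trust extract || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# "check" reports through the exit status; "refresh" acts only on drift (1).
case "${1:-}" in
    check)   anchor_is_current "$CREDS" "$ANCHOR" ;;
    refresh) anchor_is_current "$CREDS" "$ANCHOR"
             case $? in 1) refresh_anchor "$CREDS" "$ANCHOR" ;; 2) exit 2 ;; esac ;;
esac
```

Running it with `check` from cron or a monitoring probe gives a non-zero exit status as soon as certmonger has renewed the local CA and the anchor has not followed.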

Comment 23 Lon Hohberger 2019-01-15 19:35:19 UTC
According to our records, this should be resolved by puppet-tripleo-9.3.1-0.20181010034754.157eaab.el7ost. This build is available now.

Comment 32 Christopher Brown 2019-10-15 13:43:16 UTC
I've also hit this during an OSP 13 z4 -> z8 upgrade.

Comment 35 Red Hat Bugzilla 2023-09-15 00:06:34 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days