Bug 1666379

Summary: /etc/pki/ca-trust/source/anchors/cm-local-ca.pem has wrong permissions after undercloud installation
Product: Red Hat OpenStack Reporter: Marius Cornea <mcornea>
Component: puppet-tripleoAssignee: RHOS Maint <rhos-maint>
Status: CLOSED ERRATA QA Contact: Jeremy Agee <jagee>
Severity: high Docs Contact:
Priority: high    
Version: 15.0 (Stein)CC: dbecker, emacchi, hrybacki, jjoyce, josorior, jschluet, mburns, michele, morazi, pkesavar, rhos-maint, rmascena, slinaber, tvignaud
Target Milestone: Upstream M3Keywords: Triaged
Target Release: 15.0 (Stein)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: puppet-tripleo-10.4.2-0.20190502220347.02cd12e.el8ost.noarch.rpm Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1667447 (view as bug list) Environment:
Last Closed: 2019-09-21 11:19:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1667447, 1667450    

Description Marius Cornea 2019-01-15 16:36:39 UTC 
Description of problem:

(undercloud) [stack@undercloud-0 ~]$ openstack stack list
Failed to discover available identity versions when contacting https://192.168.24.2:13000/. Attempting to parse version from URL.
Could not find versioned identity endpoints when attempting to authenticate. Please check that your auth_url is correct. SSL exception connecting to https://192.168.24.2:13000: HTTPSConnectionPool(host='192.168.24.2', port=13000): Max retries exceeded with url: / (Caused by SSLError(PermissionError(13, 'Permission denied'),))

Checking the permissions for the CA certificate set in OS_CACERT:
(undercloud) [stack@undercloud-0 ~]$ grep OS_CACERT stackrc 
export OS_CACERT="/etc/pki/ca-trust/source/anchors/cm-local-ca.pem"
(undercloud) [stack@undercloud-0 ~]$ ls -l /etc/pki/ca-trust/source/anchors/cm-local-ca.pem
-rw-------. 1 root root 1587 Jan 11 16:05 /etc/pki/ca-trust/source/anchors/cm-local-ca.pem

After setting read permissions the openstack command returned successfully:

(undercloud) [stack@undercloud-0 ~]$ sudo chmod o+r /etc/pki/ca-trust/source/anchors/cm-local-ca.pem
(undercloud) [stack@undercloud-0 ~]$ openstack stack list



Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-10.2.1-0.20190111152159.64fa74e.fc28.noarch

How reproducible:
100%

Steps to Reproduce:
1. Deploy undercloud
2. source stackrc
3. Run 'openstack stack list'

Actual results:
Failed to discover available identity versions when contacting https://192.168.24.2:13000/. Attempting to parse version from URL.
Could not find versioned identity endpoints when attempting to authenticate. Please check that your auth_url is correct. SSL exception connecting to https://192.168.24.2:13000: HTTPSConnectionPool(host='192.168.24.2', port=13000): Max retries exceeded with url: / (Caused by SSLError(PermissionError(13, 'Permission denied'),))

Expected results:
No faiure

Additional info:
Comment 9 Harry Rybacki 2019-02-06 16:19:09 UTC 
Updated the wrong clone of the RHBZ -- moving back to POST.
Comment 15 errata-xmlrpc 2019-09-21 11:19:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:2811
Comment 16 Red Hat Bugzilla 2023-09-14 04:45:06 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days