Bug 2193388

Summary: client reports a 501 error from the horizon dashboard on a tls-everywhere deploy
Product: Red Hat OpenStack Reporter: Jeremy Agee <jagee>
Component: puppet-horizon Assignee: Radomir Dopieralski <rdopiera>
Status: ON_DEV --- QA Contact: Ashish Gupta <ashigupt>
Severity: medium Docs Contact:
Priority: high    
Version: 17.1 (Wallaby) CC: ashigupt, chjones, dciabrin, igallagh, jjoyce, jschluet, mciecier, pgrist, rdopiera, rrubins, slinaber, tkajinam, tvignaud
Target Milestone: z1 Keywords: Triaged
Target Release: 17.1 Flags: rdopiera: needinfo? (jagee)
mciecier: needinfo? (dciabrin)
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Known Issue
Doc Text:
The Dashboard service (horizon) is currently configured to validate client TLS certificates by default, which breaks the Dashboard service on all TLS everywhere (TLS-e) deployments.
+
Workaround:

. Add the following configuration to an environment file:
+
----
parameter_defaults:
  ControllerExtraConfig:
    horizon::ssl_verify_client: none
----

. Add the environment file to the stack with your other environment files and deploy the overcloud:
+
----
(undercloud)$ openstack overcloud deploy --templates \
-e [your environment files] \
-e /home/stack/templates/<environment_file>.yaml
----
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jeremy Agee 2023-05-05 13:31:52 UTC
Description of problem:
The client web browser reports a 501 http error when connecting to the public endpoint of horizon at https://overcloud./dashboard.

How reproducible:
every time

Steps to Reproduce:
1. deploy the overcloud with tls everywhere

Actual results:
client browser reports a 501 http error

Expected results:
client browser can connect to the dashboard


Additional info:
The controllers have client verification required with the line:
SSLVerifyClient         require

in the horizon pod config. 
/var/lib/config-data/horizon/etc/httpd/conf.d/15-horizon_ssl_vhost.conf

Comment 1 Radomir Dopieralski 2023-05-09 11:06:37 UTC
In puppet-horizon, ssl_verify_client defaults to undef; see https://github.com/openstack/puppet-horizon/blob/master/manifests/init.pp#L618

So you must be setting it to "require" when calling puppet-horizon somewhere. How are you calling it? That's where the problem will be.
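
A read-only check for the condition reported in the description, added here as an example and not taken from this bug or from puppet-horizon: it reports the vhost-level SSLVerifyClient mode of each VirtualHost in a rendered Apache config, treating a missing directive as mod_ssl's default, none. The function names and the sample config are constructed for illustration, and directives inside nested containers such as <Directory> are not evaluated.

```shell
# Print "<vhost address> <mode>" for each <VirtualHost> in an Apache config on stdin.
# Only vhost-level directives count; a missing SSLVerifyClient means mod_ssl's default, none.
vhost_verify_client() {
    awk '
    { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
    low == "" || low ~ /^#/ { next }
    low ~ /^<virtualhost[ \t]/ {
        name = line
        sub(/^<[^ \t]+[ \t]+/, "", name)    # drop the "<VirtualHost " prefix
        sub(/>.*$/, "", name)               # drop the closing ">"
        mode = "none"; depth = 0; invhost = 1
        next
    }
    low ~ /^<\/virtualhost>/ { if (invhost) print name, mode; invhost = 0; next }
    invhost && low ~ /^<\// { depth--; next }    # leaving a nested container
    invhost && low ~ /^</   { depth++; next }    # entering <Directory>, <Location>, ...
    invhost && depth == 0 && low ~ /^sslverifyclient[ \t]/ {
        split(low, f, /[ \t]+/)
        mode = f[2]
    }
    '
}

# Succeeds when at least one vhost rejects clients that present no certificate.
requires_client_cert() {
    vhost_verify_client | grep -q ' require$'
}

# Constructed sample input (addresses, names and paths are placeholders).
sample_conf() {
    cat <<'EOF'
<VirtualHost 192.0.2.10:443>
  ServerName overcloud.example.test
  <Directory "/srv/dashboard">
    Require all granted
  </Directory>
  SSLVerifyClient         require
</VirtualHost>
<VirtualHost 192.0.2.10:80>
  ServerName overcloud.example.test
</VirtualHost>
EOF
}

# On a controller: vhost_verify_client < /var/lib/config-data/horizon/etc/httpd/conf.d/15-horizon_ssl_vhost.conf
sample_conf | vhost_verify_client
```

Running the same check again after redeploying with the workaround shows whether the rendered vhost actually changed.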