Created attachment 1060968: install-undercloud log

Description of problem:

Version-Release number of selected component (if applicable):

How reproducible: always

Steps to Reproduce:
1. Create a self-signed CA
2. Add the CA to the trust store
3. Create a service certificate signed by the CA
4. Copy the cert PEM file to "/etc/pki/instack-certs"
5. Configure the parameter "undercloud_service_certificate" in undercloud.conf pointing to the cert PEM file
6. Run "openstack undercloud install"

Actual results:
The installation fails with the following error:
"ERROR: openstack SSL exception connecting to https://10.10.10.3:13000/v2.0/tokens: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"

Expected results:
Successful installation

Additional info:
The issue doesn't happen when using self-signed certificates.
During the installation, the file "/root/stackrc" is created with the OS_CACERT variable, which points to the service certificate provided in undercloud.conf. This makes the SSL libraries of the OpenStack clients validate the service certificate against itself, which ends in a validation failure (as the certificate is signed by a CA).

The contents of the stackrc file:

[stack@ospd ~]$ sudo cat /root/stackrc
export NOVA_VERSION=1.1
export OS_PASSWORD=$(sudo hiera admin_password)
export OS_AUTH_URL=https://10.10.10.3:13000/v2.0
export OS_CACERT=/etc/pki/instack-certs/undercloud_chain.pem
export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export COMPUTE_API_VERSION=1.1
export OS_NO_CACHE=True

As an example, sourcing that file and issuing a "keystone endpoint-list" ends in an SSL certificate validation error:

[stack@ospd ~]$ keystone endpoint-list
/usr/lib/python2.7/site-packages/keystoneclient/shell.py:65: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient.
  'python-keystoneclient.', DeprecationWarning)
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
Authorization Failed: SSL exception connecting to https://10.10.10.3:13000/v2.0/tokens: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

And, after removing the OS_CACERT variable, it works perfectly:

[stack@ospd ~]$ unset OS_CACERT
[stack@ospd ~]$ keystone endpoint-list
/usr/lib/python2.7/site-packages/keystoneclient/shell.py:65: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient.
  'python-keystoneclient.', DeprecationWarning)
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SecurityWarning
+----------------------------------+-----------+-------------------------------+-----------------------------+------------------------------+----------------------------------+
|                id                |   region  |           publicurl           |         internalurl         |           adminurl           |            service_id            |
+----------------------------------+-----------+-------------------------------+-----------------------------+------------------------------+----------------------------------+
| ff37770b0ca940bb8f43ff10cf7b23b6 | regionOne | https://10.10.10.3:13000/v2.0 | http://10.10.10.1:5000/v2.0 | http://10.10.10.1:35357/v2.0 | f3ad044115d84bc9b1d844284c65ce1d |
+----------------------------------+-----------+-------------------------------+-----------------------------+------------------------------+----------------------------------+
[stack@ospd ~]$
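The failure mode described in this report, reproduced offline as an added example (not part of the bug report or of the OSP tooling): a throw-away CA and a service certificate signed by it are created with the openssl CLI (assumed to be installed), and the service certificate is then verified against itself, which is what the generated stackrc effectively asked the clients to do via OS_CACERT, and against the CA, which is what OS_CACERT is meant to point at. The subject CN "10.10.10.3" is borrowed from the report; all key material is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: reproduce "certificate verify failed" when a CA-signed
# service certificate is verified against itself instead of its CA.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A throw-away self-signed CA (constructed, not a real trust anchor).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Test Undercloud CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. A service certificate for the undercloud address, signed by that CA
#    (the same shape as the cert the report copies to /etc/pki/instack-certs).
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=10.10.10.3" \
  -keyout "$WORK/svc.key" -out "$WORK/svc.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/svc.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/svc.pem" 2>/dev/null

# verify_with BUNDLE: succeeds only if svc.pem chains to a trust anchor in BUNDLE.
# This is the same path-validation step the OpenStack clients run with OS_CACERT.
verify_with() {
  openssl verify -CAfile "$1" "$WORK/svc.pem" >/dev/null 2>&1
}

# Case A: OS_CACERT points at the service certificate itself (the buggy stackrc).
# The leaf is not self-signed, so no issuer is found and verification fails.
if verify_with "$WORK/svc.pem"; then LEAF_RESULT=ok; else LEAF_RESULT=fail; fi

# Case B: OS_CACERT points at the CA that signed the service certificate.
if verify_with "$WORK/ca.pem"; then CA_RESULT=ok; else CA_RESULT=fail; fi

echo "OS_CACERT=<service cert>: $LEAF_RESULT"
echo "OS_CACERT=<CA cert>:      $CA_RESULT"
```

Case A is why the report notes that a self-signed service certificate does not trigger the problem: a self-signed leaf is its own trust anchor, so pointing OS_CACERT at it happens to validate.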
This bug did not make the OSP 8.0 release. It is being deferred to OSP 10.
Note that we're no longer using OS_CACERT in OSP 8+, so this is probably fixed. I don't have a good way to test it though.
I tested this on an OSP10 deployment and the undercloud installation completed ok. Here is the resulting stackrc file:

[stack@undercloud-0 ~]$ cat stackrc
export NOVA_VERSION=1.1
export OS_PASSWORD=$(sudo hiera admin_password)
export OS_AUTH_URL=https://192.168.0.2:13000/v2.0
export PYTHONWARNINGS="ignore:Certificate has no, ignore:A true SSLContext object is not available"
export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export COMPUTE_API_VERSION=1.1
export OS_BAREMETAL_API_VERSION=1.15
export OS_NO_CACHE=True
export OS_CLOUDNAME=undercloud
export OS_IMAGE_API_VERSION=1
Marius, thanks for checking it out. But yeah, as Marius confirmed, it seems to me that this issue has been addressed already then.
Closing this out as NEXTRELEASE since this has been confirmed to no longer be a problem in Newton/OSP10.
Nathan, why NEXTRELEASE if the fix merged upstream and will be included in OSP10? That's what Marius confirmed; he tested out the patch fixing this.