Description of problem: Error while installation Red Hat Enterprise Linux OpenStack Platform via following underlying document https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/7/html/Director_Installation_and_Usage/sect-Configuring_the_Director.html Version-Release number of selected component (if applicable): 7.0 How reproducible: Issue the following command by following above document openstack undercloud install Steps to Reproduce: 1. 2. 3. Actual results: ERROR: openstack Command 'instack-install-undercloud' returned non-zero exit status 1 Expected results: Should get success status . Additional info: Warning: Permanently added '192.0.2.1' (ECDSA) to the list of known hosts. The following cert files already exist, use --rebuild to remove the existing files before regenerating: /etc/keystone/ssl/certs/ca.pem already exists /etc/keystone/ssl/private/signing_key.pem already exists /etc/keystone/ssl/certs/signing_cert.pem already exists Connection to 192.0.2.1 closed. PKI initialization in init-keystone is deprecated and will be removed. + openstack role show ResellerAdmin WARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL. WARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL. WARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL. ERROR: openstack Could not determine a suitable URL for the plugin + openstack role create ResellerAdmin WARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL. WARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL. ERROR: openstack Could not determine a suitable URL for the plugin [2015-08-21 22:33:20,266] (os-refresh-config) [ERROR] during post-configure phase. [Command '['dib-run-parts', '/usr/libexec/os-refresh-config/post-configure.d']' returned non-zero exit status 1] [2015-08-21 22:33:20,266] (os-refresh-config) [ERROR] Aborting... Traceback (most recent call last): File "<string>", line 1, in <module> File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 526, in install _run_orc(instack_env) File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 461, in _run_orc _run_live_command(args, instack_env, 'os-refresh-config') File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 297, in _run_live_command raise RuntimeError('%s failed. See log for details.', name) RuntimeError: ('%s failed. See log for details.', 'os-refresh-config') ERROR: openstack Command 'instack-install-undercloud' returned non-zero exit status 1
I hit this issue and the workaround for now is to comment in undercloud.conf this: # undercloud_service_certificate = /etc/pki/instack-certs/undercloud.pem The official documentation suggests you can set up SSL: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/7/html/Director_Installation_and_Usage/sect-Configuring_the_Director.html But if you set it as described you hit this issue. I tried disabling SElinux but the issue remained so I worked it around by commenting undercloud_service_certificate
This seems like it's filed against the wrong component, as this isn't realyl a Keystone issue. Moving to instack-undercloud.
It seems like auth_token middleware isn't configured with a CA certificate that allows it to query the root keystone URL to determine versions. I'll have to look into making that error more explicit however it seems like a bad configuration.
I believe this should be fixed with SSL work for undercloud/overcloud in next release.
Okay, I think there's some confusion here. The initial bug report is not an SSL error. The messages about ssl certificates are normal and not a problem. The actual issue is that the "openstack role show ResellerAdmin" command is failing, and as far as I can tell there's no SSL involved there (in 7.0 you would be seeing the SSL certificate warnings when it connected to keystone, and since those are not present I don't believe it ever got to that point). If ssl was enabled, then it sounds like stackrc was not generated correctly. This _may_ happen if the undercloud is installed without ssl and then reinstalled with ssl. To my knowledge that will not work in 7.0 anyway for a number of reasons, so I doubt we can fix it at this point. In any case, to say for sure that's what is going on I would need to see undercloud.conf and /root/stackrc from the system. ~/.instack/install-undercloud.log would probably be good too. Note that in 8 we won't be using stackrc to inject self-signed CA certs. We're going to just install them to the undercloud pki infrastructure so there are no special client configuration steps needed.
I tested this on OSP-d 7.3. I generated the certificate according to the docs[1] and set the undercloud_service_certificate = /etc/pki/instack-certs/undercloud.pem in undercloud.conf openstack undercloud install finished successfuly. [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/7/html/Director_Installation_and_Usage/appe-SSL_Certificate_Configuration.html
You may hit this error but as Ben wrote on https://bugzilla.redhat.com/show_bug.cgi?id=1255909#c8 this does not involve SSL. Looking at https://bugzilla.redhat.com/show_bug.cgi?id=1301185 you may find out that it is sufficient to restart haproxy as a workaround.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-0604.html