Description of problem:
Ceilometer public API SSL port is not allowed in the undercloud firewall.

Version-Release number of selected component (if applicable):
instack-undercloud-2.1.2-37.el7ost.noarch

How reproducible:
100%

Service: metering
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| adminURL    | http://192.0.2.1:8777/           |
| id          | 2c30baa37bc84927b1933b2cde907769 |
| internalURL | http://192.0.2.1:8777/           |
| publicURL   | https://192.0.2.2:13777/         |
| region      | regionOne                        |
+-------------+----------------------------------+

stack@instack:~>>> sudo iptables -nL INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
discovery  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
nova-api-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
neutron-openvswi-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8777
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8779
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8080,13808
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8000,8003,8004,13800,13003,13004
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5672
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 6385,13385
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9191
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9292,13292
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5900:5999
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 6080,13080
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9696,13696
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5000,35357,13000,13357
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8773,8774,8775,13773,13774,13775
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:69
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8088
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8585
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5050
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

To add it:
# sudo iptables -I INPUT -p tcp -m tcp --dport 13777 -j ACCEPT
instack-undercloud-2.1.2-39.el7ost.noarch

[stack@instack ~]$ sudo iptables -nL INPUT | grep 13777
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8777,13777
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0264.html
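
Added example, not part of the original report or of instack-undercloud: a small Python check that automates the comparison done by hand above, matching each endpoint URL's port against the TCP ACCEPT rules in an `iptables -nL INPUT` listing. The sample listings are constructed and trimmed from the output in this report; the function names are hypothetical, and jumps to other chains are not followed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input, trimmed from the listing in this report.
ENDPOINTS = {
    "adminURL": "http://192.0.2.1:8777/",
    "internalURL": "http://192.0.2.1:8777/",
    "publicURL": "https://192.0.2.2:13777/",
}
RULES_BEFORE = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8777
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 5900:5999
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
"""
# Same listing with the rule as it appears after the fixed package.
RULES_AFTER = RULES_BEFORE.replace("tcp dpt:8777", "multiport dports 8777,13777")

PORT_MATCH = re.compile(r"\b(?:dpts?:|dports )([\d:,]+)")

def accepted_tcp_ranges(listing):
    """Port ranges opened by tcp ACCEPT rules ahead of the catch-all REJECT/DROP."""
    ranges = []
    for line in listing.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5 or fields[0] not in ("ACCEPT", "REJECT", "DROP"):
            continue  # headers and jumps to other chains (not followed here)
        target, proto = fields[0], fields[1]
        if target != "ACCEPT":
            if proto == "all":
                break  # rules after a catch-all REJECT/DROP are never reached
            continue
        # A bare "ACCEPT all" is skipped: -nL without -v hides interface
        # matches, so it may be loopback-only. State-only rules are skipped too.
        m = PORT_MATCH.search(fields[5] if len(fields) > 5 else "")
        if proto != "tcp" or not m:
            continue
        for part in m.group(1).split(","):
            lo, _, hi = part.partition(":")
            ranges.append((int(lo), int(hi or lo)))
    return ranges

def blocked_endpoints(endpoints, listing):
    """Map endpoint name -> port for endpoints no ACCEPT rule covers."""
    ranges = accepted_tcp_ranges(listing)
    ports = {n: urlsplit(u).port or (443 if u.startswith("https") else 80)
             for n, u in endpoints.items()}
    return {n: p for n, p in ports.items()
            if not any(lo <= p <= hi for lo, hi in ranges)}

if __name__ == "__main__":
    print("before fix:", blocked_endpoints(ENDPOINTS, RULES_BEFORE))
    print("after fix: ", blocked_endpoints(ENDPOINTS, RULES_AFTER))
```

Running `iptables -nvL INPUT` instead shows the interface columns, which is the way to confirm whether a bare `ACCEPT all` rule is scoped to loopback.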