Hide Forgot
Created attachment 1137018 [details] undercloud install stdout Description of problem: openstack undercloud install fails. Version-Release number of selected component (if applicable): python-rdomanager-oscplugin-0.0.10-28.el7ost.noarch How reproducible: every Steps to Reproduce: 1. openstack undercloud install 2. 3. Actual results: The following cert files already exist, use --rebuild to remove the existing files before regenerating: /etc/keystone/ssl/certs/ca.pem already exists /etc/keystone/ssl/private/signing_key.pem already exists /etc/keystone/ssl/certs/signing_cert.pem already exists Connection to 10.3.3.1 closed. PKI initialization in init-keystone is deprecated and will be removed. + openstack role show ResellerAdmin WARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL. ERROR: openstack Unable to establish connection to https://10.3.3.2:13000/v2.0/tokens + openstack role create ResellerAdmin WARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL. ERROR: openstack Unable to establish connection to https://10.3.3.2:13000/v2.0/tokens [2016-03-15 12:51:20,711] (os-refresh-config) [ERROR] during post-configure phase. [Command '['dib-run-parts', '/usr/libexec/os-refresh-config/post-configure.d']' returned non-zero exit status 1] [2016-03-15 12:51:20,712] (os-refresh-config) [ERROR] Aborting... Traceback (most recent call last): File "<string>", line 1, in <module> File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 526, in install _run_orc(instack_env) File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 461, in _run_orc _run_live_command(args, instack_env, 'os-refresh-config') File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 297, in _run_live_command raise RuntimeError('%s failed. See log for details.', name) RuntimeError: ('%s failed. See log for details.', 'os-refresh-config') ERROR: openstack Command 'instack-install-undercloud' returned non-zero exit status 1 Expected results: success! Additional info:
I note a similarity between this case and: BZ 1242660, "[Docs] [Director] Undercloud deployment with SSL fails over SELinux enforcing ( ssl cert needs to be readable by haproxy.) <https://bugzilla.redhat.com/show_bug.cgi?id=1242660>
This is a documentation bug in section Appendix B of the Director Install & Config guide. In that section it states the following under the "For the Undercloud" section: $ openssl genrsa -out privkey.pem 2048 $ openssl req -new -x509 -key privkey.pem -out cacert.pem -days 365 -config ~/openssl.cnf and $ cat cacert.pem privkey.pem > undercloud.pem This is misleading. Anyone familiar with CA root certificates will think that they are supposed to cat the CA root cert with the server private key, which makes no sense. Please change this to the following: $ openssl genrsa -out server-key.pem 2048 $ openssl req -new -x509 -key server-key.pem -out server-cert.pem -days 3650 -config ~/openssl.cnf and $ cat server-cert.pem server-key.pem > undercloud.pem (NB: I changed the number of days to 3650, 10 years.)
Hi Dan, The fix should be implemented: https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/director-installation-and-usage/appendix-a-ssl-tls-certificate-configuration Any further changes required for this section?
+1 lgtm