Description of problem:
Redeploying the overcloud with a new SSL certificate/key fails.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-0.8.12-2.el7ost.noarch

How reproducible:

Steps to Reproduce:
1. Generate an initial set of self-signed certificate/key and use them for deployment.
2. Generate a new set of certificate/key, update the enable-tls.yaml and inject-trust-anchor.yaml files and rerun the overcloud deploy.

Actual results:
Update fails with the following error:

Mar 28 14:09:36 overcloud-controller-0.localdomain os-collect-config[3878]: Error: /Stage[main]/Keystone::Roles::Admin/Keystone_user[admin]: Could not evaluate: Execution of '/usr/bin/openstack token issue --format value' returned 1: SSL exception connecting to https://172.16.23.10:13000/v3/auth/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)

Expected results:
Update succeeds.

Additional info:
The failed command is run before the haproxy configuration including the new certificate is loaded. The certificate validation fails because haproxy still serves the old certificate while the trusted store has already been updated with the new certificate.
Please note that updating a not expired certificate works when using a root CA certificate in the inject-trust-anchor.yaml, but I suspect it doesn't work when updating an expired certificate.
Marius, from what I see it indeed won't work when updating. And this is because of a limitation with the tripleo loadbalancer module. Seems that this issue occurs because haproxy is not restarted when there's an update of the certificate; or actually, it's just not restarted at all by the module. So it will still be serving the old certificate.
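As an added diagnostic that is not part of this bug report or of the tripleo modules: a preflight check a deployer could run before the token-issue step. It fetches the certificate haproxy is actually presenting on the public endpoint, compares its SHA-256 fingerprint with the newly installed certificate, and reports the "haproxy not reloaded, still serving the old certificate" condition described above. The host/port, file paths and the PEM bodies are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
import ssl

# Constructed sample PEM blocks: the base64 bodies are placeholders, not real
# X.509 data. The fingerprint logic only needs the decoded DER bytes.
OLD_CERT_PEM = """-----BEGIN CERTIFICATE-----
b2xkLWNlcnQtcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
"""
NEW_CERT_PEM = """-----BEGIN CERTIFICATE-----
bmV3LWNlcnQtcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
"""

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint (hex) of the first certificate in a PEM string."""
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def served_certificate(host: str, port: int) -> str:
    """Fetch the leaf certificate the endpoint presents, without verifying it.
    Verification is skipped on purpose: we want to see what haproxy serves,
    not decide whether to trust it."""
    return ssl.get_server_certificate((host, port))


def diagnose(served_pem: str, new_pem: str, old_pem: str) -> str:
    """Classify what the endpoint is serving relative to the rotation."""
    served = pem_fingerprint(served_pem)
    if served == pem_fingerprint(new_pem):
        return "ok"              # haproxy reloaded the new certificate
    if served == pem_fingerprint(old_pem):
        return "stale-haproxy"   # trust store updated, haproxy never restarted
    return "unexpected"          # neither cert: investigate before continuing


def preflight(host: str, port: int, new_path: str, old_path: str) -> str:
    """Run the live check; assumed endpoint 172.16.23.10:13000 as in the log."""
    with open(new_path) as f_new, open(old_path) as f_old:
        return diagnose(served_certificate(host, port), f_new.read(), f_old.read())
```

A result of "stale-haproxy" means the openstack client will fail exactly as in the log above until haproxy is reloaded with the new certificate.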
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0637.html