Bug 1321588 - Unable to renew overcloud SSL certificate
Summary: Unable to renew overcloud SSL certificate
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhosp-director
Version: 8.0 (Liberty)
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ga
Target Release: 8.0 (Liberty)
Assignee: Ben Nemec
QA Contact: Marius Cornea
URL:
Whiteboard:
Depends On:
Blocks: 1324138
Reported: 2016-03-28 14:15 UTC by Marius Cornea
Modified: 2016-04-15 14:31 UTC (History)

Fixed In Version: openstack-tripleo-heat-templates-0.8.14-6.el7ost
Doc Type: Bug Fix
Doc Text:
Cause: HAProxy configuration was not reloaded after replacing the installed certificate, which meant the old certificate would continue to be used incorrectly.
Consequence: If the certificate had expired, subsequent OpenStack calls would fail even though the new certificate had been installed.
Fix: HAProxy configuration is now reloaded after certificates are installed.
Result: Update of expired certificates works as expected.
Clone Of:
Clones: 1324138
Environment:
Last Closed: 2016-04-15 14:31:33 UTC
Target Upstream Version:
Embargoed:


Links
System ID | Private | Priority | Status | Summary | Last Updated
OpenStack gerrit 300224 | 0 | None | MERGED | Restart haproxy after configuring SSL certs | 2020-12-01 06:50:32 UTC
OpenStack gerrit 300902 | 0 | None | MERGED | Restart haproxy after configuring SSL certs | 2020-12-01 06:50:34 UTC
Red Hat Product Errata RHBA-2016:0637 | 0 | normal | SHIPPED_LIVE | Red Hat OpenStack Platform 8 director release candidate Bug Fix Advisory | 2016-04-15 18:28:05 UTC

Description Marius Cornea 2016-03-28 14:15:15 UTC
Description of problem:
Redeploying the overcloud with a new SSL certificate/key fails.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-0.8.12-2.el7ost.noarch

How reproducible:


Steps to Reproduce:
1. Generate an initial set of self-signed certificate/key and use them for deployment.

2. Generate a new set of certificate/key, update the enable-tls.yaml and inject-trust-anchor.yaml files and rerun the overcloud deploy.

Actual results:
Update fails with the following error:

Mar 28 14:09:36 overcloud-controller-0.localdomain os-collect-config[3878]: Error: /Stage[main]/Keystone::Roles::Admin/Keystone_user[admin]: Could not evaluate: Execution of '/usr/bin/openstack token issue --format value' returned 1: SSL exception connecting to https://172.16.23.10:13000/v3/auth/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)

Expected results:
Update succeeds.

Additional info:
The failed command is run before the haproxy configuration including the new certificate is loaded. The certificate validation fails because haproxy loads the old certificate while the trusted store has already been updated with the new certificate.
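A pre-deployment check for the mismatch described above, added here as an example and not part of this bug report or of TripleO: it compares the fingerprint of the SSLCertificate in enable-tls.yaml with the certificate the endpoint actually presents, so a stale haproxy can be spotted before the redeploy runs the failing token call. It assumes the TripleO environment-file layout (`parameter_defaults` -> `SSLCertificate` holding the PEM) and the keystone port 13000 from the error; the sample inputs are constructed placeholders, not real certificates.

```python
import hashlib
import re
import socket
import ssl

# One PEM certificate block; tolerates the indentation of a YAML block scalar.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed placeholders (base64 of "abc" / "abcd"), not real certificates.
NEW_CERT_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
OLD_CERT_PEM = "-----BEGIN CERTIFICATE-----\nYWJjZA==\n-----END CERTIFICATE-----\n"
SAMPLE_ENABLE_TLS = """parameter_defaults:
  SSLCertificate: |
    -----BEGIN CERTIFICATE-----
    YWJj
    -----END CERTIFICATE-----
"""


def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 fingerprint (hex) of the first certificate in pem_text."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    # Base64 decoding ignores the whitespace left by the YAML indentation.
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return hashlib.sha256(der).hexdigest()


def installed_fingerprint(enable_tls_yaml: str) -> str:
    """Fingerprint of the SSLCertificate value in enable-tls.yaml (assumed layout)."""
    _, _, after_key = enable_tls_yaml.partition("SSLCertificate:")
    if not after_key:
        raise ValueError("SSLCertificate not found in environment file")
    return pem_fingerprint(after_key)


def served_fingerprint(host: str, port: int = 13000) -> str:
    """Fingerprint of the certificate haproxy presents on host:port right now.
    Verification is disabled on purpose: an expired certificate must still be read."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def certificate_is_stale(installed_fp: str, served_fp: str) -> bool:
    """True when the endpoint still presents a different certificate, i.e. haproxy
    has not reloaded its configuration since the certificate was replaced."""
    return installed_fp != served_fp
```

On a live deployment, pass the public VIP (172.16.23.10 in the report) to `served_fingerprint` and compare with `installed_fingerprint(open("enable-tls.yaml").read())`; a stale result means haproxy must be reloaded before the new trust anchor is relied on.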

Comment 1 Marius Cornea 2016-03-28 15:25:23 UTC
Please note that updating a non-expired certificate works when using a root CA certificate in the inject-trust-anchor.yaml, but I suspect it doesn't work when updating an expired certificate.

Comment 2 Juan Antonio Osorio 2016-03-29 14:54:43 UTC
Marius, from what I see it indeed won't work when updating. And this is because of a limitation with the tripleo loadbalancer module. Seems that this issue occurs because haproxy is not restarted when there's an update of the certificate; or actually, it's just not restarted at all by the module. So it will still be serving the old certificate.

Comment 6 errata-xmlrpc 2016-04-15 14:31:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0637.html
