Bug 1324138 - [backport] Unable to renew overcloud SSL certificate
Summary: [backport] Unable to renew overcloud SSL certificate
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhosp-director
Version: 8.0 (Liberty)
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: async
Target Release: 7.0 (Kilo)
Assignee: Angus Thomas
QA Contact: Marius Cornea
URL:
Whiteboard:
Depends On: 1321588
Blocks:
Reported: 2016-04-05 15:27 UTC by Jaromir Coufal
Modified: 2019-02-17 12:23 UTC (History)

Fixed In Version: openstack-tripleo-heat-templates-0.8.6-125.el7ost
Doc Type: Bug Fix
Doc Text:
Clone Of: 1321588
Environment:
Last Closed: 2016-07-06 15:06:04 UTC
Target Upstream Version:
Embargoed:

Links
System | ID | Private | Priority | Status | Summary | Last Updated
OpenStack gerrit | 300224 | 0 | None | None | None | 2016-04-05 15:27:47 UTC
OpenStack gerrit | 300902 | 0 | None | None | None | 2016-04-05 15:27:47 UTC
Red Hat Product Errata | RHBA-2016:1387 | 0 | normal | SHIPPED_LIVE | Red Hat Enterprise Linux OSP 7 director Bug Fix Advisory | 2016-07-06 19:04:38 UTC

Description Jaromir Coufal 2016-04-05 15:27:47 UTC
+++ This bug was initially created as a clone of Bug #1321588 +++

Description of problem:
Redeploying the overcloud with a new SSL certificate/key fails.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-0.8.12-2.el7ost.noarch

How reproducible:


Steps to Reproduce:
1. Generate an initial set of self-signed certificate/key and use them for deployment.

2. Generate a new set of certificate/key, update the enable-tls.yaml and inject-trust-anchor.yaml files and rerun the overcloud deploy.

Actual results:
Update fails with the following error:

Mar 28 14:09:36 overcloud-controller-0.localdomain os-collect-config[3878]: Error: /Stage[main]/Keystone::Roles::Admin/Keystone_user[admin]: Could not evaluate: Execution of '/usr/bin/openstack token issue --format value' returned 1: SSL exception connecting to https://172.16.23.10:13000/v3/auth/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)

Expected results:
Update succeeds.

Additional info:
The failed command is run before the haproxy configuration including the new certificate is loaded. The certificate validation fails because haproxy still serves the old certificate while the trusted store has already been updated with the new certificate.

--- Additional comment from Marius Cornea on 2016-03-28 11:25:23 EDT ---

Please note that updating a non-expired certificate works when using a root CA certificate in the inject-trust-anchor.yaml, but I suspect it doesn't work when updating an expired certificate.

--- Additional comment from Juan Antonio Osorio on 2016-03-29 10:54:43 EDT ---

Marius, from what I see it indeed won't work when updating. And this is because of a limitation with the tripleo loadbalancer module. Seems that this issue occurs because haproxy is not restarted when there's an update of the certificate; or actually, it's just not restarted at all by the module. So it will still be serving the old certificate.
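The ordering problem described above (puppet validating TLS against the trust store while haproxy still presents the old certificate) can be detected before the failing command runs, by comparing the fingerprint of the certificate the endpoint actually serves with the one in the trust anchor and polling until they agree. This is an added example, not code from this bug or from tripleo-heat-templates; the PEM bodies, the simulated reloading endpoint and the port default are constructed for the demonstration.

```python
import base64
import hashlib
import ssl
import time
from typing import Callable

# SHA-256 fingerprint (hex) of the DER body of a PEM certificate.
def pem_fingerprint(pem: str) -> str:
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return hashlib.sha256(der).hexdigest()

# What the endpoint actually presents, fetched WITHOUT verification: a stale
# certificate must not raise here, since that is exactly what we want to observe.
def fetch_served_pem(host: str, port: int = 13000) -> str:
    return ssl.get_server_certificate((host, port))

# Poll `fetch` until the served certificate matches the trust anchor we installed.
# Returns the attempt count on success; raises if haproxy never picked it up.
def wait_for_expected_cert(fetch: Callable[[], str], expected_pem: str,
                           attempts: int = 10, delay: float = 0.0) -> int:
    want = pem_fingerprint(expected_pem)
    for attempt in range(1, attempts + 1):
        if pem_fingerprint(fetch()) == want:
            return attempt
        time.sleep(delay)
    raise TimeoutError("endpoint still serves a certificate that does not "
                       "match the trust anchor; haproxy was not reloaded")

# --- constructed demo data: PEM wrappers around arbitrary bytes, not real certs ---
def _fake_pem(body: bytes) -> str:
    b64 = base64.encodebytes(body).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

OLD_CERT = _fake_pem(b"constructed old certificate body")   # what haproxy still serves
NEW_CERT = _fake_pem(b"constructed new certificate body")   # what the trust store holds

# Simulated haproxy: serves OLD_CERT for the first `reload_after` fetches, then NEW_CERT.
def make_reloading_endpoint(reload_after: int) -> Callable[[], str]:
    calls = {"n": 0}
    def fetch() -> str:
        calls["n"] += 1
        return OLD_CERT if calls["n"] <= reload_after else NEW_CERT
    return fetch

if __name__ == "__main__":
    # Real use: wait_for_expected_cert(lambda: fetch_served_pem("172.16.23.10"), open(path).read())
    tries = wait_for_expected_cert(make_reloading_endpoint(2), NEW_CERT)
    print(f"new certificate served after {tries} attempts")
```

Run against the real endpoint, the poll loop gives up with a TimeoutError when haproxy was never reloaded, which is the condition this bug describes.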

Comment 3 Marius Cornea 2016-06-28 15:13:23 UTC
Verified on latest build: openstack-tripleo-heat-templates-0.8.6-127.el7ost.noarch

Comment 5 errata-xmlrpc 2016-07-06 15:06:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1387
