Bug 1380928 - Renewing overcloud SSL certificate fails
Summary: Renewing overcloud SSL certificate fails
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Target Release: 10.0 (Newton)
Assignee: Jiri Stransky
QA Contact: Arik Chernetsky
Depends On:
Reported: 2016-10-01 16:32 UTC by Marius Cornea
Modified: 2016-12-14 16:07 UTC (History)
CC List: 8 users

Fixed In Version: openstack-tripleo-heat-templates-5.0.0-0.20161008015357.0d3e3e3.1.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2016-12-14 16:07:01 UTC
Target Upstream Version:


System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:2948 normal SHIPPED_LIVE Red Hat OpenStack Platform 10 enhancement update 2016-12-14 19:55:27 UTC
OpenStack gerrit 381374 None None None 2016-10-11 18:33:54 UTC
Launchpad 1629886 None None None 2016-10-03 16:16:01 UTC

Description Marius Cornea 2016-10-01 16:32:51 UTC
Description of problem:
Renewing overcloud SSL certificate fails

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Deploy SSL enabled overcloud
2. Regenerate SSL certificate/key and update the undercloud system store
3. Deploy overcloud with updated certificate and key

Actual results:
Deployment finishes, but certificate validation fails when calling the Keystone API:

SSL exception connecting to [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

Expected results:
The Keystone API call succeeds, as the undercloud certificate store has been updated with the new certificate.

Additional info:
After doing pcs resource restart haproxy on one of the controllers, the connection is successful, so it seems we're missing a haproxy reload step when the certificate is updated.

Comment 1 Juan Antonio Osorio 2016-10-03 17:08:23 UTC
I talked to Marius about this. Seems to be a regression since we used to restart the pacemaker services every time, and we no longer have this behavior, which is what we relied on for fetching the new certificate. I'm working on a fix.
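The check a practitioner would want after step 2 of the reproduction above, and before trusting the redeploy in step 3, is to compare the certificate HAProxy actually presents on the overcloud endpoint with the renewed certificate on disk; as Comment 1 explains, HAProxy only picked up the new file when the Pacemaker services were restarted, so a fingerprint mismatch at the endpoint is the exact condition behind the CERTIFICATE_VERIFY_FAILED error. The script below is an added example and is not code from the bug report or from tripleo-heat-templates; it assumes the public Keystone endpoint listens on host:13000, that the renewed certificate is available as a PEM file, and it quotes the report's own remediation command (pcs resource restart haproxy) when the served certificate is stale. The fake_pem helper builds constructed placeholder "certificates" (PEM framing around arbitrary bytes, not real X.509) so the comparison logic can run offline.

```python
#!/usr/bin/env python3
"""Added example, not part of the bug report or of tripleo-heat-templates.

Compare the certificate served by the overcloud public endpoint (HAProxy in
front of Keystone) with the renewed certificate on disk. A mismatch means the
undercloud trust store was updated but HAProxy never reloaded, which is the
symptom reported in this bug.

Assumptions (not stated on the page): the endpoint is host:13000 and the
renewed certificate is a PEM file. The remediation string is the command
quoted in the report.
"""
import base64
import hashlib
import re
import socket
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)
REMEDIATION = "pcs resource restart haproxy"  # command quoted in the bug report


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(pem: str) -> str:
    """SHA-256 of the DER encoding, lowercase hex: the same digest that
    `openssl x509 -noout -fingerprint -sha256` prints, without the colons."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def fetch_served_cert(host: str, port: int = 13000, timeout: float = 5.0) -> str:
    """Fetch the leaf certificate the endpoint presents, as PEM.

    Verification is deliberately off here: we want to see the served
    certificate even when it no longer chains to the trust store, because
    that is exactly the failure case being diagnosed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


def verifies_against(host: str, port: int, cafile: str, timeout: float = 5.0) -> bool:
    """Reproduce the client's view: does a verified handshake succeed with
    this CA file? False corresponds to CERTIFICATE_VERIFY_FAILED."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


def check_endpoint(expected_pem: str, served_pem: str) -> dict:
    """Compare the renewed on-disk certificate with the one actually served.
    On mismatch the result carries the remediation the reporter used."""
    want, got = fingerprint(expected_pem), fingerprint(served_pem)
    return {
        "match": want == got,
        "expected": want,
        "served": got,
        "action": None if want == got else REMEDIATION,
    }


def fake_pem(payload: bytes) -> str:
    """Constructed stand-in for a certificate: PEM framing around arbitrary
    bytes. Sufficient for fingerprint comparison; NOT a real X.509 cert."""
    body = base64.encodebytes(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


def main(argv) -> int:
    """usage: check_cert.py HOST PORT RENEWED.pem ; with no args, run an
    offline demo in which HAProxy is still serving the old certificate."""
    if len(argv) == 3:
        host, port, pem_path = argv[0], int(argv[1]), argv[2]
        with open(pem_path) as fh:
            expected = fh.read()
        result = check_endpoint(expected, fetch_served_cert(host, port))
    else:
        # Constructed placeholders: renewed file on disk, old cert still served.
        result = check_endpoint(fake_pem(b"renewed-cert"), fake_pem(b"old-cert"))
    print(result)
    return 0 if result["match"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it against the overcloud VIP with the renewed PEM after updating the undercloud store; a non-zero exit with "action" set means HAProxy is still presenting the old certificate and the deploy step alone did not reload it. verifies_against with the undercloud CA bundle gives the same answer from the client's side, which is the check that the Keystone call in the report was implicitly performing.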

Comment 3 Juan Antonio Osorio 2016-10-11 07:04:59 UTC
The fix for this merged upstream even for Newton.

Comment 9 errata-xmlrpc 2016-12-14 16:07:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

