Description of problem:
Renewing overcloud SSL certificate fails

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-5.0.0-0.20160929150845.4cdc4fc.el7ost.noarch

How reproducible:
100%

Steps to Reproduce:
1. Deploy SSL enabled overcloud
2. Regenerate SSL certificate/key and update the undercloud system store
3. Deploy overcloud with updated certificate and key

Actual results:
Deployment finishes but certificate validation fails when calling keystone api:

SSL exception connecting to https://172.16.18.25:13000/v2.0/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

Expected results:
The keystone api succeeds as the undercloud certificate store has been updated with the new certificate.

Additional info:
After doing pcs resource restart haproxy on one of the controllers the connection is successful so it seems we're missing a haproxy reload step when the certificate is updated.
I talked to Marius about this. Seems to be a regression since we used to restart the pacemaker services every time, and we no longer have this behavior, which is what we relied on for fetching the new certificate. I'm working on a fix.
The fix for this merged upstream even for newton.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-2948.html
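
A check for the symptom reported in this bug, as an added example (not code from the bug report or from TripleO): it compares the certificate the HAProxy endpoint is presenting with the certificate in the PEM file on disk, so a proxy that was not reloaded after a renewal shows up as stale. The function names, the PEM path argument and the assumption that the first certificate in the file is the leaf are all hypothetical; the sample PEM text is constructed.

```python
import hashlib
import socket
import ssl
import sys

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def pem_fingerprints(pem_text):
    """SHA-256 fingerprints of each certificate in a PEM bundle (keys are skipped)."""
    prints, rest = [], pem_text
    while BEGIN in rest:
        start = rest.index(BEGIN)
        stop = rest.index(END, start) + len(END)
        der = ssl.PEM_cert_to_DER_cert(rest[start:stop])
        prints.append(hashlib.sha256(der).hexdigest())
        rest = rest[stop:]
    return prints

def served_fingerprint(host, port, timeout=5.0):
    """SHA-256 fingerprint of the leaf certificate the endpoint presents right now."""
    ctx = ssl.create_default_context()
    # Validation is off only so the certificate can be read even when it would
    # fail verification; nothing is sent over this connection.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def is_stale(served_fp, pem_text):
    """True when the served leaf is not the first certificate in the file on disk."""
    on_disk = pem_fingerprints(pem_text)
    if not on_disk:
        raise ValueError("no certificate found in PEM text")
    return served_fp != on_disk[0]

# Constructed sample data: placeholder bytes wrapped as PEM, not real certificates.
OLD_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-old-cert")
NEW_BUNDLE = (ssl.DER_cert_to_PEM_cert(b"constructed-new-cert")
              + "-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n")

if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: HOST PORT PEM_PATH (the path is an assumption)
        host, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
        with open(path) as fh:
            stale = is_stale(served_fingerprint(host, port), fh.read())
        print("STALE: proxy serves an old certificate" if stale else "OK: matches disk")
        sys.exit(1 if stale else 0)
    print(is_stale(pem_fingerprints(OLD_PEM)[0], NEW_BUNDLE))  # offline demo
```

Run on a controller after the deployment finishes; a non-zero exit status means the proxy has not picked up the renewed certificate.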