An easy way to verify neutron is to run the following command:

    openssl s_client -connect <neutron internal API FQDN>:<neutron internal port>

If this succeeds, neutron is running over HTTPS. Also, neutron does not run over httpd, so I had to put a TLS proxy in front of it. We don't want to run TLS with eventlet (or in Python, for that matter). So what you will notice is that the actual neutron server is listening on localhost and that there will be an httpd vhost listening in front of it. This is why you don't see TLS-related options in the configuration or anything in the logs. The neutron server isn't necessarily aware that it's behind a TLS proxy.
VERIFIED

openstack-tripleo-common-7.6.3-0.20171028055750.el7ost.noarch
openstack-tripleo-heat-templates-7.0.3-0.20171024200823.el7ost.noarch
puppet-tripleo-7.4.3-0.20171025110206.el7ost.noarch

https://github.com/openstack/tripleo-heat-templates/blob/master/environments/tls-everywhere-endpoints-dns.yaml#L56

    [heat-admin@overcloud-controller-0 ~]$ openssl s_client -connect overcloud-controller-0.internalapi.redhat.local:9696
    CONNECTED(00000003)
    depth=1 O = REDHAT.LOCAL, CN = Certificate Authority
    verify return:1
    depth=0 O = REDHAT.LOCAL, CN = overcloud-controller-0.internalapi.redhat.local
    verify return:1
    ---
    Certificate chain
     0 s:/O=REDHAT.LOCAL/CN=overcloud-controller-0.internalapi.redhat.local
       i:/O=REDHAT.LOCAL/CN=Certificate Authority
     1 s:/O=REDHAT.LOCAL/CN=Certificate Authority
       i:/O=REDHAT.LOCAL/CN=Certificate Authority
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    [PEM body omitted]
    -----END CERTIFICATE-----
    subject=/O=REDHAT.LOCAL/CN=overcloud-controller-0.internalapi.redhat.local
    issuer=/O=REDHAT.LOCAL/CN=Certificate Authority
    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 2929 bytes and written 415 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: 5196D614D8E57D53CB2DBC50F6DE26C97D7F0486465011611E10157393342A0C
        Session-ID-ctx:
        Master-Key: 3787D2B88D2C3B8160C5AE154E4F3E6C02703DDA66CF17E80AA4A118C5D06F71C7F941B69905D70241A85F41A0D15285
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:
        [hex dump omitted]

        Start Time: 1510141274
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
Deployment:
http://tripleo.org/install/advanced_deployment/ssl.html#tls-everywhere-for-the-overcloud
http://etherpad.corp.redhat.com/osp12-internal-SSL-using-freeIPA
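A bare `openssl s_client` connection, as used in the two comments above, only proves that something speaks TLS on the neutron port; the transcript also has to show a verified chain, the expected internal API name and a modern protocol before the endpoint should be signed off. The following checker is an added example, not part of this bug report or of TripleO; it parses an s_client transcript (a constructed, abridged copy of the one pasted above) and reports each of those conditions separately. The FQDN and CA name it expects are the values from the verification comment.

```python
import re

# Constructed sample: an abridged openssl s_client transcript in the shape of the one
# pasted in the verification comment (PEM body and session ticket dump left out).
SAMPLE_OUTPUT = """CONNECTED(00000003)
depth=1 O = REDHAT.LOCAL, CN = Certificate Authority
verify return:1
depth=0 O = REDHAT.LOCAL, CN = overcloud-controller-0.internalapi.redhat.local
verify return:1
---
Certificate chain
 0 s:/O=REDHAT.LOCAL/CN=overcloud-controller-0.internalapi.redhat.local
   i:/O=REDHAT.LOCAL/CN=Certificate Authority
---
subject=/O=REDHAT.LOCAL/CN=overcloud-controller-0.internalapi.redhat.local
issuer=/O=REDHAT.LOCAL/CN=Certificate Authority
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
"""


def check_s_client(output, expected_fqdn, expected_issuer_cn):
    """Return a dict of named checks (True = pass) for one s_client transcript."""
    def field(pattern):
        m = re.search(pattern, output, re.MULTILINE)
        return m.group(1).strip() if m else None

    subject_cn = field(r"^subject=.*?/CN=([^/\n]+)")
    issuer_cn = field(r"^issuer=.*?/CN=([^/\n]+)")
    protocol = field(r"^\s*Protocol\s*:\s*(\S+)")
    # "Verify return code: 0" only appears when the CA (here the IPA CA) is trusted
    # by the client, e.g. via the system trust store or -CAfile; anything else means
    # the chain was NOT validated even though the handshake completed.
    verify_code = field(r"Verify return code:\s*(\d+)")

    return {
        "connected": output.startswith("CONNECTED("),
        "chain_verified": verify_code == "0",
        "subject_matches_fqdn": subject_cn == expected_fqdn,
        "issuer_is_expected_ca": issuer_cn == expected_issuer_cn,
        "protocol_is_tls12_or_newer": protocol in ("TLSv1.2", "TLSv1.3"),
    }


def neutron_tls_ok(output, expected_fqdn, expected_issuer_cn):
    """True only when every individual check passes."""
    return all(check_s_client(output, expected_fqdn, expected_issuer_cn).values())
```

Feed it the real transcript with `openssl s_client -connect <fqdn>:9696 -servername <fqdn> -CAfile <IPA CA bundle> < /dev/null` so that the verify return code reflects an actual chain validation rather than whatever happens to be in the system store.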
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:3462