Description of problem: RHOSP 10 cloud with ssl-enabled undercloud has been running for about a year. The ssl cert expired and was renewed automatically with certmonger. Openstack commands run on the undercloud (stackrc sourced) are returning CERTIFICATE_VERIFY_FAILED. After updating the ca-trust, the commands begin working again. Version-Release number of selected component (if applicable): How reproducible: Seen in 2 different customer environments that were deployed about 1 prior to this. Steps to Reproduce: 1. Install undercloud with 'generate_service_certificate = true' 2. Wait for the ssl cert to expire and renew automatically 3. Source stackrc and run any openstack command Actual results: ERROR (SSLError): SSL exception connecting to https://<undercloudip>:13000/v2.0/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579) Expected results: Command returns normally Additional info: Able to get this working by running: $ sudo openssl pkcs12 -in /var/lib/certmonger/local/creds -out /etc/pki/ca-trust/source/anchors/undercloud-ca.pem -nokeys -nodes -passin pass:"" $ sudo update-ca-trust extract
According to our records, this should be resolved by puppet-tripleo-9.3.1-0.20181010034754.157eaab.el7ost. This build is available now.
I've also hit this during an OSP 13 z4 -> z8 upgrade.
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days