Description of problem:
RHOSP 10 cloud with ssl-enabled undercloud has been running for about a year. The ssl cert expired and was renewed automatically with certmonger. Openstack commands run on the undercloud (stackrc sourced) are returning CERTIFICATE_VERIFY_FAILED. After updating the ca-trust, the commands begin working again.
Version-Release number of selected component (if applicable):
Seen in 2 different customer environments that were deployed about 1 prior to this.
Steps to Reproduce:
1. Install undercloud with 'generate_service_certificate = true'
2. Wait for the ssl cert to expire and renew automatically
3. Source stackrc and run any openstack command
ERROR (SSLError): SSL exception connecting to https://<undercloudip>:13000/v2.0/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
Command returns normally
Able to get this working by running:
$ sudo openssl pkcs12 -in /var/lib/certmonger/local/creds -out /etc/pki/ca-trust/source/anchors/undercloud-ca.pem -nokeys -nodes -passin pass:""
$ sudo update-ca-trust extract
According to our records, this should be resolved by puppet-tripleo-9.3.1-0.20181010034754.157eaab.el7ost. This build is available now.
I've also hit this during an OSP 13 z4 -> z8 upgrade.