Bug 1547248 - After undercloud ssl certificate is updated, ca-trust is not updated automatically [NEEDINFO]
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-tripleo
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Linux
Target Milestone: z3
: 14.0 (Rocky)
Assignee: RHOS Maint
QA Contact: Jeremy Agee
Depends On: 1609025
Blocks: 1572278 1572280 1572282
Reported: 2018-02-20 20:38 UTC by nalmond
Modified: 2021-12-10 15:59 UTC (History)

Fixed In Version: puppet-tripleo-9.1.1-0.20180702230221.1d836c2.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1572278 (view as bug list)
Last Closed: 2020-01-24 12:18:19 UTC
Target Upstream Version:
ccopello: needinfo? (rhos-maint)
rheslop: needinfo? (rhos-maint)
ltamagno: needinfo? (rhos-maint)


System | ID | Private | Priority | Status | Summary | Last Updated
Launchpad | 1753948 | 0 | None | None | None | 2018-03-07 08:52:29 UTC
OpenStack gerrit | 550403 | 0 | 'None' | MERGED | Extract local CA if it expired | 2021-02-08 20:45:11 UTC
Red Hat Issue Tracker | OSP-1283 | 0 | None | None | None | 2021-12-10 15:59:03 UTC
Red Hat Knowledge Base (Solution) | 3357871 | 0 | None | None | None | 2018-02-20 20:39:34 UTC

Description nalmond 2018-02-20 20:38:20 UTC
Description of problem:
RHOSP 10 cloud with ssl-enabled undercloud has been running for about a year. The ssl cert expired and was renewed automatically with certmonger. OpenStack commands run on the undercloud (stackrc sourced) are returning CERTIFICATE_VERIFY_FAILED. After updating the ca-trust, the commands begin working again.

Version-Release number of selected component (if applicable):

How reproducible:
Seen in 2 different customer environments that were deployed about 1 prior to this.

Steps to Reproduce:
1. Install undercloud with 'generate_service_certificate = true'
2. Wait for the ssl cert to expire and renew automatically
3. Source stackrc and run any openstack command

Actual results:
ERROR (SSLError): SSL exception connecting to https://<undercloudip>:13000/v2.0/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

Expected results:
Command returns normally

Additional info:
Able to get this working by running:

$ sudo openssl pkcs12 -in /var/lib/certmonger/local/creds -out /etc/pki/ca-trust/source/anchors/undercloud-ca.pem -nokeys -nodes -passin pass:""
$ sudo update-ca-trust extract
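
A guarded form of the workaround above, as an added example that is not part of the original report or of puppet-tripleo: it re-extracts the certmonger local CA only when the trust anchor is missing, expired, or has a different fingerprint. The function names and the `--apply` flag are hypothetical; the paths are the ones used in the report.

```bash
#!/usr/bin/env bash
# Added example (not from the bug report): refresh the undercloud CA trust
# anchor only when it is missing, expired, or differs from certmonger's CA.
# Default paths are the ones in the report's workaround; the PKCS#12 bundle is
# assumed to have an empty passphrase and to list the CA certificate first.
CREDS="${CREDS:-/var/lib/certmonger/local/creds}"
ANCHOR="${ANCHOR:-/etc/pki/ca-trust/source/anchors/undercloud-ca.pem}"

# Print the certificate(s) from certmonger's local CA bundle, without keys.
creds_ca_pem() {
    openssl pkcs12 -in "$1" -nokeys -nodes -passin pass:"" 2>/dev/null
}

# Print the SHA-256 fingerprint of the first certificate on stdin.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# 0: anchor is current; 1: anchor needs a refresh; 2: bundle unreadable.
anchor_status() {
    local creds="$1" anchor="$2" want have
    want="$(creds_ca_pem "$creds" | cert_fingerprint)" || return 2
    [ -n "$want" ] || return 2
    [ -s "$anchor" ] || return 1
    openssl x509 -in "$anchor" -noout -checkend 0 >/dev/null 2>&1 || return 1
    have="$(cert_fingerprint < "$anchor")"
    [ "$want" = "$have" ] || return 1
}

# Re-extract the CA into the anchor file and rebuild the system trust store.
refresh_anchor() {
    local creds="$1" anchor="$2" tmp rc=1
    tmp="$(mktemp)" || return 1
    if creds_ca_pem "$creds" > "$tmp" && [ -s "$tmp" ]; then
        install -m 0644 "$tmp" "$anchor" && update-ca-trust extract && rc=0
    fi
    rm -f "$tmp"
    return "$rc"
}

# Run as root with --apply (for example from a daily cron job).
if [ "${1:-}" = "--apply" ]; then
    anchor_status "$CREDS" "$ANCHOR"
    case $? in
        0) echo "trust anchor is current" ;;
        1) refresh_anchor "$CREDS" "$ANCHOR" && echo "trust anchor refreshed" ;;
        *) echo "cannot read CA from $CREDS" >&2; exit 2 ;;
    esac
fi
```

Comparing fingerprints before writing means the trust store is rebuilt only when certmonger has actually replaced the local CA, so the check is safe to run on a schedule.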

Comment 23 Lon Hohberger 2019-01-15 19:35:19 UTC
According to our records, this should be resolved by puppet-tripleo-9.3.1-0.20181010034754.157eaab.el7ost. This build is available now.

Comment 32 Christopher Brown 2019-10-15 13:43:16 UTC
I've also hit this during an OSP 13 z4 -> z8 upgrade.
