Bug 1547248 - After undercloud ssl certificate is updated, ca-trust is not updated automatically
Keywords:
Status: CLOSED EOL
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-tripleo
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Linux
Priority: high
Severity: medium
Target Milestone: z3
Target Release: 14.0 (Rocky)
Assignee: RHOS Maint
QA Contact: Jeremy Agee
URL:
Whiteboard:
Depends On: 1609025
Blocks: 1572278 1572280 1572282
Reported: 2018-02-20 20:38 UTC by nalmond
Modified: 2023-09-15 00:06 UTC (History)

Fixed In Version: puppet-tripleo-9.1.1-0.20180702230221.1d836c2.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1572278
Environment:
Last Closed: 2020-01-24 12:18:19 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1753948 0 None None None 2018-03-07 08:52:29 UTC
OpenStack gerrit 550403 0 'None' MERGED Extract local CA if it expired 2021-02-08 20:45:11 UTC
Red Hat Issue Tracker OSP-1283 0 None None None 2021-12-10 15:59:03 UTC
Red Hat Knowledge Base (Solution) 3357871 0 None None None 2018-02-20 20:39:34 UTC

Description nalmond 2018-02-20 20:38:20 UTC
Description of problem:
RHOSP 10 cloud with ssl-enabled undercloud has been running for about a year. The ssl cert expired and was renewed automatically with certmonger. OpenStack commands run on the undercloud (stackrc sourced) are returning CERTIFICATE_VERIFY_FAILED. After updating the ca-trust, the commands begin working again.

Version-Release number of selected component (if applicable):

How reproducible:
Seen in 2 different customer environments that were deployed about 1 prior to this.

Steps to Reproduce:
1. Install undercloud with 'generate_service_certificate = true'
2. Wait for the ssl cert to expire and renew automatically
3. Source stackrc and run any openstack command

Actual results:
ERROR (SSLError): SSL exception connecting to https://<undercloudip>:13000/v2.0/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

Expected results:
Command returns normally

Additional info:
Able to get this working by running:

$ sudo openssl pkcs12 -in /var/lib/certmonger/local/creds -out /etc/pki/ca-trust/source/anchors/undercloud-ca.pem -nokeys -nodes -passin pass:""
$ sudo update-ca-trust extract
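
The workaround above can be automated so that the anchor is rewritten only when it has expired or no longer matches certmonger's local CA. This is an added example, not part of the original report and not the puppet-tripleo fix; the function names, the `--apply` switch and running it as root from cron are assumptions, while the two default paths come from the workaround.

```shell
#!/bin/sh
# Added example (not from the bug report or puppet-tripleo). Default paths are
# the ones in the workaround; function names and --apply are assumptions.
CREDS=${CREDS:-/var/lib/certmonger/local/creds}
ANCHOR=${ANCHOR:-/etc/pki/ca-trust/source/anchors/undercloud-ca.pem}

# Dump the certificates (no keys) from the empty-password PKCS#12 store.
extract_ca() {
    openssl pkcs12 -in "$1" -nokeys -nodes -passin pass:"" 2>/dev/null
}

# SHA-256 fingerprint of the first PEM certificate read from stdin.
cert_fp() {
    openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# Status 0: anchor is stale (missing, expired, or not the current local CA).
# Status 1: anchor matches the current CA. Status 2: CA store unreadable.
anchor_is_stale() {
    [ -s "$2" ] || return 0
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1 || return 0
    current_fp=$(extract_ca "$1" | cert_fp) || return 2
    [ -n "$current_fp" ] || return 2
    [ "$current_fp" != "$(cert_fp < "$2")" ]
}

# Rewrite the anchor from the CA store and rebuild the trust bundle (root).
refresh_anchor() {
    tmp_pem=$(mktemp) || return 1
    if extract_ca "$1" > "$tmp_pem" && [ -s "$tmp_pem" ]; then
        install -m 0644 "$tmp_pem" "$2" && update-ca-trust extract
        rc=$?
    else
        rc=2
    fi
    rm -f "$tmp_pem"
    return "$rc"
}

# Only act when asked, e.g. from a daily cron job run as root.
if [ "${1:-}" = "--apply" ]; then
    rc=0; anchor_is_stale "$CREDS" "$ANCHOR" || rc=$?
    case $rc in
        0) refresh_anchor "$CREDS" "$ANCHOR" ;;
        1) echo "undercloud CA trust anchor is current" ;;
        *) echo "cannot read CA store $CREDS" >&2; exit 2 ;;
    esac
fi
```

Comparing fingerprints as well as expiry catches the case where certmonger has already issued a new local CA while the old anchor is still inside its validity period.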

Comment 23 Lon Hohberger 2019-01-15 19:35:19 UTC
According to our records, this should be resolved by puppet-tripleo-9.3.1-0.20181010034754.157eaab.el7ost.  This build is available now.

Comment 32 Christopher Brown 2019-10-15 13:43:16 UTC
I've also hit this during an OSP 13 z4 -> z8 upgrade.

Comment 35 Red Hat Bugzilla 2023-09-15 00:06:34 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days

