Bug 1572278 - After undercloud ssl certificate is updated, ca-trust is not updated automatically
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-tripleo
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Linux
Target Milestone: beta
Target Release: 13.0 (Queens)
Assignee: RHOS Maint
QA Contact: Pavan
Depends On: 1547248 1595876
Blocks: 1572280 1572282
Reported: 2018-04-26 15:15 UTC by Harry Rybacki
Modified: 2021-03-11 17:20 UTC

Fixed In Version: puppet-tripleo-8.3.2-4.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1547248
Clones: 1572280 1595876
Last Closed: 2018-06-27 13:53:50 UTC
Target Upstream Version:

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Launchpad | 1753948 | 0 | None | None | None | 2018-04-26 15:15:53 UTC |
| OpenStack gerrit | 553311 | 0 | None | MERGED | Extract local CA if it expired | 2020-09-24 14:23:25 UTC |
| Red Hat Knowledge Base (Solution) | 3357871 | 0 | None | None | None | 2018-04-26 15:15:53 UTC |
| Red Hat Product Errata | RHEA-2018:2086 | 0 | None | None | None | 2018-06-27 13:55:07 UTC |

Comment 3 Harry Rybacki 2018-04-26 15:51:34 UTC
Upstream review located in openstack-tripleo-8.3.2. Updating fixed-in and moving bug to MODIFIED.

Comment 7 Scott Lewis 2018-04-30 14:59:49 UTC
This item has been properly Triaged and planned for the OSP13 release, and is being tagged for tracking. For details, see https://url.corp.redhat.com/1851efd

Comment 13 Juan Antonio Osorio 2018-06-25 16:25:29 UTC
So, certmonger should update the local CA certificate when at least one of these two things happens:

* when certmonger is restarted
* when a certificate is requested for that CA

So, the thing to verify would be that, when the certificate expires, you should restart certmonger, and then run the undercloud install again. That should update the trust of that certificate.

Comment 14 Rob Crittenden 2018-06-25 19:04:36 UTC
The execution doesn't happen in a shell. This should be put into a script (bash, python, whatever) in /usr/libexec/<something>/<something> and set that as the post command.

You can define arguments to be passed in when setting the post-callback command.

For example:

/usr/libexec/director/renew_cert /etc/pki/tls/certs/undercloud-front.crt  /etc/pki/tls/private/undercloud-front.key /etc/pki/tls/certs/undercloud-
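
The point made in Comment 14, as an added example that is not part of the bug report and is not certmonger or puppet-tripleo code: a command string launched without a shell hands `>` to the program as an ordinary argument, so the redirect never happens, while a wrapper script that receives its paths as arguments does the job. The splitting rule in `run_without_shell`, the body of the wrapper and every file name are assumptions, and the certificate and key files are constructed sample data.

```sh
#!/bin/sh
# Added illustration; not certmonger or puppet-tripleo code.

# Simulate a launcher that executes a command string WITHOUT a shell.
# Assumption: plain whitespace splitting; no quoting, globbing, pipes, redirects.
run_without_shell() {
    set -f; set -- $1; set +f
    "$@"
}

# Hypothetical wrapper in the spirit of the renew_cert script in Comment 14:
# shell features live inside the script, paths arrive as plain arguments.
write_wrapper() {
    cat > "$1" <<'EOF'
#!/bin/sh
set -eu
[ "$#" -eq 3 ] || { echo "usage: $0 CERT KEY BUNDLE" >&2; exit 2; }
umask 077                     # the bundle will contain the private key
tmp=$(mktemp "$3.XXXXXX")
cat "$1" "$2" > "$tmp"
mv -f "$tmp" "$3"             # atomic replace: no half-written bundle
EOF
    chmod 0755 "$1"
}

# bundle_created_by CMDLINE BUNDLE: succeed only if running CMDLINE without
# a shell leaves a non-empty BUNDLE behind.
bundle_created_by() {
    rm -f "$2"
    run_without_shell "$1" >/dev/null 2>&1 || true
    [ -s "$2" ]
}

# Constructed sample files stand in for the real certificate and key.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'CONSTRUCTED CERT\n' > "$demo_dir/front.crt"
printf 'CONSTRUCTED KEY\n'  > "$demo_dir/front.key"
write_wrapper "$demo_dir/renew_cert"

inline="cat $demo_dir/front.crt $demo_dir/front.key > $demo_dir/front.pem"
wrapped="$demo_dir/renew_cert $demo_dir/front.crt $demo_dir/front.key $demo_dir/front.pem"

bundle_created_by "$inline" "$demo_dir/front.pem" && echo "inline: bundle written" \
    || echo "inline: no bundle ('>' reached cat as a file name)"
bundle_created_by "$wrapped" "$demo_dir/front.pem" && echo "wrapper: bundle written" \
    || echo "wrapper: no bundle"
```
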

Comment 16 errata-xmlrpc 2018-06-27 13:53:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
