Bug 1607800 - [UPGRADES][14] UndercloudPostDeployment failed: bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate' certificate verify failed')
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 14.0 (Rocky)
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: beta
Target Release: 14.0 (Rocky)
Assignee: Jose Luis Franco
QA Contact: Yurii Prokulevych
URL:
Whiteboard:
Depends On:
Blocks: 1712551
Reported: 2018-07-24 09:55 UTC by Yurii Prokulevych
Modified: 2022-02-15 07:15 UTC (History)

Fixed In Version: openstack-tripleo-heat-templates-9.0.0-0.20180919080946.0rc1.0rc1.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1712551
Environment:
Last Closed: 2019-01-11 11:50:46 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 585328 0 'None' MERGED Add upgrade_tasks for HAproxy 2021-01-01 07:00:10 UTC
Red Hat Issue Tracker OSP-12669 0 None None None 2022-02-15 07:15:06 UTC
Red Hat Issue Tracker UPG-4998 0 None None None 2022-02-15 07:15:21 UTC
Red Hat Product Errata RHEA-2019:0045 0 None None None 2019-01-11 11:51:03 UTC

Description Yurii Prokulevych 2018-07-24 09:55:23 UTC
Description of problem:
-----------------------
Upgrade of RHOS-13 undercloud to containerized RHOS-14 undercloud failed:

openstack undercloud upgrade -y --use-heat
...
                "++ export CLOUDPROMPT_ENABLED=1",
                "++ CLOUDPROMPT_ENABLED=1",
                "+ '[' '!' -f /home/stack/.ssh/authorized_keys ']'",
                "+ '[' '!' -f /home/stack/.ssh/id_rsa ']'",
                "++ cat /home/stack/.ssh/id_rsa.pub",
                "+ grep 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAoilfFFTGFASMZXm8pOuj3W7TmDltehxTcPRXEdOnkh7RMUKU0gNEaNvdR4VPjVk6BIZ9XHaCxvLxGryYbED2s8iCXl0rYGe9qPM1E1WE0ZUL00BL3gmFOVozvr5Denf+Stb9cZXxHsaOBWOi5R+GRu
IwjmLmNlGZcvkfV4R4bA8y2lNifxi0LBoY65vvWSymL5ZxptxzBPEZpoDk+/3tavx55dZ8L8ibbMIILl8RhS7eqj0VTtP4Z591w61x/Q7nOufCcSXuyY76KvGz1xaLG9h0CpLKbc1k8/9bGEmBABOIbvuajiKKN/a/vv0XewwyehhjtcKssoJSbOoXa/wskQ==' /home/stack/.ss
h/authorized_keys",
                "+ chown -R stack:stack /home/stack/.ssh",
                "++ hiera nova_api_enabled",
                "+ '[' true = true ']'",
                "++ openstack project show admin",
                "++ awk '$2==\"id\" {print $4}'",
                "+ openstack quota set --cores -1 --instances -1 --ram -1 dcc36d7c2ccf4ab8b469492b24c84165",
                "SSL exception connecting to https://192.168.24.2:13774/v2.1/os-quota-sets/dcc36d7c2ccf4ab8b469492b24c84165: (\"bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate 
verify failed')],)\",)",
                "",
                "[2018-07-24 05:39:54,279] (heat-config) [ERROR] Error running /var/lib/heat-config/heat-config-script/88a2dd32-e2d0-498b-806d-9bec43ba9c9b. [1]",
                "",
                "",
                "[2018-07-24 05:39:54,283] (heat-config) [INFO] Completed /usr/libexec/heat-config/hooks/script",
                "[2018-07-24 05:39:54,283] (heat-config) [DEBUG] Running heat-config-notify /var/lib/heat-config/deployed/88a2dd32-e2d0-498b-806d-9bec43ba9c9b.json < /var/lib/heat-config/deployed/88a2dd32-e2d0-4
98b-806d-9bec43ba9c9b.notify.json",
                "[2018-07-24 05:39:54,894] (heat-config) [INFO] ",
                "[2018-07-24 05:39:54,894] (heat-config) [DEBUG] "
            ]
        },
        {
            "status_code": "1"
        }
    ]
}



Version-Release number of selected component (if applicable):
-------------------------------------------------------------
openstack-tripleo-common-containers-9.1.1-0.20180710151736.8e8dabd.el7ost.noarch
openstack-tripleo-heat-templates-9.0.0-0.20180710202746.d2994ca.el7ost.noarch
python-tripleoclient-heat-installer-10.2.1-0.20180709114814.e5ce9a8.el7ost.noarch
python-tripleoclient-10.2.1-0.20180709114814.e5ce9a8.el7ost.noarch


How reproducible:
-----------------
100%

Steps to Reproduce:
-------------------
1. Deploy RHOS-13 undercloud with SSL
2. Setup RHOS-14 repos
3. Upgrade openstack-tripleo-common-containers and generate container-images for RHOS-14 uc
4. Upgrade python-tripleoclient
5. Start undercloud upgrade:
    openstack undercloud upgrade -y --use-heat

Comment 2 Juan Antonio Osorio 2018-07-24 10:22:05 UTC
what's the output of:

openssl s_client -connect 192.168.24.2:13774

Comment 3 Yurii Prokulevych 2018-07-24 11:08:55 UTC
[stack@undercloud-0 ~ ] $ openssl s_client -connect 192.168.24.2:13774
CONNECTED(00000003)
depth=1 CN = Local Signing Authority, CN = 2b8bd999-02514113-9a56ff86-874336f9
verify return:1
depth=0 CN = 192.168.24.2
verify return:1
---
Certificate chain
 0 s:/CN=192.168.24.2
   i:/CN=Local Signing Authority/CN=2b8bd999-02514113-9a56ff86-874336f9
 1 s:/CN=Local Signing Authority/CN=2b8bd999-02514113-9a56ff86-874336f9
   i:/CN=Local Signing Authority/CN=2b8bd999-02514113-9a56ff86-874336f9
---
Server certificate
subject=/CN=192.168.24.2
issuer=/CN=Local Signing Authority/CN=2b8bd999-02514113-9a56ff86-874336f9
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2471 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 85DDCE66CA8F47D35EC5BE1C808EC977C5519509C574467CF9A4F7E3DA235B07
    Session-ID-ctx: 
    Master-Key: 248F1CFBA212491855D2AB09492711530672A0F1A6DE89837EFF8C462D4B610E80505EED33B99EA785F9C90C3B112941
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1532430389
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
/HTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>
closed

Comment 14 errata-xmlrpc 2019-01-11 11:50:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:0045

