Description of problem:
As per the BZ title, during the certificate generation process/host registration/etc. one last step is missing: create a DNS entry having the public API record.

Version-Release number of selected component (if applicable):
OSP13 z1 (tested version)

How reproducible:
- Install IdM
- Install undercloud enabling novajoin
- Install overcloud and include the following templates
  -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml \
  -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml \
  -e /usr/share/openstack-tripleo-heat-templates/environments/services/haproxy-public-tls-certmonger.yaml \

Actual results:
dig @172.16.0.2 overcloud.redhat.local

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> @172.16.0.2 overcloud.redhat.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23607
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;overcloud.redhat.local. IN A

;; AUTHORITY SECTION:
redhat.local. 3600 IN SOA freeipa.redhat.local. hostmaster.redhat.local. 1532522733 3600 900 1209600 3600

;; Query time: 0 msec
;; SERVER: 172.16.0.2#53(172.16.0.2)
;; WHEN: Wed Jul 25 08:45:53 EDT 2018
;; MSG SIZE rcvd: 106

Expected results:
dig @172.16.0.2 overcloud.redhat.local

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> @172.16.0.2 overcloud.redhat.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2039
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;overcloud.redhat.local. IN A

;; ANSWER SECTION:
overcloud.redhat.local. 86400 IN A 192.168.122.150

;; AUTHORITY SECTION:
redhat.local. 86400 IN NS freeipa.redhat.local.

;; ADDITIONAL SECTION:
freeipa.redhat.local. 1200 IN A 172.16.0.2

;; Query time: 1 msec
;; SERVER: 172.16.0.2#53(172.16.0.2)
;; WHEN: Wed Jul 25 08:46:06 EDT 2018
;; MSG SIZE rcvd: 105
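
A post-deployment check for the condition reported above, as an added example that is not part of the original report or of TripleO/novajoin: it classifies dig output for the public API name as resolved, missing (NXDOMAIN/NODATA) or pointing at an unexpected address. The names check_public_record, sample_nxdomain and sample_ok are hypothetical; the sample text is excerpted from the two dig outputs in the report.

```shell
#!/bin/sh
# Added example (not from the bug report or TripleO): classify dig output for a name.
# Usage: dig @SERVER NAME | check_public_record NAME [EXPECTED_IP]
# Prints OK <ip>, NXDOMAIN, NODATA, MISMATCH <ip> or ERROR <why>; exit 0 only on OK.
check_public_record() {   # hypothetical helper name
    awk -v name="$1" -v want="$2" '
        BEGIN { name = tolower(name); sub(/\.$/, "", name) }
        # The header line carries the response code, e.g. "status: NXDOMAIN,".
        /->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { st = $(i + 1); sub(/,$/, "", st) }
        }
        # Remember the current section; any other comment or blank line ends it.
        /^;; [A-Z]+ SECTION:/ { section = $2; next }
        /^;/ || /^$/ { section = ""; next }
        # Collect A records for the queried name from the ANSWER section only.
        section == "ANSWER" && NF >= 5 && $4 == "A" {
            owner = tolower($1); sub(/\.$/, "", owner)
            if (owner == name) ips[++n] = $5
        }
        END {
            if (st == "")         { print "ERROR no-header"; exit 2 }
            if (st == "NXDOMAIN") { print "NXDOMAIN"; exit 1 }
            if (st != "NOERROR")  { print "ERROR " st; exit 2 }
            if (n == 0)           { print "NODATA"; exit 1 }
            for (i = 1; i <= n; i++)
                if (want == "" || ips[i] == want) { print "OK " ips[i]; exit 0 }
            print "MISMATCH " ips[1]; exit 1
        }'
}

# Samples excerpted from the "Actual results" and "Expected results" outputs.
sample_nxdomain() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23607
;; AUTHORITY SECTION:
redhat.local. 3600 IN SOA freeipa.redhat.local. hostmaster.redhat.local. 1532522733 3600 900 1209600 3600
EOF
}
sample_ok() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2039
;; ANSWER SECTION:
overcloud.redhat.local. 86400 IN A 192.168.122.150
;; ADDITIONAL SECTION:
freeipa.redhat.local. 1200 IN A 172.16.0.2
EOF
}

sample_nxdomain | check_public_record overcloud.redhat.local || true
sample_ok | check_public_record overcloud.redhat.local 192.168.122.150
```
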
Re-aligning to RFE and requesting ACKs.
This is addressed in the Ansible-based re-implementation of TLS-everywhere as described in bug#1823932. Closing as a duplicate.

*** This bug has been marked as a duplicate of bug 1823932 ***