Bug 1666379 - /etc/pki/ca-trust/source/anchors/cm-local-ca.pem has wrong permissions after undercloud installation [NEEDINFO]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-tripleo
Version: 15.0 (Stein)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: Upstream M3
Target Release: 15.0 (Stein)
Assignee: RHOS Maint
QA Contact: Jeremy Agee
URL:
Whiteboard:
Depends On:
Blocks: 1667447 1667450
Reported: 2019-01-15 16:36 UTC by Marius Cornea
Modified: 2019-09-26 10:47 UTC

Fixed In Version: puppet-tripleo-10.4.2-0.20190502220347.02cd12e.el8ost.noarch.rpm
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1667447
Environment:
Last Closed: 2019-09-21 11:19:56 UTC
Target Upstream Version:
gregraka: needinfo? (rhos-maint)



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Launchpad | 1788257 | 0 | None | None | None | 2019-01-16 12:46:27 UTC
OpenStack gerrit | 631210 | 0 | 'None' | MERGED | Explicitly set certmonger's CA cert's permissions | 2021-02-04 13:07:23 UTC
Red Hat Product Errata | RHEA-2019:2811 | 0 | None | None | None | 2019-09-21 11:20:16 UTC

Description Marius Cornea 2019-01-15 16:36:39 UTC
Description of problem:

(undercloud) [stack@undercloud-0 ~]$ openstack stack list
Failed to discover available identity versions when contacting https://192.168.24.2:13000/. Attempting to parse version from URL.
Could not find versioned identity endpoints when attempting to authenticate. Please check that your auth_url is correct. SSL exception connecting to https://192.168.24.2:13000: HTTPSConnectionPool(host='192.168.24.2', port=13000): Max retries exceeded with url: / (Caused by SSLError(PermissionError(13, 'Permission denied'),))

Checking the permissions for the CA certificate set in OS_CACERT:
(undercloud) [stack@undercloud-0 ~]$ grep OS_CACERT stackrc 
export OS_CACERT="/etc/pki/ca-trust/source/anchors/cm-local-ca.pem"
(undercloud) [stack@undercloud-0 ~]$ ls -l /etc/pki/ca-trust/source/anchors/cm-local-ca.pem
-rw-------. 1 root root 1587 Jan 11 16:05 /etc/pki/ca-trust/source/anchors/cm-local-ca.pem

After setting read permissions the openstack command returned successfully:

(undercloud) [stack@undercloud-0 ~]$ sudo chmod o+r /etc/pki/ca-trust/source/anchors/cm-local-ca.pem
(undercloud) [stack@undercloud-0 ~]$ openstack stack list



Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-10.2.1-0.20190111152159.64fa74e.fc28.noarch

How reproducible:
100%

Steps to Reproduce:
1. Deploy undercloud
2. source stackrc
3. Run 'openstack stack list'

Actual results:
Failed to discover available identity versions when contacting https://192.168.24.2:13000/. Attempting to parse version from URL.
Could not find versioned identity endpoints when attempting to authenticate. Please check that your auth_url is correct. SSL exception connecting to https://192.168.24.2:13000: HTTPSConnectionPool(host='192.168.24.2', port=13000): Max retries exceeded with url: / (Caused by SSLError(PermissionError(13, 'Permission denied'),))

Expected results:
No failure

Additional info:
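
The manual `ls -l` check from the description, generalized into a reusable audit (an added example, not part of the original report or of puppet-tripleo). It assumes GNU `stat` and `readlink`; the function name `check_ca_perms` and its optional `TOP` argument are hypothetical, and only classic mode bits are inspected, not ACLs or SELinux labels.

```shell
# Usage: check_ca_perms FILE [TOP]
#   FILE  CA certificate to audit, e.g. the path exported in OS_CACERT
#   TOP   highest parent directory to inspect (default: /)
# Exit status: 0 = usable by unprivileged clients, 1 = finding, 2 = missing.
check_ca_perms() (
    path=$(readlink -f -- "$1") || exit 2
    top=$(readlink -f -- "${2:-/}") || exit 2
    [ -f "$path" ] || { echo "MISSING $1"; exit 2; }
    rc=0
    mode=$(stat -c '%a' -- "$path")
    # A CA certificate is public data: "other" needs read (04) so that
    # non-root clients such as the stack user can load it.
    if [ $(( 0$mode & 04 )) -eq 0 ]; then
        echo "UNREADABLE $path mode=$mode"; rc=1
    fi
    # A trust anchor must never be writable by group or other (022).
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "WRITABLE $path mode=$mode"; rc=1
    fi
    # Every parent directory also needs search permission (o+x);
    # without it open() fails with the same EACCES (errno 13).
    dir=$(dirname -- "$path")
    while :; do
        mode=$(stat -c '%a' -- "$dir")
        if [ $(( 0$mode & 01 )) -eq 0 ]; then
            echo "UNSEARCHABLE $dir mode=$mode"; rc=1
        fi
        if [ "$dir" = "$top" ] || [ "$dir" = / ]; then break; fi
        dir=$(dirname -- "$dir")
    done
    exit "$rc"
)
```

Run against the file from this report in its 0600 state, it would print an `UNREADABLE` line and exit 1.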

Comment 9 Harry Rybacki 2019-02-06 16:19:09 UTC
Updated the wrong clone of the RHBZ -- moving back to POST.

Comment 15 errata-xmlrpc 2019-09-21 11:19:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:2811

