Bug 1666379 - /etc/pki/ca-trust/source/anchors/cm-local-ca.pem has wrong permissions after undercloud installation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-tripleo
Version: 15.0 (Stein)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: Upstream M3
Target Release: 15.0 (Stein)
Assignee: RHOS Maint
QA Contact: Jeremy Agee
URL:
Whiteboard:
Depends On:
Blocks: 1667447 1667450
Reported: 2019-01-15 16:36 UTC by Marius Cornea
Modified: 2023-09-14 04:45 UTC

Fixed In Version: puppet-tripleo-10.4.2-0.20190502220347.02cd12e.el8ost.noarch.rpm
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1667447
Environment:
Last Closed: 2019-09-21 11:19:56 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1788257 0 None None None 2019-01-16 12:46:27 UTC
OpenStack gerrit 631210 0 'None' MERGED Explicitly set certmonger's CA cert's permissions 2021-02-04 13:07:23 UTC
Red Hat Product Errata RHEA-2019:2811 0 None None None 2019-09-21 11:20:16 UTC

Description Marius Cornea 2019-01-15 16:36:39 UTC
Description of problem:

(undercloud) [stack@undercloud-0 ~]$ openstack stack list
Failed to discover available identity versions when contacting https://192.168.24.2:13000/. Attempting to parse version from URL.
Could not find versioned identity endpoints when attempting to authenticate. Please check that your auth_url is correct. SSL exception connecting to https://192.168.24.2:13000: HTTPSConnectionPool(host='192.168.24.2', port=13000): Max retries exceeded with url: / (Caused by SSLError(PermissionError(13, 'Permission denied'),))

Checking the permissions for the CA certificate set in OS_CACERT:
(undercloud) [stack@undercloud-0 ~]$ grep OS_CACERT stackrc 
export OS_CACERT="/etc/pki/ca-trust/source/anchors/cm-local-ca.pem"
(undercloud) [stack@undercloud-0 ~]$ ls -l /etc/pki/ca-trust/source/anchors/cm-local-ca.pem
-rw-------. 1 root root 1587 Jan 11 16:05 /etc/pki/ca-trust/source/anchors/cm-local-ca.pem

After setting read permissions the openstack command returned successfully:

(undercloud) [stack@undercloud-0 ~]$ sudo chmod o+r /etc/pki/ca-trust/source/anchors/cm-local-ca.pem
(undercloud) [stack@undercloud-0 ~]$ openstack stack list



Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-10.2.1-0.20190111152159.64fa74e.fc28.noarch

How reproducible:
100%

Steps to Reproduce:
1. Deploy undercloud
2. source stackrc
3. Run 'openstack stack list'

Actual results:
Failed to discover available identity versions when contacting https://192.168.24.2:13000/. Attempting to parse version from URL.
Could not find versioned identity endpoints when attempting to authenticate. Please check that your auth_url is correct. SSL exception connecting to https://192.168.24.2:13000: HTTPSConnectionPool(host='192.168.24.2', port=13000): Max retries exceeded with url: / (Caused by SSLError(PermissionError(13, 'Permission denied'),))

Expected results:
No failure

Additional info:
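
The failure in this report comes from a root-only (0600) CA file in the trust-anchor directory. The following is an added example, not part of the bug report or of the puppet-tripleo fix: a shell function that audits an anchors directory by mode bits. The names `audit_anchors` and `demo` are hypothetical, and flagging group- or world-writable anchors is an assumption added here.

```shell
#!/bin/sh
# Added example: audit CA trust anchors by mode bits (not by the caller's own
# access), so the result is the same whether it runs as root or as "stack".

# audit_anchors [DIR]: print one finding per line; return 1 if any were found.
audit_anchors() {
    dir=${1:-/etc/pki/ca-trust/source/anchors}
    findings=$(
        # No other-read bit: non-root TLS clients get EACCES (errno 13) when
        # loading the CA file, as in the error output in this report.
        find "$dir" -type f ! -perm -004 -print | sed 's/^/UNREADABLE /'
        # Assumption added here: a group- or world-writable anchor is also a
        # finding, since any local user could then replace the trust root.
        find "$dir" -type f \( -perm -020 -o -perm -002 \) -print |
            sed 's/^/WRITABLE /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed demo: throwaway files with the mode from the report (600),
# a conventional public-cert mode (644), and an over-permissive one (666).
demo() {
    tmp=$(mktemp -d) || return 2
    for m in 600 644 666; do
        : > "$tmp/ca-$m.pem"
        chmod "$m" "$tmp/ca-$m.pem"
    done
    audit_anchors "$tmp"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || true
```

Run without arguments, `audit_anchors` checks /etc/pki/ca-trust/source/anchors, so it can serve as a post-install check after an undercloud deployment.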

Comment 9 Harry Rybacki 2019-02-06 16:19:09 UTC
Updated the wrong clone of the RHBZ -- moving back to POST.

Comment 15 errata-xmlrpc 2019-09-21 11:19:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:2811

Comment 16 Red Hat Bugzilla 2023-09-14 04:45:06 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

