Description of problem:
"/tls-everywhere-endpoints-dns.yaml" is setting Octavia endpoints to IP_ADDRESS which does not make sense since the IDM signed certificates cannot have an IP SAN entry to verify the certificate.

(cloud) [stack@director deployment]$ openstack endpoint list | egrep -i octavia
| 48250fe5373048e7bb11152bee2da6b3 | regionOne | octavia | load-balancer | True | admin | https://192.168.204.17:9876 |
| 565be13b3a814f89b2b764cbb98648da | regionOne | octavia | load-balancer | True | public | https://cloud.lab.diktio.net:13876 |
| 711f215615a843068e749bf2d4b27776 | regionOne | octavia | load-balancer | True | internal | https://192.168.204.17:9876 |
(cloud) [stack@director deployment]$

(cloud) [stack@director deployment]$ egrep -i octavia /usr/share/openstack-tripleo-heat-templates/environments/tls-everywhere-endpoints-dns.yaml
OctaviaAdmin: {protocol: 'https', port: '9876', host: 'IP_ADDRESS'}
OctaviaInternal: {protocol: 'https', port: '9876', host: 'IP_ADDRESS'}
OctaviaPublic: {protocol: 'https', port: '13876', host: 'CLOUDNAME'}
(cloud) [stack@director deployment]$

[root@cloud-controller-0 ~]# curl https://192.168.204.17:9876
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
[root@cloud-controller-0 ~]#

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Configure TLS everywhere with Octavia enabled.
2.
3.

Actual results:

Expected results:

Additional info:
Bug upstream: https://bugs.launchpad.net/tripleo/+bug/1822035
Fix upstream: https://review.openstack.org/648321
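An added example, not part of the original report or of TripleO: a Python check that flags https endpoints addressed by IP, run over the template lines and endpoint rows quoted in the report. The function names are hypothetical, and the column order of the endpoint table is assumed to match the output shown above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample input: the template entries and endpoint rows quoted in the report.
ENDPOINT_MAP = """\
OctaviaAdmin: {protocol: 'https', port: '9876', host: 'IP_ADDRESS'}
OctaviaInternal: {protocol: 'https', port: '9876', host: 'IP_ADDRESS'}
OctaviaPublic: {protocol: 'https', port: '13876', host: 'CLOUDNAME'}
"""
ENDPOINT_LIST = """\
| 48250fe5373048e7bb11152bee2da6b3 | regionOne | octavia | load-balancer | True | admin | https://192.168.204.17:9876 |
| 565be13b3a814f89b2b764cbb98648da | regionOne | octavia | load-balancer | True | public | https://cloud.lab.diktio.net:13876 |
| 711f215615a843068e749bf2d4b27776 | regionOne | octavia | load-balancer | True | internal | https://192.168.204.17:9876 |
"""
FIELD = re.compile(r"(\w+):\s*'([^']*)'")

def map_entries_using_ip(text):
    """Names of https endpoint-map entries whose host is the IP_ADDRESS placeholder."""
    flagged = []
    for m in re.finditer(r"^\s*(\w+):\s*\{(.*)\}", text, re.M):
        fields = dict(FIELD.findall(m.group(2)))
        if fields.get("protocol") == "https" and fields.get("host") == "IP_ADDRESS":
            flagged.append(m.group(1))
    return flagged

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True

def endpoints_using_ip(table):
    """(interface, url) pairs for https endpoint rows whose host is an IP literal."""
    flagged = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 7:  # assumed layout: ID, region, name, type, enabled, interface, URL
            continue
        parts = urlsplit(cells[6])
        if parts.scheme == "https" and is_ip_literal(parts.hostname or ""):
            flagged.append((cells[5], cells[6]))
    return flagged

if __name__ == "__main__":
    print(map_entries_using_ip(ENDPOINT_MAP))
    print(endpoints_using_ip(ENDPOINT_LIST))
```

Any entry it reports is an endpoint that clients will verify against a certificate carrying only DNS names, which is the mismatch curl reports above.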
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0939