Description of problem:

Customer trying to do a Director TLS installation is having this issue:

$ openstack stack failures list --long overcloud | grep -A2 -B2 Error
status: CREATE_FAILED
status_reason: |
  Error: resources[1]: Deployment to server failed: deploy_status_code : Deployment exited with non-zero status code: 2
deploy_stdout: |
--
  "Warning: tag is a metaparam; this value will inherit to all contained resources in the tripleo::firewall::rule definition",
  "Warning: Could not get certificate: Execution of '/usr/bin/getcert request -I neutron -f /etc/pki/tls/certs/neutron.crt -c IPA -N CN=overcloud8ua-ctrl-1.internalapi.5a4s9.englab.juniper.net -K neutron/overcloud8ua-ctrl-1.internalapi.5a4s9.englab.juniper.net -D overcloud8ua-ctrl-1.internalapi.5a4s9.englab.juniper.net -C \"/usr/bin/certmonger-neutron-dhcpd-refresh.sh\" -w -k /etc/pki/tls/private/neutron.key' returned 2: New signing request \"neutron\" added.",
  "Error: /Stage[main]/Tripleo::Certmonger::Neutron/Certmonger_certificate[neutron]: Could not evaluate: Could not get certificate: Server at https://freeipa.5a4s9.englab.juniper.net/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=neutron/overcloud8ua-ctrl-1.internalapi.5a4s9.englab.juniper.net.JUNIPER.NET,cn=services,cn=accounts,dc=5a4s9,dc=englab,dc=juniper,dc=net'.).",
  "Warning: /Stage[main]/Tripleo::Certmonger::Neutron/File[/etc/pki/tls/certs/neutron.crt]: Skipping because of failed dependencies",
  "Warning: /Stage[main]/Tripleo::Certmonger::Neutron/File[/etc/pki/tls/private/neutron.key]: Skipping because of failed dependencies",

It seems to be this upstream bug: https://bugs.launchpad.net/tripleo/+bug/1816465

Version-Release number of selected component (if applicable):
OSP13

How reproducible:
Always

Steps to Reproduce:
1. Deploy with TLS everywhere
2.
3.

Actual results:
mentioned error

Expected results:
deployment success

Additional info:

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:2811