Bug 1701426
| Summary: | [OSP-14] TLS for Manila Internal services | |||
|---|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Goutham Pacha Ravi <gouthamr> | |
| Component: | puppet-manila | Assignee: | Goutham Pacha Ravi <gouthamr> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Jason Grosso <jgrosso> | |
| Severity: | medium | Docs Contact: | Laura Marsh <lmarsh> | |
| Priority: | medium | |||
| Version: | 14.0 (Rocky) | CC: | gcharot, jjoyce, jschluet, rheslop, slinaber, tbarron, tvignaud, vimartin | |
| Target Milestone: | z3 | Keywords: | FeatureBackport, TestOnly, Triaged, ZStream | |
| Target Release: | 14.0 (Rocky) | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | puppet-manila-13.3.2-0.20190420081603.f969ee6.el7ost | Doc Type: | Enhancement | |
| Doc Text: | Prior to this release, the communication between haproxy and the Shared File Systems service (Manila) API was not secured when deployed with TLS everywhere. Support has been added for the Manila API to be configured with SSL certificates, allowing TLS on the internal API network. This feature is now automatically configured when TLS everywhere is enabled. | Story Points: | --- | |
| Clone Of: | ||||
| : | 1701427 (view as bug list) | Environment: | ||
| Last Closed: | 2019-07-22 10:42:53 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1701427 | |||
|
Description
Goutham Pacha Ravi
2019-04-18 23:25:52 UTC
This change has merged upstream. It is ready to be imported downstream.

According to our records, this should be resolved by puppet-manila-13.3.2-0.20190420081603.f969ee6.el7ost. This build is available now.

Tested on 14z3

```
(overcloud) [stack@undercloud-0 ~]$ rpm -qa | grep puppet-manila
puppet-manila-13.3.2-0.20190420081603.f969ee6.el7ost.noarch
stack@undercloud-0 ~]$ source stackrc
(undercloud) [stack@undercloud-0 ~]$ openstack endpoint list
+----------------------------------+-----------+------------------+-------------------------+---------+-----------+--------------------------------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+------------------+-------------------------+---------+-----------+--------------------------------------------------+
| 0e35af7f080745739d6ae93bffbe1491 | regionOne | swift | object-store | True | public | https://192.168.24.2:13808/v1/AUTH_%(tenant_id)s |
| 148405c8bf7d47dab2d9c022cb73be60 | regionOne | keystone | identity | True | internal | http://192.168.24.3:5000 |
| 1a6f1d4c6e5b40c1b0bfdf7f02326ef3 | regionOne | ironic | baremetal | True | admin | http://192.168.24.3:6385 |
| 2748e5ef2f6e4b4e8d3575c762e2034c | regionOne | glance | image | True | internal | http://192.168.24.3:9292 |
| 27b3649ac3ba4b75a993d85da742914f | regionOne | glance | image | True | public | https://192.168.24.2:13292 |
| 355f1990c64c48ad999252d79d2f02e5 | regionOne | nova | compute | True | internal | http://192.168.24.3:8774/v2.1 |
| 3852951ff4c047f780f346cab0baf9f4 | regionOne | zaqar-websocket | messaging-websocket | True | public | wss://192.168.24.2:9000 |
| 40e90a16280641dd8a341e9cdc580004 | regionOne | heat | orchestration | True | internal | http://192.168.24.3:8004/v1/%(tenant_id)s |
| 45907c6e6687457aa3972b9d8ca2a8a2 | regionOne | heat-cfn | cloudformation | True | public | https://192.168.24.2:13005/v1 |
| 489584a4e89b49efadcaa73fff9cb0dd | regionOne | placement | placement | True | internal | http://192.168.24.3:8778/placement |
| 5d0e6f5a0a8744a980ac6881f49fe46b | regionOne | zaqar | messaging | True | internal | http://192.168.24.3:8888 |
| 674f734115904bcc943e08041646b46e | regionOne | zaqar | messaging | True | admin | http://192.168.24.3:8888 |
| 6910adad30864939850fb97af6a0e927 | regionOne | swift | object-store | True | admin | http://192.168.24.3:8080 |
| 6c72e11630a94467946fc2e23650829a | regionOne | ironic | baremetal | True | internal | http://192.168.24.3:6385 |
| 6e6788b03fab4576ae958e7461847428 | regionOne | zaqar | messaging | True | public | https://192.168.24.2:13888 |
| 736dd40f4d9447ae84c2f54ffa9a2fb4 | regionOne | zaqar-websocket | messaging-websocket | True | admin | ws://192.168.24.3:9000 |
| 7a611d38caa7432689351e22c0a4c13f | regionOne | ironic-inspector | baremetal-introspection | True | admin | http://192.168.24.3:5050 |
| 7ead7264a19947759ed0ce02ae0a2dd8 | regionOne | placement | placement | True | public | https://192.168.24.2:13778/placement |
| 8331b99bef964fba81113da3e940574f | regionOne | neutron | network | True | internal | http://192.168.24.3:9696 |
| 8d204801ea214e9880fe0cd4427d7bb1 | regionOne | nova | compute | True | public | https://192.168.24.2:13774/v2.1 |
| 9e88d97494fe4f2db2a3b1fadb57a762 | regionOne | zaqar-websocket | messaging-websocket | True | internal | ws://192.168.24.3:9000 |
| 9eb748b187ef41d58e6880078039e85f | regionOne | swift | object-store | True | internal | http://192.168.24.3:8080/v1/AUTH_%(tenant_id)s |
| a58a56d7b3bc4c64a24bf9ed7d3476da | regionOne | heat-cfn | cloudformation | True | admin | http://192.168.24.3:8000/v1 |
| ab1155c714a84598ad8273730030cbf5 | regionOne | glance | image | True | admin | http://192.168.24.3:9292 |
| ba16d7ddb8a1463fb31265aa575c5795 | regionOne | neutron | network | True | public | https://192.168.24.2:13696 |
| bf15b55815974eb2ab4762de0720a48f | regionOne | keystone | identity | True | public | https://192.168.24.2:13000 |
| c1f40325e3224696a9f38b7f10507c3d | regionOne | ironic-inspector | baremetal-introspection | True | internal | http://192.168.24.3:5050 |
| c5aec0de9b3f410fa2df2833e117d494 | regionOne | neutron | network | True | admin | http://192.168.24.3:9696 |
| caa73b40873d40d1baeacc98ca4765c3 | regionOne | heat | orchestration | True | public | https://192.168.24.2:13004/v1/%(tenant_id)s |
| ccaeec2f17f24322922af09e625f67d2 | regionOne | nova | compute | True | admin | http://192.168.24.3:8774/v2.1 |
| d1a5e7b2d2d94691b55a833e6d7891e3 | regionOne | ironic-inspector | baremetal-introspection | True | public | https://192.168.24.2:13050 |
| d530c96010c54fd89be50d574df0ba5b | regionOne | mistral | workflowv2 | True | public | https://192.168.24.2:13989/v2 |
| d89b59479d80454ba96fc2edac4caa11 | regionOne | keystone | identity | True | admin | http://192.168.24.3:35357 |
| e801764b1e6c43a2b43bd81d4c55fc20 | regionOne | mistral | workflowv2 | True | admin | http://192.168.24.3:8989/v2 |
| e8a583bfac6f4bb49a7e47ab6ff9bccb | regionOne | placement | placement | True | admin | http://192.168.24.3:8778/placement |
| eb2aafe065474299b1b70baa16cb544a | regionOne | mistral | workflowv2 | True | internal | http://192.168.24.3:8989/v2 |
| eff89459e50c498d8b6067d619d55277 | regionOne | ironic | baremetal | True | public | https://192.168.24.2:13385 |
| f075bd92b28b405288dbf947816bfd85 | regionOne | heat-cfn | cloudformation | True | internal | http://192.168.24.3:8000/v1 |
| fde6a66f1b234f958ab0892387cf5536 | regionOne | heat | orchestration | True | admin | http://192.168.24.3:8004/v1/%(tenant_id)s |
+----------------------------------+-----------+------------------+-------------------------+---------+-----------+--------------------------------------------------+
(undercloud) [stack@undercloud-0 ~]$ source overcloudrc
(overcloud) [stack@undercloud-0 ~]$ openstack endpoint list
+----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------------------------+
| 006194f3346544f8a51e8208ca32552b | regionOne | neutron | network | True | internal | https://overcloud.internalapi.redhat.local:9696 |
| 023b2faf451446d69ba998405b136139 | regionOne | glance | image | True | public | https://overcloud.redhat.local:13292 |
| 0452fc3d60f44dd4aa6ffa7a5ac01b83 | regionOne | heat | orchestration | True | admin | https://overcloud.internalapi.redhat.local:8004/v1/%(tenant_id)s |
| 10b96db7a792486096f1f6270a68c0cf | regionOne | manilav2 | sharev2 | True | admin | https://overcloud.internalapi.redhat.local:8786/v2/%(tenant_id)s |
| 1349cff27c8949dc807759e103f54f23 | regionOne | keystone | identity | True | public | https://overcloud.redhat.local:13000 |
| 14a6580469ed4e48ad009502dc26bf1c | regionOne | manila | share | True | public | https://overcloud.redhat.local:13786/v1/%(tenant_id)s |
| 1ff6fec4ffef4cab86821786baee1981 | regionOne | neutron | network | True | public | https://overcloud.redhat.local:13696 |
| 2188d4de71a9429f93734e18b01799c7 | regionOne | placement | placement | True | internal | https://overcloud.internalapi.redhat.local:8778/placement |
| 25fe251e8fdd4244946d85cb26c71112 | regionOne | panko | event | True | admin | https://overcloud.internalapi.redhat.local:8977 |
| 28841ff0e4e24ddda8a0ed52a98188c2 | regionOne | gnocchi | metric | True | internal | https://overcloud.internalapi.redhat.local:8041 |
| 33557497506040eb90341e5194305f64 | regionOne | manilav2 | sharev2 | True | internal | https://overcloud.internalapi.redhat.local:8786/v2/%(tenant_id)s |
| 3391bd2d8e434df1ad66131197d21d7f | regionOne | cinderv3 | volumev3 | True | internal | https://overcloud.internalapi.redhat.local:8776/v3/%(tenant_id)s |
| 3cf8c7a1127146bea55f54489ede96f7 | regionOne | glance | image | True | admin | https://overcloud.internalapi.redhat.local:9292 |
| 483a6b69e357434cb69e0d86b2a7d109 | regionOne | swift | object-store | True | public | https://overcloud.redhat.local:13808/v1/AUTH_%(tenant_id)s |
| 4f93933feda54918b89e753251b63841 | regionOne | gnocchi | metric | True | public | https://overcloud.redhat.local:13041 |
| 4fffab10743a418f87ca6d70f1e35867 | regionOne | manila | share | True | internal | https://overcloud.internalapi.redhat.local:8786/v1/%(tenant_id)s |
| 51d83185115c4e5a880f8c88532c814a | regionOne | heat | orchestration | True | internal | https://overcloud.internalapi.redhat.local:8004/v1/%(tenant_id)s |
| 5720698131fc4243b1a96dc637f96baa | regionOne | nova | compute | True | public | https://overcloud.redhat.local:13774/v2.1 |
| 592ac835276d44c18e161b16a7a6223a | regionOne | panko | event | True | internal | https://overcloud.internalapi.redhat.local:8977 |
| 5ab17713f54f40fa84a0ea6611d0e98b | regionOne | placement | placement | True | admin | https://overcloud.internalapi.redhat.local:8778/placement |
| 5cbd8ef7d7bb4be1b30e1bc96fa52ca9 | regionOne | keystone | identity | True | admin | https://overcloud.ctlplane.redhat.local:35357 |
| 5ff6b069fbee4564a7e3cc30c1bc83bb | regionOne | aodh | alarming | True | admin | https://overcloud.internalapi.redhat.local:8042 |
| 61f33ebbacdd460d8ffd042762b3aa18 | regionOne | manilav2 | sharev2 | True | public | https://overcloud.redhat.local:13786/v2/%(tenant_id)s |
| 67bc9f65e0c047bdb290a93912ddfe0d | regionOne | placement | placement | True | public | https://overcloud.redhat.local:13778/placement |
| 6dddc5e462644e97a7f94b18bc9f8eae | regionOne | aodh | alarming | True | internal | https://overcloud.internalapi.redhat.local:8042 |
| 71efff7f4f994ed7b0fbd779dc76d926 | regionOne | cinderv2 | volumev2 | True | internal | https://overcloud.internalapi.redhat.local:8776/v2/%(tenant_id)s |
| 756ca5db99e242f784366749fea7d9a1 | regionOne | heat-cfn | cloudformation | True | admin | https://overcloud.internalapi.redhat.local:8000/v1 |
| 7a3cd5450964420ebd063d7cdb3ecb77 | regionOne | nova | compute | True | internal | https://overcloud.internalapi.redhat.local:8774/v2.1 |
| 7f03f257320f4d2bb6e3efcf759070df | regionOne | cinderv2 | volumev2 | True | admin | https://overcloud.internalapi.redhat.local:8776/v2/%(tenant_id)s |
| 7fef1a330bfd4941b630245f3960dfa1 | regionOne | cinderv2 | volumev2 | True | public | https://overcloud.redhat.local:13776/v2/%(tenant_id)s |
| 8853bdfa3bc14b6c8aa8245bbaddca52 | regionOne | keystone | identity | True | internal | https://overcloud.internalapi.redhat.local:5000 |
| 945e397c21934598b6040e496bda2382 | regionOne | cinderv3 | volumev3 | True | admin | https://overcloud.internalapi.redhat.local:8776/v3/%(tenant_id)s |
| 95abe087de8f4bb793f55aca14e5b917 | regionOne | heat-cfn | cloudformation | True | public | https://overcloud.redhat.local:13005/v1 |
| 9abf47baae9649818706e0fa7a345370 | regionOne | nova | compute | True | admin | https://overcloud.internalapi.redhat.local:8774/v2.1 |
| aa351d0df9ef40e5b7b0195d6004072a | regionOne | heat | orchestration | True | public | https://overcloud.redhat.local:13004/v1/%(tenant_id)s |
| aa77c078ed7d4620892f2908aa2bc245 | regionOne | glance | image | True | internal | https://overcloud.internalapi.redhat.local:9292 |
| ae73cd1882f240b1a10af68b5c45a195 | regionOne | swift | object-store | True | admin | https://overcloud.storage.redhat.local:8080 |
| b024d88cfc084adfb25791f23d1956e5 | regionOne | gnocchi | metric | True | admin | https://overcloud.internalapi.redhat.local:8041 |
| c0b55ad0b66a4acbb0ad92708bff6253 | regionOne | neutron | network | True | admin | https://overcloud.internalapi.redhat.local:9696 |
| c408a530676b4e5e9c653ae5856cbe0b | regionOne | heat-cfn | cloudformation | True | internal | https://overcloud.internalapi.redhat.local:8000/v1 |
| c74f48efc721476687672a9bcf288cff | regionOne | aodh | alarming | True | public | https://overcloud.redhat.local:13042 |
| e5d8fbb192a04e7d9e63d071f9c34602 | regionOne | manila | share | True | admin | https://overcloud.internalapi.redhat.local:8786/v1/%(tenant_id)s |
| e7099379dea64b95805bd9bfcc4f74cd | regionOne | panko | event | True | public | https://overcloud.redhat.local:13977 |
| f99b8f520bf64678b9aa1773cbaed0c4 | regionOne | swift | object-store | True | internal | https://overcloud.storage.redhat.local:8080/v1/AUTH_%(tenant_id)s |
| fda5372943e84585ac2085bf0cb6a51c | regionOne | cinderv3 | volumev3 | True | public | https://overcloud.redhat.local:13776/v3/%(tenant_id)s |
+----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------------------------+
```

from controller-0

```
(undercloud) [stack@undercloud-0 ~]$ ssh heat-admin.24.12
Warning: Permanently added '192.168.24.12' (ECDSA) to the list of known hosts.
Last login: Thu Jul 18 20:18:12 2019 from 192.168.24.254
[heat-admin@controller-0 ~]$ openssl s_client -crlf -connect overcloud.internalapi.redhat.local:8786
CONNECTED(00000003)
depth=1 O = REDHAT.LOCAL, CN = Certificate Authority
verify return:1
depth=0 O = REDHAT.LOCAL, CN = controller-0.internalapi.redhat.local
verify return:1
---
Certificate chain
 0 s:/O=REDHAT.LOCAL/CN=controller-0.internalapi.redhat.local
   i:/O=REDHAT.LOCAL/CN=Certificate Authority
 1 s:/O=REDHAT.LOCAL/CN=Certificate Authority
   i:/O=REDHAT.LOCAL/CN=Certificate Authority
---
Server certificate
subject=/O=REDHAT.LOCAL/CN=controller-0.internalapi.redhat.local
issuer=/O=REDHAT.LOCAL/CN=Certificate Authority
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2899 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 396F15433184204D00B768C449CE239EEFDDE16121F140764A57FB976649F876
    Session-ID-ctx:
    Master-Key: 5816324960631581F109CEF8905E8676A3B150E7D3E3823B28D4977D540DCC644E1C43F73291C732987FC2D696C11F63
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    Start Time: 1563545415
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
---
HTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>
closed
```

from controller-1

```
[heat-admin@controller-1 ~]$ openssl s_client -crlf -connect overcloud.internalapi.redhat.local:8786
CONNECTED(00000003)
depth=1 O = REDHAT.LOCAL, CN = Certificate Authority
verify return:1
depth=0 O = REDHAT.LOCAL, CN = controller-0.internalapi.redhat.local
verify return:1
---
Certificate chain
 0 s:/O=REDHAT.LOCAL/CN=controller-0.internalapi.redhat.local
   i:/O=REDHAT.LOCAL/CN=Certificate Authority
 1 s:/O=REDHAT.LOCAL/CN=Certificate Authority
   i:/O=REDHAT.LOCAL/CN=Certificate Authority
---
Server certificate
subject=/O=REDHAT.LOCAL/CN=controller-0.internalapi.redhat.local
issuer=/O=REDHAT.LOCAL/CN=Certificate Authority
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2899 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: C7796F1FB5E12714A712BDFC42B7239323D974A1147A0B03667FA49C1FA84486
    Session-ID-ctx:
    Master-Key: E753D7C2C099216BD0ECAFF4519F998DC83456B58056E7400F467E637F5102237B6E406210ABED4C2375D4B19240B773
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    Start Time: 1563545709
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
---
HTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>
closed
```

from controller-2

```
[heat-admin@controller-2 ~]$ openssl s_client -crlf -connect overcloud.internalapi.redhat.local:8786
CONNECTED(00000003)
depth=1 O = REDHAT.LOCAL, CN = Certificate Authority
verify return:1
depth=0 O = REDHAT.LOCAL, CN = controller-0.internalapi.redhat.local
verify return:1
---
Certificate chain
 0 s:/O=REDHAT.LOCAL/CN=controller-0.internalapi.redhat.local
   i:/O=REDHAT.LOCAL/CN=Certificate Authority
 1 s:/O=REDHAT.LOCAL/CN=Certificate Authority
   i:/O=REDHAT.LOCAL/CN=Certificate Authority
---
Server certificate
subject=/O=REDHAT.LOCAL/CN=controller-0.internalapi.redhat.local
issuer=/O=REDHAT.LOCAL/CN=Certificate Authority
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2899 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 4E21E08DACE163B42C79078FFBB2440D1AA35F4A8D4AE9A083DAD8376D9A0302
    Session-ID-ctx:
    Master-Key: 4490ADF75469FBA6921B8E73586751C5A8BE879CBEE0CDCCC44D1420519AD29D1D5F30EE1FDC3585BDA81BD334295C71
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    Start Time: 1563545787
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
---
HTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>
closed
```

```
[heat-admin@controller-0 ~]$ sudo podman ps | grep tls
sudo: podman: command not found
[heat-admin@controller-0 ~]$ sudo docker ps | grep tls
d266c77cab6e 192.168.24.1:8787/rhosp14/openstack-glance-api:2019-06-24.2 "kolla_start" 18 hours ago Up 18 hours glance_api_tls_proxy
e936ce4f5eef 192.168.24.1:8787/rhosp14/openstack-neutron-server:2019-06-24.2 "kolla_start" 18 hours ago Up 18 hours neutron_server_tls_proxy
81361a59b385 192.168.24.1:8787/rhosp14/openstack-swift-proxy-server:2019-06-24.2 "kolla_start" 18 hours ago Up 18 hours swift_proxy_tls_proxy
75a25b1bf8ba 192.168.24.1:8787/rhosp14/openstack-redis:pcmklatest "kolla_start" 18 hours ago Up 18 hours redis_tls_proxy
[heat-admin@controller-0 ~]$ exit
logout
Connection to 192.168.24.12 closed.
(overcloud) [stack@undercloud-0 ~]$ ssh heat-admin.24.20
Warning: Permanently added '192.168.24.20' (ECDSA) to the list of known hosts.
Last login: Fri Jul 19 14:13:39 2019 from 192.168.24.1
[heat-admin@controller-1 ~]$ sudo docker ps | grep tls
5d38fb1e9fcc 192.168.24.1:8787/rhosp14/openstack-glance-api:2019-06-24.2 "kolla_start" 18 hours ago Up 18 hours glance_api_tls_proxy
455dfc90cceb 192.168.24.1:8787/rhosp14/openstack-neutron-server:2019-06-24.2 "kolla_start" 18 hours ago Up 18 hours neutron_server_tls_proxy
4c3de1974885 192.168.24.1:8787/rhosp14/openstack-swift-proxy-server:2019-06-24.2 "kolla_start" 18 hours ago Up 18 hours swift_proxy_tls_proxy
1b15648f4a06 192.168.24.1:8787/rhosp14/openstack-redis:pcmklatest "kolla_start" 18 hours ago Up 18 hours redis_tls_proxy
[heat-admin@controller-1 ~]$ exit
logout
Connection to 192.168.24.20 closed.
(overcloud) [stack@undercloud-0 ~]$ ssh heat-admin.24.7
Warning: Permanently added '192.168.24.7' (ECDSA) to the list of known hosts.
Last login: Fri Jul 19 14:16:02 2019 from 192.168.24.1
[heat-admin@controller-2 ~]$ sudo docker ps | grep tls
6824d2eba02c 192.168.24.1:8787/rhosp14/openstack-glance-api:2019-06-24.2 "kolla_start" 18 hours ago Up 18 hours glance_api_tls_proxy
292c0ad500fd 192.168.24.1:8787/rhosp14/openstack-neutron-server:2019-06-24.2 "kolla_start" 18 hours ago Up 18 hours neutron_server_tls_proxy
5908a464c1a4 192.168.24.1:8787/rhosp14/openstack-swift-proxy-server:2019-06-24.2 "kolla_start" 18 hours ago Up 18 hours swift_proxy_tls_proxy
7c69d2a05e53 192.168.24.1:8787/rhosp14/openstack-redis:pcmklatest "kolla_start" 18 hours ago Up 18 hours redis_tls_proxy
```
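The catalog comparison done by eye in the verification above can be scripted. The following is an added example, not part of the bug report or of puppet-manila: it parses `openstack endpoint list` table output, reports enabled endpoints whose URL scheme is not TLS, and lists any interface of the Manila service types (`share`, `sharev2`) that is missing or plaintext. The sample table, its IDs, the `example.test` hostnames and all function names are constructed for illustration.

```python
"""Audit `openstack endpoint list` table output for endpoints not served over TLS."""
from urllib.parse import urlsplit

TLS_SCHEMES = {"https", "wss"}  # URL schemes that imply a TLS listener
ALL_INTERFACES = ("public", "internal", "admin")

# Constructed sample in the layout printed by `openstack endpoint list`.
# IDs and hostnames are placeholders, not values from a real deployment.
SAMPLE_TABLE = """\
(overcloud) [stack@undercloud-0 ~]$ openstack endpoint list
+------+-----------+--------------+--------------+---------+-----------+-----+
| ID   | Region    | Service Name | Service Type | Enabled | Interface | URL |
+------+-----------+--------------+--------------+---------+-----------+-----+
| id01 | regionOne | manila | share | True | public | https://overcloud.example.test:13786/v1/%(tenant_id)s |
| id02 | regionOne | manila | share | True | internal | https://overcloud.internalapi.example.test:8786/v1/%(tenant_id)s |
| id03 | regionOne | manila | share | True | admin | https://overcloud.internalapi.example.test:8786/v1/%(tenant_id)s |
| id04 | regionOne | manilav2 | sharev2 | True | public | https://overcloud.example.test:13786/v2/%(tenant_id)s |
| id05 | regionOne | manilav2 | sharev2 | True | internal | http://overcloud.internalapi.example.test:8786/v2/%(tenant_id)s |
| id06 | regionOne | keystone | identity | True | internal | http://192.0.2.3:5000 |
| id07 | regionOne | glance | image | False | internal | http://192.0.2.3:9292 |
+------+-----------+--------------+--------------+---------+-----------+-----+
"""


def parse_endpoint_table(text):
    """Turn the ASCII table into a list of dicts keyed by column header."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip +---+ borders, shell prompts and blank lines
        cells = [cell.strip() for cell in line.split("|")[1:-1]]
        if header is None:
            header = cells
            continue
        if len(cells) != len(header):
            raise ValueError(f"unexpected column count in row: {line!r}")
        rows.append(dict(zip(header, cells)))
    if header is None:
        raise ValueError("no endpoint table found in input")
    return rows


def uses_tls(url):
    """True when the advertised URL scheme is one of the TLS schemes."""
    return urlsplit(url).scheme.lower() in TLS_SCHEMES


def plaintext_endpoints(rows, interfaces=ALL_INTERFACES):
    """Enabled endpoints on the given interfaces that advertise a non-TLS URL."""
    findings = [
        (row["Service Name"], row["Interface"], row["URL"])
        for row in rows
        if row["Enabled"] == "True"
        and row["Interface"] in interfaces
        and not uses_tls(row["URL"])
    ]
    return sorted(findings)


def service_gaps(rows, service_types, interfaces=ALL_INTERFACES):
    """List each (service type, interface) pair that is missing or plaintext.

    A missing interface is reported too, so that an absent internal endpoint
    is not mistaken for a passing result.
    """
    seen = {}
    for row in rows:
        if row["Enabled"] == "True":
            seen[(row["Service Type"], row["Interface"])] = row["URL"]
    gaps = []
    for stype in sorted(service_types):
        for iface in interfaces:
            url = seen.get((stype, iface))
            if url is None:
                gaps.append(f"{stype}/{iface}: no enabled endpoint registered")
            elif not uses_tls(url):
                gaps.append(f"{stype}/{iface}: plaintext {url}")
    return gaps


if __name__ == "__main__":
    endpoints = parse_endpoint_table(SAMPLE_TABLE)
    for name, iface, url in plaintext_endpoints(endpoints, ("internal", "admin")):
        print(f"PLAINTEXT {name} {iface} {url}")
    for gap in service_gaps(endpoints, {"share", "sharev2"}):
        print(f"GAP {gap}")
```

The catalog only records the advertised URL, so a handshake test such as the `openssl s_client` runs above is still needed to confirm that the listener on port 8786 presents a certificate that verifies.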