Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1837256

Summary: [DOCS] openstack undercloud install don't update the Certificate
Product: Red Hat OpenStack Reporter: Luigi Tamagnone <ltamagno>
Component: documentationAssignee: Roger Heslop <rheslop>
Status: CLOSED CURRENTRELEASE QA Contact: RHOS Documentation Team <rhos-docs>
Severity: medium Docs Contact:
Priority: high    
Version: 13.0 (Queens)CC: amoralej, rheslop
Target Milestone: ---Keywords: Triaged, ZStream
Target Release: ---   
Hardware: x86_64   
OS: Linux   
URL: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html/director_installation_and_usage/appe-ssltls_certificate_configuration
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-08-03 12:40:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Luigi Tamagnone 2020-05-19 07:50:29 UTC 
Description of problem:
During undercloud restore openstack undercloud install failed with:

2019-10-22 06:33:28,166 INFO: Failed to discover available identity versions when contacting https://x.x.x
.x:13000/. Attempting to parse version from URL.
2019-10-22 06:33:28,166 INFO: Could not determine a suitable URL for the plugin
2019-10-22 06:33:28,218 INFO: [2019-10-22 06:33:28,217] (os-refresh-config) [ERROR] during post-configure pha
se. [Command '['dib-run-parts', '/usr/libexec/os-refresh-config/post-configure.d']' returned non-zero exit st
atus 1]
2019-10-22 06:33:28,218 INFO: 
2019-10-22 06:33:28,218 INFO: [2019-10-22 06:33:28,217] (os-refresh-config) [ERROR] Aborting...
2019-10-22 06:33:28,227 DEBUG: An exception occurred
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 2432, in install
    _run_orc(instack_env)
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 1610, in _run_orc
    _run_live_command(args, instack_env, 'os-refresh-config')
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 673, in _run_live_command
    raise RuntimeError('%s failed. See log for details.' % name)
RuntimeError: os-refresh-config failed. See log for details.
2019-10-22 06:33:28,228 ERROR: 
#############################################################################
Undercloud install failed.

------
This bug for OSP13 has been confirmed but does not warrant a code fix since a workaround is readily available and easily documentable.

The undercloud will reload the HAProxy configuration on the initial addition of undercloud_service_certificate to undercloud.conf but no code exists to determine if that certificate has been updated on subsequent runs of undercloud install so the HAProxy configuration is not reloaded.  The workaround to this is to simply reload haproxy prior to running the undercloud installation.  This should be done after the line "$ sudo restorecon -R /etc/pki/instack-certs" in Step A.7. of [1]. HAProxy can be reloaded by issuing either "systemctl reload haproxy.service" or "pkill -f -HUP haproxy-systemd-wrapper" depending on the underlying OS init system.  This will cause HAProxy to reload it's current configuration, this is generally a safe operation, however some connections may be dropped.


[1]: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html/director_installation_and_usage/appe-ssltls_certificate_configuration

Version-Release number of selected component (if applicable):
RHOSP13

How reproducible:

Steps to Reproduce:
1. On a pre-deployed env generate[1] a wrong certificate and run:
  openstack undercloud install
  the command fail with:
  Could not determine a suitable URL for the plugin
2. check the certificate with:
  openssl s_client -connect <IP>:13000
  the certificate has a wrong CN or AltName or something else
3. generate a new correct certificate and run:
  openstack undercloud install
  the command fails with:
  Could not determine a suitable URL for the plugin
4. check the certificate with:
  openssl s_client -connect <IP>:13000
  the certificate doesn't change

Actual results:
The certificate doesn't change for the same CA if you generate a new one

Expected results:
The certificate change if you generate a new one

Additional info:
This DOC BUG is bind with BUG 1765839
Comment 1 Roger Heslop 2020-08-03 12:40:15 UTC 
Closing as complete with the additional needed step added to documentation: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html/director_installation_and_usage/appe-ssltls_certificate_configuration