Bug 1901621 - Deployment of DistributedComputeScaleOut role with TLS-E fails on failed haproxy-storage_mgmt-cert certificate request
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-tripleo
Version: 16.1 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: z4
Target Release: 16.1 (Train on RHEL 8.2)
Assignee: Ollie Walsh
QA Contact: Marian Krcmarik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-11-25 16:33 UTC by Marian Krcmarik
Modified: 2021-03-17 15:36 UTC

Fixed In Version: puppet-tripleo-11.5.0-1.20201114030108.el8ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-03-17 15:36:09 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Launchpad 1905604 0 None None None 2020-11-25 18:02:33 UTC
OpenStack gerrit 764225 0 None MERGED Filter haproxy_certificate_specs if hostname is empty 2021-01-23 16:06:39 UTC
OpenStack gerrit 764605 0 None MERGED Filter haproxy_certificate_specs if hostname is empty 2021-01-23 16:06:39 UTC
Red Hat Product Errata RHBA-2021:0817 0 None None None 2021-03-17 15:36:38 UTC

Description Marian Krcmarik 2020-11-25 16:33:40 UTC
Description of problem:
DCN deployment with TLS-E and nodes of DistributedComputeScaleOut role fails on:
  message: 'Could not evaluate: Could not get certificate: Server at https://site-freeipa-0.redhat.local/ipa/xml
    denied our request, giving up: 3007 (RPC failed at server.  ''fqdn'' is required).'
  source: "/Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Haproxy[haproxy-storage_mgmt]/Certmonger_certificate[haproxy-storage_mgmt-cert]"

The role does not include the storage mgmt network in its role definition, and thus such a certificate should not be requested from the IPA server.

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Deploy OpenStack with TLS-E and with nodes of DistributedComputeScaleOut role

Additional info:
    - level: warning
      message: 'Could not get certificate: Execution of ''/usr/bin/getcert request -I
        haproxy-storage_mgmt-cert -f /etc/pki/tls/certs/haproxy/overcloud-haproxy-storage_mgmt.crt
        -c IPA -N CN= -K haproxy/ -D overcloud.storagemgmt.redhat.local -D  -U id-kp-clientAuth
        -U id-kp-serverAuth -C /usr/bin/certmonger-haproxy-refresh.sh reload storage_mgmt
        -w -k /etc/pki/tls/private/haproxy/overcloud-haproxy-storage_mgmt.key'' returned
        2: New signing request "haproxy-storage_mgmt-cert" added.'
      source: Puppet
      tags:
      - warning
      time: '2020-11-24T16:05:43.460165237+00:00'
      file:
      line:
    - level: debug
      message: 'Executing: ''/usr/bin/getcert list -i haproxy-storage_mgmt-cert'''
      source: Puppet
      tags:
      - debug
      time: '2020-11-24T16:05:43.460520119+00:00'
      file:
      line:
    - level: err
      message: 'Could not evaluate: Could not get certificate: Server at https://site-freeipa-0.redhat.local/ipa/xml
        denied our request, giving up: 3007 (RPC failed at server.  ''fqdn'' is required).'
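
Added example (not part of the bug report and not puppet-tripleo code): a Ruby illustration of the guard named in the linked gerrit change title, dropping certificate specs whose hostname is empty, together with a check that flags the empty CN, host-less principal and empty dNSName visible in the logged getcert command. The spec key names and the node-0 hostname are assumptions constructed for this example.

```ruby
# Added example, not puppet-tripleo code. Key names in SPECS are assumptions.

# Constructed sample: specs as resolved on a role that lacks storage_mgmt.
SPECS = {
  'haproxy-internal_api' => { 'hostname' => 'node-0.internalapi.redhat.local' },
  'haproxy-storage_mgmt' => { 'hostname' => '' },
  'haproxy-storage'      => { 'hostname' => nil }
}.freeze

# getcert invocation taken from the Puppet log in this report (lines joined).
LOGGED_CMD = '/usr/bin/getcert request -I haproxy-storage_mgmt-cert ' \
  '-f /etc/pki/tls/certs/haproxy/overcloud-haproxy-storage_mgmt.crt ' \
  '-c IPA -N CN= -K haproxy/ -D overcloud.storagemgmt.redhat.local -D  ' \
  '-U id-kp-clientAuth -U id-kp-serverAuth ' \
  '-C /usr/bin/certmonger-haproxy-refresh.sh reload storage_mgmt ' \
  '-w -k /etc/pki/tls/private/haproxy/overcloud-haproxy-storage_mgmt.key'

# Keep only specs whose hostname is a non-blank string, so no request is
# built for a network the role is not attached to.
def requestable_specs(specs)
  specs.reject { |_name, spec| spec['hostname'].to_s.strip.empty? }
end

# Report identity fields that this getcert command would send empty to the CA.
def audit_getcert(cmdline)
  tokens = cmdline.split
  findings = []
  tokens.each_with_index do |tok, i|
    val = tokens[i + 1]
    # A value is missing when the option is last or followed by another option.
    missing = val.nil? || val.start_with?('-')
    case tok
    when '-N' then findings << 'empty subject CN' if missing || val == 'CN='
    when '-K' then findings << 'principal without host' if missing || val.end_with?('/')
    when '-D' then findings << 'empty dNSName' if missing
    end
  end
  findings
end

puts requestable_specs(SPECS).keys.inspect
puts audit_getcert(LOGGED_CMD).inspect
```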

Comment 12 errata-xmlrpc 2021-03-17 15:36:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.1.4 director bug fix advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0817

