Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1902101

Summary: [FFU OSP13 to 16.1] TLS upgrade of compute fails
Product: Red Hat OpenStack Reporter: camorris@redhat.co <camorris>
Component: python-novajoinAssignee: Ade Lee <alee>
Status: CLOSED DUPLICATE QA Contact: Jeremy Agee <jagee>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 13.0 (Queens)CC: michele, rcritten
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-27 07:52:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description camorris@redhat.co 2020-11-26 22:47:22 UTC 
Description of problem:
Running openstack overcloud upgrade run -y --stack overcloud --limit compute-0-ffu.    

Version-Release number of selected component (if applicable):
OSP13
rhel-8.2+ osp16.1

How reproducible:
Everytime

Steps to Reproduce:
1. openstack overcloud upgrade run -y --stack overcloud --limit compute-0-ffu

Actual results:
The command fails

Expected results:
The command succeeds.

Additional info:
Nov 17 08:37:57 compute-0-ffu certmonger[38078]: Certificate in file "/etc/pki/libvirt-vnc/server-cert.pem" issued by CA and saved.
Nov 17 08:37:57 compute-0-ffu puppet-user[37753]: Notice: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Qemu[qemu-nbd-client-cert]/Certmonger_certificate[qemu-nbd-client-cert]/ensure: created
Nov 17 08:37:57 compute-0-ffu ansible-async_wrapper.py[37731]: 37732 still running (3590)
Nov 17 08:37:58 compute-0-ffu certmonger[2544]: Submitting request to "https://freeipa.nodel8.local/ipa/xml".
Nov 17 08:37:59 compute-0-ffu certmonger[2544]: Fault 2100: (RPC failed at server.  Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=qemu/compute-0-ffu.internalapi.nodel8.local,cn=services,cn=accounts,dc=nodel8,dc=local'.).
Nov 17 08:37:59 compute-0-ffu certmonger[2544]: 2020-11-17 08:37:59 [2544] Server at https://freeipa.nodel8.local/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=qemu/compute-0-ffu.internalapi.nodel8.local,cn=services,cn=accounts,dc=nodel8,dc=local'.).
Nov 17 08:37:59 compute-0-ffu certmonger[38098]: Request for certificate to be stored in file "/etc/pki/libvirt-nbd/client-cert.pem" rejected by CA.
Nov 17 08:37:59 compute-0-ffu puppet-user[37753]: Warning: Could not get certificate: Execution of '/usr/bin/getcert request -I qemu-nbd-client-cert -f /etc/pki/libvirt-nbd/client-cert.pem -c IPA -N CN=compute-0-ffu.internalapi.nodel8.local -K qemu/compute-0-ffu.internalapi.nodel8.local -D compute-0-ffu.internalapi.nodel8.local -w -k /etc/pki/libvirt-nbd/client-key.pem -F /etc/pki/CA/certs/qemu.pem' returned 2: New signing request "qemu-nbd-client-cert" added.
Nov 17 08:37:59 compute-0-ffu kernel: IPv4: martian source 10.204.221.142 from 10.204.221.131, on dev eno2
Nov 17 08:37:59 compute-0-ffu kernel: ll header: 00000000: ff ff ff ff ff ff 0c c4 7a 32 09 f8 08 06        ........z2....
Nov 17 08:37:59 compute-0-ffu puppet-user[37753]: Error: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Qemu[qemu-nbd-client-cert]/Certmonger_certificate[qemu-nbd-client-cert]: Could not evaluate: Could not get certificate: Server at https://freeipa.nodel8.local/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=qemu/compute-0-ffu.internalapi.nodel8.local,cn=services,cn=accounts,dc=nodel8,dc=local'.).
Nov 17 08:37:59 compute-0-ffu puppet-user[37753]: Notice: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Qemu[qemu-nbd-client-cert]/File[/etc/pki/libvirt-nbd/client-cert.pem]: Dependency Certmonger_certificate[qemu-nbd-client-cert] has failures: true
Nov 17 08:37:59 compute-0-ffu puppet-user[37753]: Warning: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Qemu[qemu-nbd-client-cert]/File[/etc/pki/libvirt-nbd/client-cert.pem]: Skipping because of failed dependencies
Nov 17 08:37:59 compute-0-ffu puppet-user[37753]: Warning: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Qemu[qemu-nbd-client-cert]/File[/etc/pki/libvirt-nbd/client-key.pem]: Skipping because of failed dependencies
Nov 17 08:37:59 compute-0-ffu puppet-user[37753]: Notice: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Qemu[qemu-server-cert]/Certmonger_certificate[qemu-server-cert]/ensure: created
Comment 2 Michele Baldessari 2020-11-27 07:52:10 UTC 

*** This bug has been marked as a duplicate of bug 1901157 ***