Description of problem: The HAProxy tenant flow logs are showing "[ssl_c_s_dn]" instead of the client certificate DN string OSP. Version-Release number of selected component (if applicable): 16.1.6 How reproducible: Always Steps to Reproduce: 1. Create an Octavia amphora load balancer. 2. Create a TLS terminated listener with client authentication enabled. 3. Connect to the load balancer listener with a client authentication certificate. 4. Note that the log entry for the connection shows "[ssl_c_s_dn]" instead of the expect client certificate DN. Actual results: Apr 8 13:19:32 amphora-157dcaeb-128b-40f1-9a76-cd76a4b7ec2a haproxy[18066]: 9d53b4ef01874ac9b6f09fee91146b84 3218bf8c-e02f-4f80-af4c-9a28db495d4b cc2be110-8c99-41da-83bd-e3b0ce394129 10.5.26.80 53848 08/Apr/2022:13:19:30.760 r 200 300121 680 0 [ssl_c_s_dn] 78206dd1-c9af-44b3-a92f-5cd1aba53a3e:cc2be110-8c99-41da-83bd-e3b0ce394129 f70a857b-2348-40f3-b4b6-1625eed0efdb 1329 ---- Expected results: Apr 8 16:26:57 amphora-d5c2b324-12be-4eee-a7b8-7ace88cc55d6 haproxy[3011]: ce3e7b2eeb494c49a7ecfb5af17d1ec8 6cc6421d-bd1d-4478-9f65-03b94dc1ebae 082218d8-aca4-4777-8866-2e5c96999b24 172.24.5.1 57742 08/Apr/2022:16:26:57.544 "GET / HTTP/1.1" 200 147 122 0 "/C=US/ST=Denial/L=Corvallis/O=OpenStack/OU=Octavia/CN=c7fe9b78-c6ae-4af7-a097-c35c20480745" 63f66456-c40e-41a3-9d9c-0e32f59c5357:082218d8-aca4-4777-8866-2e5c96999b24 8d721d43-acfd-496a-88b9-30fc6edbc641 10 ---- Additional info: This appears to be a downstream only (tripleo?) issue as the upstream barbican gate jobs show the correct output (captured below as the expected result).
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Red Hat OpenStack 16.1.9 (openstack-tripleo-heat-templates) security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:8796