Bug 2138997 - Default install of undercloud certificate trusts breaks after 1 year [NEEDINFO]
Summary: Default install of undercloud certificate trusts breaks after 1 year
Keywords:
Status: NEW
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 17.0 (Wallaby)
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: zstream
Target Release: ---
Assignee: David Sedgmen
QA Contact: Joe H. Rahme
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-10-31 23:17 UTC by David Sedgmen
Modified: 2023-08-03 15:46 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:
ifrangs: needinfo? (dsedgmen)


Links
System ID Private Priority Status Summary Last Updated
Launchpad.net 1988244 0 None None None 2022-11-01 00:39:28 UTC
OpenStack gerrit 872836 0 None NEW Update local ca trust when undercloud cert is renewed 2023-02-07 04:16:12 UTC
Red Hat Issue Tracker OSP-19838 0 None None None 2022-10-31 23:23:08 UTC

Description David Sedgmen 2022-10-31 23:17:12 UTC
Description of problem:

A default install of the undercloud will break after 1 year, because of how local certificate generation is handled.


How reproducible:
Will happen if an undercloud install is not run for about a year.


Actual results:

The undercloud CLI command will throw a certificate trust error after a year.


Expected results:

The undercloud server certificate to be trusted by the director.


Additional info:

There is a fix upstream for Train for this issue in puppet-tripleo:
https://review.opendev.org/c/openstack/puppet-tripleo/+/855310

And a downstream bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2104546

But this fix would need to be refactored for any release from Wallaby onwards, as the certmonger post-save renewal script was moved from puppet-tripleo to tripleo-ansible in Wallaby.

