Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2193388

Summary: client reports a 501 error from the horizon dashboard on a tls-everywhere deploy
Product: Red Hat OpenStack Reporter: Jeremy Agee <jagee>
Component: openstack-tripleo-heat-templatesAssignee: Radomir Dopieralski <rdopiera>
Status: CLOSED ERRATA QA Contact: Ashish Gupta <ashigupt>
Severity: high Docs Contact:
Priority: high    
Version: 17.1 (Wallaby)CC: ashigupt, chjones, dciabrin, dsedgmen, dwilde, gbrinn, gregraka, jamsmith, jjoyce, joflynn, jschluet, mariel, mburns, mciecier, millevy, pgrist, rdopiera, slinaber, sukar, tvignaud, xili
Target Milestone: z2Keywords: Triaged
Target Release: 17.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-tripleo-heat-templates-14.3.1-17.1.20231103010821.e7c7ce3.el9ost Doc Type: Bug Fix
Doc Text:
Before this update, the Dashboard service (horizon) was configured to validate client TLS certificates by default, which broke the Dashboard service on all TLS everywhere (TLS-e) deployments. With this update, the Dashboard service no longer validates client TLS certificates by default, and the Dashboard service functions as expected.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2024-01-16 14:32:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jeremy Agee 2023-05-05 13:31:52 UTC 
Description of problem:
The client web browser reports a 501 http error when connnecting to the public endpoint of horizon at https://overcloud./dashboard.

How reproducible:
every time

Steps to Reproduce:
1. deploy the overcloud with tls everywhere

Actual results:
client browser reports a 501 http error

Expected results:
client browser can connect to the dashboard


Additional info:
The controllers have client verification required with the line:
SSLVerifyClient         require

in the horizon pod config. 
/var/lib/config-data/horizon/etc/httpd/conf.d/15-horizon_ssl_vhost.conf
Comment 1 Radomir Dopieralski 2023-05-09 11:06:37 UTC 
puppet-horizon has the ssl_verify_client defaults to undef, see https://github.com/openstack/puppet-horizon/blob/master/manifests/init.pp#L618

So you must be setting it to "require" when calling puppet-horizon somewhere. How are you calling it? That's where the problem will be.
Comment 27 Radomir Dopieralski 2023-11-14 15:32:52 UTC 
*** Bug 2249470 has been marked as a duplicate of this bug. ***
Comment 46 errata-xmlrpc 2024-01-16 14:32:13 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 17.1.2 bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2024:0209
Comment 47 Dave Wilde 2024-11-18 14:42:21 UTC 
*** Bug 2226734 has been marked as a duplicate of this bug. ***