2193388 – client reports a 501 error from the horizon dashboard on a tls-everywhere deploy

Bug 2193388 - client reports a 501 error from the horizon dashboard on a tls-everywhere deploy [NEEDINFO]

Summary: client reports a 501 error from the horizon dashboard on a tls-everywhere deploy

Keywords:
Status:	ON_DEV
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	puppet-horizon
Sub Component:
Version:	17.1 (Wallaby)
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	medium
Target Milestone:	z1
Target Release:	17.1
Assignee:	Radomir Dopieralski
QA Contact:	Ashish Gupta
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-05-05 13:31 UTC by Jeremy Agee
Modified:	2023-08-17 09:51 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Doc Type:	Known Issue
Doc Text:	The Dashboard service (horizon) is currently configured to validate client TLS certificates by default, which breaks the Dashboard service on all TLS everywhere (TLS-e) deployments. + Workaround: . Add the following configuration to an environment file: + ---- parameter_defaults: ControllerExtraConfig: horizon::ssl_verify_client: none ---- . Add the environment file to the stack with your other environment files and deploy the overcloud: + ---- (undercloud)$ openstack overcloud deploy --templates \ -e [your environment files] \ -e /home/stack/templates/<environment_file>.yaml ----
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:
Flags:	rdopiera: needinfo? (jagee) mciecier: needinfo? (dciabrin)

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
OpenStack gerrit	883129	None	NEW	Don't require client cert in horizon	2023-08-10 16:14:17 UTC
OpenStack gerrit	886290	None	NEW	haproxy: pass client cert during TLS healthcheck	2023-06-16 18:36:54 UTC
Red Hat Issue Tracker	OSP-24809	None	None	None	2023-05-05 13:34:49 UTC

Description Jeremy Agee 2023-05-05 13:31:52 UTC

Description of problem:
The client web browser reports a 501 http error when connnecting to the public endpoint of horizon at https://overcloud./dashboard.

How reproducible:
every time

Steps to Reproduce:
1. deploy the overcloud with tls everywhere

Actual results:
client browser reports a 501 http error

Expected results:
client browser can connect to the dashboard


Additional info:
The controllers have client verification required with the line:
SSLVerifyClient         require

in the horizon pod config. 
/var/lib/config-data/horizon/etc/httpd/conf.d/15-horizon_ssl_vhost.conf

Comment 1 Radomir Dopieralski 2023-05-09 11:06:37 UTC

puppet-horizon has the ssl_verify_client defaults to undef, see https://github.com/openstack/puppet-horizon/blob/master/manifests/init.pp#L618

So you must be setting it to "require" when calling puppet-horizon somewhere. How are you calling it? That's where the problem will be.

Note You need to log in before you can comment on or make changes to this bug.