Bug 2193388 - client reports a 501 error from the horizon dashboard on a tls-everywhere deploy [NEEDINFO]
Summary: client reports a 501 error from the horizon dashboard on a tls-everywhere deploy
Keywords:
Status: ON_DEV
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-horizon
Version: 17.1 (Wallaby)
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: z1
: 17.1
Assignee: Radomir Dopieralski
QA Contact: Ashish Gupta
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-05-05 13:31 UTC by Jeremy Agee
Modified: 2023-08-17 09:51 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
The Dashboard service (horizon) is currently configured to validate client TLS certificates by default, which breaks the Dashboard service on all TLS everywhere (TLS-e) deployments.
+
Workaround:

. Add the following configuration to an environment file:
+
----
parameter_defaults:
  ControllerExtraConfig:
    horizon::ssl_verify_client: none
----

. Add the environment file to the stack with your other environment files and deploy the overcloud:
+
----
(undercloud)$ openstack overcloud deploy --templates \
  -e [your environment files] \
  -e /home/stack/templates/<environment_file>.yaml
----
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:
rdopiera: needinfo? (jagee)
mciecier: needinfo? (dciabrin)


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 883129 0 None NEW Don't require client cert in horizon 2023-08-10 16:14:17 UTC
OpenStack gerrit 886290 0 None NEW haproxy: pass client cert during TLS healthcheck 2023-06-16 18:36:54 UTC
Red Hat Issue Tracker OSP-24809 0 None None None 2023-05-05 13:34:49 UTC

Description Jeremy Agee 2023-05-05 13:31:52 UTC
Description of problem:
The client web browser reports a 501 http error when connecting to the public endpoint of horizon at https://overcloud./dashboard.

How reproducible:
every time

Steps to Reproduce:
1. deploy the overcloud with tls everywhere

Actual results:
client browser reports a 501 http error

Expected results:
client browser can connect to the dashboard


Additional info:
The controllers have client verification required with the line:
SSLVerifyClient         require

in the horizon pod config. 
/var/lib/config-data/horizon/etc/httpd/conf.d/15-horizon_ssl_vhost.conf
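
A check for the condition described in this report, as an added example that is not part of the original bug or of puppet-horizon: it lists the active `SSLVerifyClient` directives in an Apache vhost file and fails when any of them is `require`. The function names and the sample vhost contents are constructed for illustration; on a controller, the file to pass is the `15-horizon_ssl_vhost.conf` path quoted above.

```shell
#!/bin/sh
# Added example (not from the bug report or puppet-horizon).

# Print "LINE:VALUE" for each active SSLVerifyClient directive in file $1.
list_verify_client() {
    awk '
        /^[ \t]*#/ { next }                  # commented-out directives do not count
        tolower($1) == "sslverifyclient" {   # Apache directive names are case-insensitive
            print NR ":" tolower($2)
        }
    ' "$1"
}

# Return 0 when file $1 never demands a client certificate, 1 otherwise.
check_vhost() {
    found=$(list_verify_client "$1")
    if [ -z "$found" ]; then
        # Without the directive Apache uses its default, "none".
        echo "$1: SSLVerifyClient not set (Apache default: none)"
        return 0
    fi
    rc=0
    for entry in $found; do
        echo "$1: line ${entry%%:*}: SSLVerifyClient ${entry#*:}"
        if [ "${entry#*:}" = "require" ]; then rc=1; fi
    done
    return $rc
}

# Constructed sample vhost files: one as described in the report, one after the workaround.
write_samples() {
    printf '%s\n' '<VirtualHost *:443>' '  SSLEngine on' \
        '  # SSLVerifyClient none' '  SSLVerifyClient         require' \
        '</VirtualHost>' > "$1/before.conf"
    printf '%s\n' '<VirtualHost *:443>' '  SSLEngine on' \
        '  SSLVerifyClient none' '</VirtualHost>' > "$1/after.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_vhost "$tmp/before.conf" || echo "=> client certificate required"
check_vhost "$tmp/after.conf" && echo "=> no client certificate required"
rm -rf "$tmp"
```

The non-zero exit status on `require` makes `check_vhost` usable as a post-deploy gate on each controller.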

Comment 1 Radomir Dopieralski 2023-05-09 11:06:37 UTC
In puppet-horizon, ssl_verify_client defaults to undef, see https://github.com/openstack/puppet-horizon/blob/master/manifests/init.pp#L618

So you must be setting it to "require" when calling puppet-horizon somewhere. How are you calling it? That's where the problem will be.

