Bug 2274355 - OpenStack commands to undercloud fail after CA certificate renewed
Summary: OpenStack commands to undercloud fail after CA certificate renewed
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 17.1 (Wallaby)
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: high
Target Milestone: z4
Target Release: 17.1
Assignee: Ade Lee
QA Contact: Jeremy Agee
Reported: 2024-04-10 14:30 UTC by tkuroda
Modified: 2024-11-21 09:30 UTC

Fixed In Version: openstack-tripleo-heat-templates-14.3.1-17.1.20240919130751.e7c7ce3.el9ost
Last Closed: 2024-11-21 09:30:03 UTC


Links
System                              ID               Last Updated
Red Hat Issue Tracker               OSP-31865        2024-04-10 14:33:13 UTC
Red Hat Issue Tracker               OSP-31939        2024-06-26 14:17:32 UTC
Red Hat Issue Tracker               OSP-32923        2024-10-08 16:25:45 UTC
Red Hat Knowledge Base (Solution)   7064179          2024-08-13 07:58:54 UTC
Red Hat Product Errata              RHSA-2024:9978   2024-11-21 09:30:06 UTC

Description tkuroda 2024-04-10 14:30:54 UTC
Description of problem:
OpenStack commands to undercloud fail after CA certificate renewed

Version-Release number of selected component (if applicable):
RHOSP 17.1

How reproducible:
Always

Steps to Reproduce:
1. Turn the clock ahead by more than 1 year so that certmonger renews CA certificate and server certificate.

[root@undercloud ~]# systemctl stop chronyd
[root@undercloud ~]# date -s "05/30 13:00 2025"
Fri May 30 13:00:00 JST 2025
[root@undercloud ~]# getcert list 
Number of certificates and requests being tracked: 1.
Request ID '20240228041555':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/haproxy-external-cert.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/haproxy-external-cert.crt'
	CA: local
	issuer: CN=01c6e59b-c6d74ee1-b8ac3ed9-719fcc29,CN=Local Signing Authority
	subject: CN=192.168.24.2
	issued: 2025-05-30 13:00:13 JST
	expires: 2026-05-30 13:00:13 JST
	dns: 192.168.24.2
	principal name: haproxy/192.168.24.2@UNDERCLOUD
	key usage: digitalSignature,keyEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: /etc/certmonger/post-scripts/haproxy-external-cert-6dc0da8.sh
	track: yes
	auto-renew: yes
[root@undercloud ~]# exit
logout
[stack@undercloud ~]$ 
 
2. OpenStack commands to undercloud fail with an SSL verification error

[stack@undercloud ~]$ source stackrc
(undercloud) [stack@undercloud ~]$ openstack endpoint list 
Failed to discover available identity versions when contacting https://192.168.24.2:13000. Attempting to parse version from URL.
Could not find versioned identity endpoints when attempting to authenticate. Please check that your auth_url is correct. SSL exception connecting to https://192.168.24.2:13000: HTTPSConnectionPool(host='192.168.24.2', port=13000): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))

3. /etc/pki/ca-trust/source/anchors/cm-local-ca.pem file is not updated by /var/lib/certmonger/local/creds

 [root@undercloud ~]# diff <(openssl x509 -text -in /etc/pki/ca-trust/source/anchors/cm-local-ca.pem) <(openssl x509 -text -in /var/lib/certmonger/local/creds) -y
Certificate:							Certificate:
    Data:							    Data:
        Version: 3 (0x2)					        Version: 3 (0x2)
        Serial Number:						        Serial Number:
            01:c6:e5:9b:c6:d7:4e:e1:b8:ac:3e:d9:71:9f:cc:29   |	            01:c6:e5:9b:c6:d7:4e:e1:b8:ac:3e:d9:71:9f:cc:2b
        Signature Algorithm: sha256WithRSAEncryption		        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Local Signing Authority, CN = 01c6e59b-c	        Issuer: CN = Local Signing Authority, CN = 01c6e59b-c
        Validity						        Validity
            Not Before: Feb 28 04:15:50 2024 GMT	      |	            Not Before: May 30 04:00:13 2025 GMT
            Not After : Feb 28 04:15:50 2025 GMT	      |	            Not After : May 30 04:00:13 2026 GMT
        Subject: CN = Local Signing Authority, CN = 01c6e59b-	        Subject: CN = Local Signing Authority, CN = 01c6e59b-
        Subject Public Key Info:				        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption			            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)				                Public-Key: (2048 bit)
                Modulus:					                Modulus:
                    00:eb:bc:bb:dc:61:28:9c:38:b0:e6:80:d1:d4 |	                    00:cd:0b:40:ca:90:f6:da:14:50:a7:b4:a8:cd
                    27:b9:db:41:c3:4f:b7:45:bd:28:19:dd:aa:ae |	                    89:71:2c:18:a8:42:cf:98:30:63:39:bc:19:2e
                    fa:5f:13:6b:a5:13:05:00:1c:d9:7d:5c:af:02 |	                    36:ff:fe:d1:33:7a:62:f2:12:d3:f5:70:4b:c4


Actual results:
OpenStack commands fail

Expected results:
OpenStack commands should succeed.


Additional info:

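One way to detect the condition shown in step 3 before clients start failing: compare the CA certificate certmonger currently holds against the copy in the system trust anchor. This is an added example, not code from the report, from certmonger or from tripleo-heat-templates; the default paths are the two files named above, the `check_files` wrapper and `_pem` helper are mine, and the sample PEM blocks are constructed placeholders, not real certificates.

```python
"""Added check: does the system CA anchor still match certmonger's local CA?

certmonger's renewed CA lives in /var/lib/certmonger/local/creds (next to a
private key block); the trust anchor copy may still be the old certificate.
"""
import base64
import hashlib
import re

_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_fingerprints(pem_text: str) -> set:
    """SHA-256 hex fingerprints of every CERTIFICATE block; key blocks are skipped."""
    fps = set()
    for body in _CERT_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def anchor_is_current(ca_source_pem: str, anchor_pem: str) -> bool:
    """True when every certificate in the CA source is already in the anchor file."""
    current = cert_fingerprints(ca_source_pem)
    return bool(current) and current <= cert_fingerprints(anchor_pem)


def check_files(ca_source="/var/lib/certmonger/local/creds",
                anchor="/etc/pki/ca-trust/source/anchors/cm-local-ca.pem") -> bool:
    """Run the check against the on-disk files named in the bug report."""
    with open(ca_source) as src, open(anchor) as anc:
        return anchor_is_current(src.read(), anc.read())


def _pem(label: str, payload: bytes) -> str:
    """Wrap an arbitrary payload in PEM armour (constructed sample data, not a real cert)."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed samples: placeholder payloads standing in for the old (..29) and renewed (..2b) CA.
SAMPLE_CREDS_RENEWED = _pem("PRIVATE KEY", b"placeholder key") + _pem("CERTIFICATE", b"CA ..2b")
SAMPLE_ANCHOR_STALE = _pem("CERTIFICATE", b"CA ..29")
SAMPLE_ANCHOR_FRESH = SAMPLE_ANCHOR_STALE + _pem("CERTIFICATE", b"CA ..2b")

if __name__ == "__main__":
    import sys
    ok = check_files()
    print("anchor matches current local CA" if ok else "STALE anchor: refresh cm-local-ca.pem, run update-ca-trust")
    sys.exit(0 if ok else 1)
```

Run as root on the undercloud; a non-zero exit means the anchor lacks the renewed CA and clients will fail exactly as in step 2 until the anchor is refreshed and update-ca-trust is run.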
Comment 24 errata-xmlrpc 2024-11-21 09:30:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: RHOSP 17.1.4 (openstack-tripleo-heat-templates) security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2024:9978
