[magnum] podman fedora-coreos authorization failed: SSL exception connecting on keystone

Ionut Biru ionut at fleio.com
Wed Jan 22 15:05:36 UTC 2020


Hi,

I found the difference between the two.
On fedora-coreos, inside the heat container that is run by
podman, REQUESTS_CA_BUNDLE has the value
/etc/pki/ca-trust/source/anchors/openstack-ca.pem, which is empty.
On fedora-atomic the var has the value /etc/pki/tls/certs/ca-bundle.crt

On Wed, Jan 22, 2020 at 3:14 PM Ionut Biru <ionut at fleio.com> wrote:

> Hello,
>
> I've deployed the same kubernetes version on fedora-atomic but with
> use_podman=true and it worked flawlessly.
> Maybe it is an issue with fedora-coreos?
>
> On Wed, Jan 22, 2020 at 9:53 AM Ionut Biru <ionut at fleio.com> wrote:
>
>> Hello,
>>
>> I don't have cafile configured in keystone_authtoken and keystone_auth. I
>> did copy the letsencrypt cafile and configured it, but now magnum cannot
>> communicate with keystone even for something as simple as coe cluster list.
>>
>>  CRITICAL keystonemiddleware.auth_token [-] Unable to validate token:
>> Could not find versioned identity endpoints when attempting to
>> authenticate.
>>  (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines',
>> 'tls_process_server_certificate', 'certificate verify ies exceeded with
>> url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines',
>> 'tls_process_server_certificate', 'certificate verify failed')],)",),)
>>
>> On Wed, Jan 22, 2020 at 3:02 AM Feilong Wang <feilong at catalyst.net.nz>
>> wrote:
>>
>>> Hi Ionut,
>>>
>>> Would you mind sharing your magnum.conf? I think you may need the
>>> *cafile* config option for both *keystone_authtoken* and
>>> *keystone_auth.*
>>>
>>>
>>> On 22/01/20 11:01 AM, Ionut Biru wrote:
>>>
>>> Hello guys,
>>>
>>> I'm trying to deploy a kubernetes cluster using magnum 9.2
>>> with fedora-coreos-31.20200113.3.1-openstack.
>>>
>>> Master vm is deployed correctly but the cluster is never deployed since
>>> podman returns the following error:
>>>
>>>
>>> Jan 21 21:55:14 k8s-cluster002-mn5qgp6qlmw6-master-0 podman[2433]:
>>> Authorization failed: SSL exception connecting to
>>> https://api.mydomain.cloud:5000/v3/auth/tokens: HTTPSConnectionPool(host='api.mydomain.cloud',
>>> port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by
>>> SSLError(SSLError(185090184, u'[X509] no certificate or crl found
>>> (_ssl.c:3063)'),))
>>>
>>> I do have a valid letsencrypt certificate on that particular domain.
>>>
>>>  curl https://api.mydomain.cloud:5000/v3/auth/tokens
>>>  {"error": {"message": "The request you have made requires
>>> authentication.", "code": 401, "title": "Unauthorized"}}
>>>
>>> I was wondering, have you guys seen this issue before? Below is the
>>> template.
>>>
>>> https://paste.xinu.at/OC0Ic/
>>> --
>>> Ionut Biru - https://fleio.com
>>>
>>> --
>>> Cheers & Best regards,
>>> Feilong Wang (王飞龙)
>>> Head of R&D
>>> Catalyst Cloud - Cloud Native New Zealand
>>> --------------------------------------------------------------------------
>>> Tel: +64-48032246
>>> Email: flwang at catalyst.net.nz
>>> Level 6, Catalyst House, 150 Willis Street, Wellington
>>> --------------------------------------------------------------------------
>>>
>>>
>>
>> --
>> Ionut Biru - https://fleio.com
>>
>
>
> --
> Ionut Biru - https://fleio.com
>


-- 
Ionut Biru - https://fleio.com
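The root cause found above (REQUESTS_CA_BUNDLE pointing at an empty openstack-ca.pem inside the podman container) is easy to confirm before any OpenStack call is made: OpenSSL refuses to load a bundle with no certificates, which is the same "no certificate or crl found" condition that later surfaces at the TLS handshake. The curl 401 earlier in the thread shows the server chain verifies fine against the system store, so the defect is purely in the client's trust configuration. The following diagnostic is an added example, not code from magnum or the thread; the variable names and the constructed temporary files are assumptions.

```python
import os
import re
import ssl

# Matches one PEM certificate block; used only for reporting how many
# certificates a bundle file appears to contain.
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def inspect_ca_bundle(path):
    """Describe whether `path` is usable as a CA bundle for TLS verification."""
    result = {"path": path, "exists": False, "size": 0, "pem_count": 0,
              "loadable": False, "error": None}
    if not path or not os.path.isfile(path):
        result["error"] = "file does not exist"
        return result
    result["exists"] = True
    result["size"] = os.path.getsize(path)
    with open(path, "rb") as fh:
        data = fh.read()
    result["pem_count"] = len(PEM_CERT.findall(data.decode("ascii", "replace")))
    ctx = ssl.create_default_context()
    try:
        # An empty or malformed bundle raises here, the same OpenSSL error
        # ("no certificate or crl found") that podman reported at handshake.
        ctx.load_verify_locations(cafile=path)
        result["loadable"] = True
    except (ssl.SSLError, OSError) as exc:
        result["error"] = str(exc)
    return result


def diagnose_environment(environ):
    """Check the env vars that redirect requests/OpenSSL trust lookups.

    Returns a list of human-readable findings; an empty list means every
    configured bundle loads. `environ` is passed in so it can be a constructed
    dict (e.g. the container's environment captured with `podman exec env`).
    """
    findings = []
    for var in ("REQUESTS_CA_BUNDLE", "SSL_CERT_FILE", "CURL_CA_BUNDLE"):
        if var in environ:
            info = inspect_ca_bundle(environ[var])
            if not info["loadable"]:
                findings.append("%s=%s is unusable (size=%d, certs=%d): %s" % (
                    var, environ[var], info["size"], info["pem_count"], info["error"]))
    return findings


if __name__ == "__main__":
    for line in diagnose_environment(os.environ) or ["all configured CA bundles load"]:
        print(line)
```

Running it inside the heat container on the fedora-coreos node would flag REQUESTS_CA_BUNDLE with size=0, whereas on fedora-atomic the system ca-bundle.crt loads and nothing is reported.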