<div dir="ltr">Yes, sorry, I was very very unclear.<div>I use:</div><div>certificate_generation_ca = local</div><div><br></div><div>I even saw that cert itself should auto-update/refresh.</div><div>But there was a bug using autorefresh, I have just updated and rebooted the system.</div><div><br></div><div>even I found very nice and curious script: /bin/certmonger-haproxy-refresh.sh</div><div>Executed and reexecuted some things manually with the cert which should work:</div><div># /bin/certmonger-haproxy-refresh.sh reload external # with some additional outputs below:<br>/etc/pki/tls/private/overcloud_endpoint.pem<br>exec haproxy cp /var/lib/kolla/config_files/src-tls/etc/pki/tls/private/overcloud_endpoint.pem /etc/pki/tls/private/overcloud_endpoint.pem<br>exec haproxy chown haproxy:haproxy /etc/pki/tls/private/overcloud_endpoint.pem<br>kill --signal HUP haproxy<br>e72f897d35cee91acb0dfda322f0f2028b2c235d044a0caa73c8037f97a3001a<br><br></div><div># openssl x509 -noout -text -in /etc/pki/tls/private/overcloud_endpoint.pem | less # Cert is valid</div><div><br># podman exec haproxy cp /var/lib/kolla/config_files/src-tls/etc/pki/tls/private/overcloud_endpoint.pem /etc/pki/tls/private/overcloud_endpoint.pem<br># podman exec haproxy ls -lZ /etc/pki/tls/private/overcloud_endpoint.pem<br>-rw-r-----. haproxy haproxy system_u:object_r:container_file_t:s0:c520,c935 /etc/pki/tls/private/overcloud_endpoint.pem<br># podman kill --signal HUP haproxy<br>e72f897d35cee91acb0dfda322f0f2028b2c235d044a0caa73c8037f97a3001a<br><br></div><div>NO luck... </div><div>sourced stackrc and executed cmd returns: </div><div>#openstack server list<br>Failed to discover available identity versions when contacting <a href="https://UNDERCLOUD_LOCAL_IP:13000">https://UNDERCLOUD_LOCAL_IP:13000</a>. Attempting to parse version from URL.<br>Could not find versioned identity endpoints when attempting to authenticate. Please check that your auth_url is correct. SSL exception connecting to <a href="https://10.196.106.254:13000">https://10.196.106.254:13000</a>: HTTPSConnectionPool(host='UNDERCLOUD_LOCAL_IP', port=13000): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)'),))<br></div><div><br></div><div>Inside container:</div><div># openssl x509 -noout -startdate -enddate -in /etc/pki/tls/private/overcloud_endpoint.pem<br>notBefore=Jan 17 06:29:02 2021 GMT<br>notAfter=Oct 7 08:23:06 2021 GMT<br></div><div><br></div><div>outside container:</div><div># openssl x509 -noout -startdate -enddate -in /etc/pki/tls/private/overcloud_endpoint.pem<br>notBefore=Jan 17 06:29:02 2021 GMT<br>notAfter=Oct 7 08:23:06 2021 GMT<br>#<br></div><div><br></div><div>JUST NOW thinking, is it a different error? I do not get how it was working and stopped working at the date when prev cert expires... even after reboot it should work... reload with new cert. right?</div><div><br></div><div>By the way certmonger looks like this:</div><div>-----</div><div># getcert list<br>Number of certificates and requests being tracked: 1.<br>Request ID 'haproxy-external-cert':<br> status: MONITORING<br> stuck: no<br> key pair storage: type=FILE,location='/etc/pki/tls/private/haproxy/overcloud-haproxy-external.key'<br> certificate: type=FILE,location='/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.crt'<br> CA: local<br> issuer: CN=d4a25e33-4c424982-9d23137d-28694ac3,CN=Local Signing Authority<br> subject: CN=UNDERCLOUD_LOCAL_IP<br> expires: 2021-10-07 08:23:06 UTC<br> eku: id-kp-clientAuth,id-kp-serverAuth<br> pre-save command:<br> post-save command: /usr/bin/certmonger-haproxy-refresh.sh reload external<br> track: yes<br> auto-renew: yes<br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 16 Feb 2021 at 19:07, John Fulton <<a href="mailto:johfulto@redhat.com">johfulto@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Tue, Feb 16, 2021 at 11:21 AM Ruslanas Gžibovskis <<a href="mailto:ruslanas@lpic.lt" target="_blank">ruslanas@lpic.lt</a>> wrote:<br>
><br>
> Hi all.<br>
><br>
> I got undercloud certificate expired and cannot find the best procedure to update the certificate. Do you have any link to Read The Following Material/Manual?<br>
<br>
Did you see this?<br>
<br>
<a href="https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/ssl.html" rel="noreferrer" target="_blank">https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/ssl.html</a><br>
<br>
John<br>
<br>
><br>
> I cannot find anything useful. As "openstack undercloud install|upgrade --force-stack-update" fails at step below:<br>
><br>
> "logical_resource_id": "undercloud", "resource_status_reason": "Resource CREATE failed: StackValidationFailed: resources.UndercloudServiceChain.resources.ServiceChain: Property error: ServiceChain.resources[18].properties: Property RootStackName not assigned", "resource_status": "CREATE_FAILED", "physical_resource_id": "50784129-526c-4f14-83d3-7a0c51a7cbd9", "id": "d3b641cb-8ec0-422b-a012-8b14c9724270"}]}<br>
><br>
> --<br>
> Ruslanas Gžibovskis<br>
> +370 6030 7030<br>
<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div>Ruslanas Gžibovskis<br>+370 6030 7030<br></div></div></div>