<div dir="ltr"><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Hello,<br></div><div dir="ltr"><div>I am trying to deploy an OpenStack overcloud in the Victoria version.</div><div>My configuration to deploy is:</div><div><br></div><div>openstack overcloud deploy --templates   -r /home/stack/templates/roles_data.yaml \<br>                                         -n /home/stack/network_data.yaml \<br>                                         -e /home/stack/templates/scheduler_hints_env.yaml \<br>                                         -e /home/stack/templates/network-isolation.yaml \<br>                                         -e /home/stack/templates/os-net-config-mapping.yaml \<br>                                         -e /home/stack/templates/node-info.yaml \<br>                                         -e /home/stack/containers-prepare-parameter.yaml \<br>                                         -e /home/stack/templates/host-map.yaml \<br>                                         -e /home/stack/templates/ips-from-pool-all.yaml \<br>                                         -e /home/stack/templates/network-environment.yaml \<br>                                         -e /home/stack/templates/net-multiple-nics-vlans.yaml \<br>                                         -e /home/stack/templates/ceph-ansible-external.yaml \<br>                                         -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml \<br>                                         -e /usr/share/openstack-tripleo-heat-templates/environments/services/haproxy-internal-tls-certmonger.yaml \<br>                                         -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-ip.yaml \<br>                                         -e /usr/share/openstack-tripleo-heat-templates/environments/services/octavia.yaml \<br>                                         -e 
/usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml \<br>                                         -e /usr/share/openstack-tripleo-heat-templates/environments/disable-telemetry.yaml \<br>                                         -e /home/stack/templates/tls-parameters.yaml \<br>                                         -e /home/stack/templates/inject-trust-anchor.yaml \<br></div><div>  <br>The generated configuration of horizon httpd contains SSLVerifyClient.<br>But HAProxy fails its check that the servers are available, because HAProxy does not send a client certificate during the check attempt.<br><br>The generated configuration of the HAProxy backend is:<br>server host1 ip_host1:5000 ca-file /etc/ipa/ca.crt check fall 5 inter 2000 rise 2 ssl verify required verifyhost host1<br>server host2 ip_host2:5000 ca-file /etc/ipa/ca.crt check fall 5 inter 2000 rise 2 ssl verify required verifyhost host2<br>server host3 ip_host3:5000 ca-file /etc/ipa/ca.crt check fall 5 inter 2000 rise 2 ssl verify required verifyhost host3<br><br>If I manually add "crt /etc/pki/tls/certs/haproxy/overcloud-haproxy-internal_api.pem" to the server configuration in haproxy.conf, horizon/dashboard works via HAProxy. But I'm not sure that's the right way.<br><br>Did I forget an environment file in the deploy configuration?<br><br>Thank you in advance for your assistance with this. <br><br>Best regards <br><br>Souppart Alexandre<br></div><div><span style="background-color:rgb(252,252,252)">

</span></div></div>
</div></div>
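<div>An added example, not part of the original post and not TripleO or HAProxy project code: a small Python check that parses HAProxy server lines like those quoted above and lists the servers that are health-checked over TLS without a "crt" client certificate while httpd demands one. The sample input is constructed, the SSLVerifyClient value "require" is an assumption (the post does not give it), and the function names are hypothetical.</div>

```python
import re

# Server-line keywords that take one following argument (a subset that is
# sufficient for the lines quoted in the post).
ARG_KEYWORDS = {"ca-file", "crt", "fall", "inter", "rise", "verify", "verifyhost"}

def parse_server_line(line):
    """Parse one HAProxy 'server' line into name, address and an options dict."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "server":
        return None
    opts, i = {}, 3
    while i < len(tokens):
        key = tokens[i]
        if key in ARG_KEYWORDS and i + 1 < len(tokens):
            opts[key] = tokens[i + 1]
            i += 2
        else:
            opts[key] = True  # flag keyword such as 'check' or 'ssl'
            i += 1
    return {"name": tokens[1], "addr": tokens[2], "opts": opts}

def httpd_requires_client_cert(httpd_conf):
    """True if an uncommented 'SSLVerifyClient require' directive is present."""
    return re.search(r"(?im)^\s*SSLVerifyClient\s+require\b", httpd_conf) is not None

def servers_missing_client_cert(haproxy_conf, httpd_conf):
    """Names of TLS health-checked servers with no 'crt' although httpd demands one."""
    if not httpd_requires_client_cert(httpd_conf):
        return []
    missing = []
    for line in haproxy_conf.splitlines():
        srv = parse_server_line(line)
        if srv and srv["opts"].get("ssl") and srv["opts"].get("check") and "crt" not in srv["opts"]:
            missing.append(srv["name"])
    return missing

# Constructed sample input: server lines in the shape quoted in the post, plus an
# assumed httpd directive value ('require'); host3 carries the manual 'crt' addition.
HAPROXY_SAMPLE = """
server host1 ip_host1:5000 ca-file /etc/ipa/ca.crt check fall 5 inter 2000 rise 2 ssl verify required verifyhost host1
server host2 ip_host2:5000 ca-file /etc/ipa/ca.crt check fall 5 inter 2000 rise 2 ssl verify required verifyhost host2
server host3 ip_host3:5000 ca-file /etc/ipa/ca.crt crt /etc/pki/tls/certs/haproxy/overcloud-haproxy-internal_api.pem check fall 5 inter 2000 rise 2 ssl verify required verifyhost host3
"""
HTTPD_SAMPLE = "SSLEngine on\nSSLVerifyClient require\n"

if __name__ == "__main__":
    print(servers_missing_client_cert(HAPROXY_SAMPLE, HTTPD_SAMPLE))
```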