Thanks Jörn, it worked for cloudkitty, after applying the patch the deployment went well. But :

- I still can't access the web console : An error occurred authenticating. Please try again later.

- in cloudkitty-processor.log I am still having :
2023-10-18 10:46:25.271 8106 WARNING keystoneauth.identity.generic.base [-] Failed to discover available identity versions when contacting https://dinternal.cloud.domain.tld:35357. Attempting to parse version from URL.: keystoneauth1.exceptions.connection.SSLError: SSL exception connecting to https:// dinternal.cloud.domain.tld :35357: HTTPSConnectionPool(host=' dinternal.cloud.domain.tld ', port=35357): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))


When generating the self-signed certificate, I noticed that the process had generated :
- two haproxy certificates, one for the internet with the external FQDN and the second for internal communication with the local internal FQDN.

- It also generated a backend certificate, that contains only the IP addresses of the 03 controllers as Subject Alternate Names without any mention of the domain I am using, is this correct?

[root@rscdeployer ~]# openssl x509 -noout -text -in /etc/yogakolla/certificates/backend-cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1c:66:7e:37:85:cf:ca:1c:da:42:f6:f1:1f:dc:1e:97.....
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = KollaTestCA
        Validity
            Not Before: Oct 17 15:04:26 2023 GMT
            Not After : Oct 15 15:04:26 2025 GMT
        Subject: C = US, ST = NC, L = RTP, OU = kolla
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
              .....
              .....
              e6:23:a4:7f:30:74:ac:0c:2d:22:00:95:b6:ab:20:
                    98:6b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:10.10.3.5, IP Address:10.10.3.9, IP Address:10.10.3.13
    Signature Algorithm: sha256WithRSAEncryption
         36:86:cb:b4:9a:fe:33:0d:ff:af:87:5e:00:9d:69:4e:32:21:


Regards.

Virus-free.www.avast.com

Le mer. 18 oct. 2023 à 07:12, Kaster, Jörn <Joern.Kaster@epg.com> a écrit :
Hello wodel,
the problem with cloudkitty deployment with self signed certs could resolve to the following bugreport [1].

[1] https://bugs.launchpad.net/kolla-ansible/+bug/1998831


Von: wodel youchi <wodel.youchi@gmail.com>
Gesendet: Mittwoch, 18. Oktober 2023 01:33
An: OpenStack Discuss <openstack-discuss@lists.openstack.org>
Betreff: [kolla-ansible][yoga] Cannot authenticate to openstack after deploying self-signed cert
 

OUTSIDE-EPG!

Hi,

Our ssl certificate expired a couple of days ago, and we started experiencing failed login, to workaround the problem rapidly we decided to deploy the self-signed certificates generated by kolla.

We generated the certificates then we did a reconfigure, but still the problem remains : An error occurred authenticating. Please try again later.

on horizon.log we have : 
[Wed Oct 18 00:25:55.379383 2023] [wsgi:error] [pid 103:tid 140182314505984] [remote 10.10.3.5:40848] Login failed for user "admin" using domain "default", remote address 10.10.3.5

The openstack command line works fine.

How can we debug this?

The second problem we have is with cloudkitty that refuses to reconfigure with the generated self-signed certificate, we had to ignore it from the reconfiguration process by putting the cloudkitty variable to no before restarting the reconfigure process.

How can we debug this?




Regards.

Virus-free.www.avast.com