Hi wodel,

looks tricky. Now the point is reached where I am totally out of my comfort zone. All information should be double-checked.

Please check the configuration differences between the cli and horizon. Is horizon on the same node as keystone? Looks like there is a connection problem between horizon/keystone. See also the horizon log for any connection errors.

Hopefully someone on the list can give instructions for more/deeper debugging.

________________________________
From: wodel youchi <wodel.youchi@gmail.com>
Sent: Sunday, 22 October 2023 15:03
To: OpenStack Discuss <openstack-discuss@lists.openstack.org>
Cc: Kaster, Jörn <joern.kaster@epg.com>
Subject: Re: [kolla-ansible][yoga] Cannot authenticate to openstack after deploying self-signed cert

Hi,

From the beginning I had kolla_verify_tls_backend: "no" in globals.yml.

The weird thing is that the openstack cli works fine. I even created a new user with admin role, I get the same behavior. Horizon does not connect, the cli works.

I activated the debug mode on keystone:

    [root@rscdeployer ~]# cat /etc/yogakolla/config/keystone.conf
    [DEFAULT]
    debug = True
    insecure_debug= True

But nothing in the log file, when I try to login via horizon, I don't get anything on keystone.log.

I tested with a wrong password to see the behavior of the platform, and this is what I got on keystone.log:

- Openstack CLI with wrong pass, I got:

    2023-10-22 13:51:02.344 43 WARNING keystone.server.flask.application [req-73100d88-8357-42ce-8865-e36c34a9bfa9 - - - - -] Authorization failed. The request you have made requires authentication. from 10.10.3.16: keystone.exception.Unauthorized: The request you have made requires authentication.

- Openstack Horizon with wrong pass, I got: Nothing

How can I follow up this, how can I be sure that it's not a horizon problem or something else?

Regards.

On Wed, 18 Oct 2023 at 13:17, Kaster, Jörn <Joern.Kaster@epg.com> wrote:

Hi wodel,

nice to hear that the patch helps you. With the keystone problem I can't help, but I think the certs are correct. Two thoughts about that.

* If you have in the respective configurations of the OpenStack services the IP address instead of any DNS name configured (this is the case here) then the certificates don't need the DNS name in them.
* Could you please look for any error messages in the keystone logs and also check if you can establish a connection to the keystone on the mentioned port with openssl s_client. If so, it could be possible that you have to disable the certificate verification in the deployment.

________________________________
From: wodel youchi <wodel.youchi@gmail.com>
Sent: Wednesday, 18 October 2023 11:55
To: Kaster, Jörn <Joern.Kaster@epg.com>
Cc: OpenStack Discuss <openstack-discuss@lists.openstack.org>
Subject: Re: [kolla-ansible][yoga] Cannot authenticate to openstack after deploying self-signed cert

Thanks Jörn, it worked for cloudkitty, after applying the patch the deployment went well.

But:

- I still can't access the web console: An error occurred authenticating. Please try again later.
- In cloudkitty-processor.log I am still having:

    2023-10-18 10:46:25.271 8106 WARNING keystoneauth.identity.generic.base [-] Failed to discover available identity versions when contacting https://dinternal.cloud.domain.tld:35357. Attempting to parse version from URL.: keystoneauth1.exceptions.connection.SSLError: SSL exception connecting to https:// dinternal.cloud.domain.tld :35357: HTTPSConnectionPool(host=' dinternal.cloud.domain.tld ', port=35357): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))

When generating the self-signed certificate, I noticed that the process had generated:

- two haproxy certificates, one for the internet with the external FQDN and the second for internal communication with the local internal FQDN.
- It also generated a backend certificate, that contains only the IP addresses of the 03 controllers as Subject Alternate Names without any mention of the domain I am using, is this correct?

    [root@rscdeployer ~]# openssl x509 -noout -text -in /etc/yogakolla/certificates/backend-cert.pem
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                1c:66:7e:37:85:cf:ca:1c:da:42:f6:f1:1f:dc:1e:97.....
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN = KollaTestCA
            Validity
                Not Before: Oct 17 15:04:26 2023 GMT
                Not After : Oct 15 15:04:26 2025 GMT
            Subject: C = US, ST = NC, L = RTP, OU = kolla
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
                    Modulus:
                        .....
                        .....
                        e6:23:a4:7f:30:74:ac:0c:2d:22:00:95:b6:ab:20:
                        98:6b
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Alternative Name:
                    IP Address:10.10.3.5, IP Address:10.10.3.9, IP Address:10.10.3.13
        Signature Algorithm: sha256WithRSAEncryption
             36:86:cb:b4:9a:fe:33:0d:ff:af:87:5e:00:9d:69:4e:32:21:

Regards.

On Wed, 18 Oct 2023 at 07:12, Kaster, Jörn <Joern.Kaster@epg.com> wrote:

Hello wodel,

the problem with cloudkitty deployment with self-signed certs could resolve to the following bug report [1].

[1] https://bugs.launchpad.net/kolla-ansible/+bug/1998831

Bug #1998831 “CloudKitty bootstrap fails when using internal TLS...” : Bugs : kolla-ansible

When InfluxDB is behind HAProxy's internal TLS, CloudKitty fails to bootstrap its InfluxDB database with the following error:

    TASK [cloudkitty : Creating Cloudkitty influxdb database] ***************************************************************************************************************************
    fatal: [controller01 -> controller01]: FAILED! => changed=false action: influxdb_database msg: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response...

________________________________
From: wodel youchi <wodel.youchi@gmail.com>
Sent: Wednesday, 18 October 2023 01:33
To: OpenStack Discuss <openstack-discuss@lists.openstack.org>
Subject: [kolla-ansible][yoga] Cannot authenticate to openstack after deploying self-signed cert

Hi,

Our ssl certificate expired a couple of days ago, and we started experiencing failed logins. To work around the problem rapidly we decided to deploy the self-signed certificates generated by kolla.

We generated the certificates then we did a reconfigure, but still the problem remains: An error occurred authenticating. Please try again later.

On horizon.log we have:

    [Wed Oct 18 00:25:55.379383 2023] [wsgi:error] [pid 103:tid 140182314505984] [remote 10.10.3.5:40848] Login failed for user "admin" using domain "default", remote address 10.10.3.5

The openstack command line works fine. How can we debug this?

The second problem we have is with cloudkitty that refuses to reconfigure with the generated self-signed certificate, we had to ignore it from the reconfiguration process by putting the cloudkitty variable to no before restarting the reconfigure process. How can we debug this?

Regards.
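
The point raised in the thread, that a certificate whose Subject Alternative Names are only IP addresses is enough for endpoints configured by IP but cannot match an endpoint addressed by FQDN, can be checked mechanically; the following is an added example, not part of any message in the thread. It checks name coverage only, not CA trust or which certificate a given endpoint actually serves. The function names are hypothetical and the first URL is constructed.

```python
# Added example (not from the thread): which endpoints do a certificate's SANs cover?
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: SAN section as printed by `openssl x509 -noout -text`,
# using the three IP SANs shown for backend-cert.pem in the thread.
BACKEND_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:10.10.3.5, IP Address:10.10.3.9, IP Address:10.10.3.13
"""

def parse_san(x509_text):
    """Return {'dns': [...], 'ip': [...]} from openssl's text dump."""
    sans = {"dns": [], "ip": []}
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*(.+)", x509_text)
    if m:
        for item in m.group(1).split(","):
            kind, _, value = item.strip().partition(":")
            if kind == "DNS":
                sans["dns"].append(value.lower())
            elif kind == "IP Address":
                sans["ip"].append(ipaddress.ip_address(value))
    return sans

def _dns_match(pattern, host):
    # A leading "*." covers exactly one left-most label, nothing deeper.
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def covers(sans, host):
    """IP literals are checked against IP SANs only, names against DNS SANs only."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        host = host.lower().rstrip(".")
        return any(_dns_match(p, host) for p in sans["dns"])
    return ip in sans["ip"]

def audit(x509_text, urls):
    """Map each configured endpoint URL to whether the certificate names its host."""
    sans = parse_san(x509_text)
    return {u: covers(sans, urlsplit(u).hostname) for u in urls}

if __name__ == "__main__":
    # First URL is constructed; the second host and port appear in the thread's log.
    urls = ["https://10.10.3.5:35357", "https://dinternal.cloud.domain.tld:35357"]
    for url, ok in audit(BACKEND_CERT_TEXT, urls).items():
        print("covered    " if ok else "NOT covered", url)
```
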