Re: [Triple0 - Wallaby] Overcloud deployment getting failed with SSL

8 Jul 2022


      What is the domain name you have specified in the undercloud.conf file?
And what is the fqdn name used for the generation of the SSL cert?

On Fri, 8 Jul 2022, 5:38 pm Lokendra Rathour, <lokendrarathour@gmail.com>
wrote:
...
Hi Team,
We were trying to install overcloud with SSL enabled for which the UC is
installed, but OC install is getting failed at step 4:
ERROR
:nectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max retries
exceeded with url: / (Caused by SSLError(CertificateError(\"hostname
'fd00:fd00:fd00:9900::2ef' doesn't match 'undercloud.com'\",),))\n",
"module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the
exact error", "rc": 1}
2022-07-08 17:03:23.606739 | 5254009a-6a3c-adb1-f96f-0000000072ac |
 FATAL | Clean up legacy Cinder keystone catalog entries | undercloud |
item={'service_name': 'cinderv3', 'service_type': 'volume'} |
error={"ansible_index_var": "cinder_api_service", "ansible_loop_var":
"item", "changed": false, "cinder_api_service": 1, "item": {"service_name":
"cinderv3", "service_type": "volume"}, "module_stderr": "Failed to discover
available identity versions when contacting https://[fd00:fd00:fd00:9900::2ef]:13000.
Attempting to parse version from URL.\nTraceback (most recent call last):\n
 File \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line
600, in urlopen\n    chunked=chunked)\n  File
\"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 343,
in _make_request\n    self._validate_conn(conn)\n  File
\"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 839,
in _validate_conn\n    conn.connect()\n  File
\"/usr/lib/python3.6/site-packages/urllib3/connection.py\", line 378, in
connect\n    _match_hostname(cert, self.assert_hostname or
server_hostname)\n  File
\"/usr/lib/python3.6/site-packages/urllib3/connection.py\", line 388, in
_match_hostname\n    match_hostname(cert, asserted_hostname)\n  File
\"/usr/lib64/python3.6/ssl.py\", line 291, in match_hostname\n    %
(hostname, dnsnames[0]))\nssl.CertificateError: hostname
'fd00:fd00:fd00:9900::2ef' doesn't match 'undercloud.com'\n\nDuring
handling of the above exception, another exception occurred:\n\nTraceback
(most recent call last):\n  File
\"/usr/lib/python3.6/site-packages/requests/adapters.py\", line 449, in
send\n    timeout=timeout\n  File
\"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 638,
in urlopen\n    _stacktrace=sys.exc_info()[2])\n  File
\"/usr/lib/python3.6/site-packages/urllib3/util/retry.py\", line 399, in
increment\n    raise MaxRetryError(_pool, url, error or
ResponseError(cause))\nurllib3.exceptions.MaxRetryError:
HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
retries exceeded with url: / (Caused by
SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
match 'undercloud.com'\",),))\n\nDuring handling of the above exception,
another exception occurred:\n\nTraceback (most recent call last):\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1022,
in _send_request\n    resp = self.session.request(method, url, **kwargs)\n
 File \"/usr/lib/python3.6/site-packages/requests/sessions.py\", line 533,
in request\n    resp = self.send(prep, **send_kwargs)\n  File
\"/usr/lib/python3.6/site-packages/requests/sessions.py\", line 646, in
send\n    r = adapter.send(request, **kwargs)\n  File
\"/usr/lib/python3.6/site-packages/requests/adapters.py\", line 514, in
send\n    raise SSLError(e, request=request)\nrequests.exceptions.SSLError:
HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
retries exceeded with url: / (Caused by
SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
match 'undercloud.com'\",),))\n\nDuring handling of the above exception,
another exception occurred:\n\nTraceback (most recent call last):\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
line 138, in _do_create_plugin\n    authenticated=False)\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
610, in get_discovery\n    authenticated=authenticated)\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 1452,
in get_discovery\n    disc = Discover(session, url,
authenticated=authenticated)\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 536,
in __init__\n    authenticated=authenticated)\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 102,
in get_version_data\n    resp = session.get(url, headers=headers,
authenticated=authenticated)\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1141,
in get\n    return self.request(url, 'GET', **kwargs)\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 931, in
request\n    resp = send(**kwargs)\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1026,
in _send_request\n    raise
exceptions.SSLError(msg)\nkeystoneauth1.exceptions.connection.SSLError: SSL
exception connecting to https://[fd00:fd00:fd00:9900::2ef]:13000:
HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
retries exceeded with url: / (Caused by
SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
match 'undercloud.com'\",),))\n\nDuring handling of the above exception,
another exception occurred:\n\nTraceback (most recent call last):\n  File
\"<stdin>\", line 102, in <module>\n  File \"<stdin>\", line 94, in
_ansiballz_main\n  File \"<stdin>\", line 40, in invoke_module\n  File
\"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\n    return
_run_module_code(code, init_globals, run_name, mod_spec)\n  File
\"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\n
 mod_name, mod_spec, pkg_name, script_name)\n  File
\"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\n    exec(code,
run_globals)\n  File
\"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
line 185, in <module>\n  File
\"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
line 181, in main\n  File
\"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/module_utils/openstack.py\",
line 407, in __call__\n  File
\"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
line 141, in run\n  File
\"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\", line
517, in search_services\n    services = self.list_services()\n  File
\"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\", line
492, in list_services\n    if self._is_client_version('identity', 2):\n
 File
\"/usr/lib/python3.6/site-packages/openstack/cloud/openstackcloud.py\",
line 460, in _is_client_version\n    client = getattr(self, client_name)\n
 File \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\",
line 32, in _identity_client\n    'identity', min_version=2,
max_version='3.latest')\n  File
\"/usr/lib/python3.6/site-packages/openstack/cloud/openstackcloud.py\",
line 407, in _get_versioned_client\n    if adapter.get_endpoint():\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/adapter.py\", line 291, in
get_endpoint\n    return self.session.get_endpoint(auth or self.auth,
**kwargs)\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1243,
in get_endpoint\n    return auth.get_endpoint(self, **kwargs)\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
380, in get_endpoint\n    allow_version_hack=allow_version_hack,
**kwargs)\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
271, in get_endpoint_data\n    service_catalog =
self.get_access(session).service_catalog\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
134, in get_access\n    self.auth_ref = self.get_auth_ref(session)\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
line 206, in get_auth_ref\n    self._plugin =
self._do_create_plugin(session)\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
line 161, in _do_create_plugin\n    'auth_url is correct. %s' %
e)\nkeystoneauth1.exceptions.discovery.DiscoveryFailure: Could not find
versioned identity endpoints when attempting to authenticate. Please check
that your auth_url is correct. SSL exception connecting to https://[fd00:fd00:fd00:9900::2ef]:13000:
HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
retries exceeded with url: / (Caused by
SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
match 'overcloud.example.com'\",),))\n", "module_stdout": "", "msg":
"MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
2022-07-08 17:03:23.609354 | 5254009a-6a3c-adb1-f96f-0000000072ac |
TIMING | Clean up legacy Cinder keystone catalog entries | undercloud |
0:11:01.271914 | 2.47s
2022-07-08 17:03:23.611094 | 5254009a-6a3c-adb1-f96f-0000000072ac |
TIMING | Clean up legacy Cinder keystone catalog entries | undercloud |
0:11:01.273659 | 2.47s
PLAY RECAP
*********************************************************************
localhost                  : ok=0    changed=0    unreachable=0
 failed=0    skipped=2    rescued=0    ignored=0
overcloud-controller-0     : ok=437  changed=104  unreachable=0
 failed=0    skipped=214  rescued=0    ignored=0
overcloud-controller-1     : ok=436  changed=101  unreachable=0
 failed=0    skipped=214  rescued=0    ignored=0
overcloud-controller-2     : ok=431  changed=101  unreachable=0
 failed=0    skipped=214  rescued=0    ignored=0
overcloud-novacompute-0    : ok=345  changed=83   unreachable=0
 failed=0    skipped=198  rescued=0    ignored=0
undercloud                 : ok=28   changed=7    unreachable=0
 failed=1    skipped=3    rescued=0    ignored=0
2022-07-08 17:03:23.647270 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Summary
Information ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2022-07-08 17:03:23.647907 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Total Tasks:
1373       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
in the deploy.sh:
openstack overcloud deploy --templates \
    -r /home/stack/templates/roles_data.yaml \
    --networks-file /home/stack/templates/custom_network_data.yaml \
    --vip-file  /home/stack/templates/custom_vip_data.yaml \
    --baremetal-deployment
 /home/stack/templates/overcloud-baremetal-deploy.yaml \
    --network-config \
    -e /home/stack/templates/environment.yaml \
    -e
/usr/share/openstack-tripleo-heat-templates/environments/services/ironic-conductor.yaml
\
    -e
/usr/share/openstack-tripleo-heat-templates/environments/services/ironic-inspector.yaml
\
    -e
/usr/share/openstack-tripleo-heat-templates/environments/services/ironic-overcloud.yaml
\
    -e /home/stack/templates/ironic-config.yaml \
    -e
/usr/share/openstack-tripleo-heat-templates/environments/external-ceph.yaml
\
    -e
/usr/share/openstack-tripleo-heat-templates/environments/services/ptp.yaml \
    -e
/usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-tls.yaml
\
    -e
/usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-ip.yaml
\
    -e
/usr/share/openstack-tripleo-heat-templates/environments/ssl/inject-trust-anchor.yaml
\
    -e
/usr/share/openstack-tripleo-heat-templates/environments/docker-ha.yaml \
    -e
/usr/share/openstack-tripleo-heat-templates/environments/podman.yaml \
    -e /home/stack/containers-prepare-parameter.yaml
Addition lines as highlighted in yellow were passed with modifications:
tls-endpoints-public-ip.yaml:
Passed as is in the defaults.
enable-tls.yaml:
# *******************************************************************
# This file was created automatically by the sample environment
# generator. Developers should use `tox -e genconfig` to update it.
# Users are recommended to make changes to a copy of the file instead
# of the original, if any customizations are needed.
# *******************************************************************
# title: Enable SSL on OpenStack Public Endpoints
# description: |
#   Use this environment to pass in certificates for SSL deployments.
#   For these values to take effect, one of the tls-endpoints-*.yaml
#   environments must also be used.
parameter_defaults:
  # Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
  # Type: boolean
  HorizonSecureCookies: True
# Specifies the default CA cert to use if TLS is used for services in
the public network.
  # Type: string
  PublicTLSCAFile: '/etc/pki/ca-trust/source/anchors/overcloud-cacert.pem'
# The content of the SSL certificate (without Key) in PEM format.
  # Type: string
  SSLRootCertificate: |
    -----BEGIN CERTIFICATE-----
    ----*** CERTICATELINES TRIMMED **
    -----END CERTIFICATE-----
SSLCertificate: |
    -----BEGIN CERTIFICATE-----
     ----*** CERTICATELINES TRIMMED **
    -----END CERTIFICATE-----
  # The content of an SSL intermediate CA certificate in PEM format.
  # Type: string
  SSLIntermediateCertificate: ''
# The content of the SSL Key in PEM format.
  # Type: string
  SSLKey: |
    -----BEGIN PRIVATE KEY-----
     ----*** CERTICATELINES TRIMMED **
    -----END PRIVATE KEY-----
# ******************************************************
  # Static parameters - these are values that must be
  # included in the environment but should not be changed.
  # ******************************************************
  # The filepath of the certificate as it will be stored in the controller.
  # Type: string
  DeployedSSLCertificatePath: /etc/pki/tls/private/overcloud_endpoint.pem
# *********************
  # End static parameters
  # *********************
inject-trust-anchor.yaml
# *******************************************************************
# This file was created automatically by the sample environment
# generator. Developers should use `tox -e genconfig` to update it.
# Users are recommended to make changes to a copy of the file instead
# of the original, if any customizations are needed.
# *******************************************************************
# title: Inject SSL Trust Anchor on Overcloud Nodes
# description: |
#   When using an SSL certificate signed by a CA that is not in the default
#   list of CAs, this environment allows adding a custom CA certificate to
#   the overcloud nodes.
parameter_defaults:
  # The content of a CA's SSL certificate file in PEM format. This is
evaluated on the client side.
  # Mandatory. This parameter must be set by the user.
  # Type: string
  SSLRootCertificate: |
    -----BEGIN CERTIFICATE-----
   ----*** CERTICATELINES TRIMMED **
    -----END CERTIFICATE-----
resource_registry:
  OS::TripleO::NodeTLSCAData: ../../puppet/extraconfig/tls/ca-inject.yaml
The procedure to create such files was followed using:
Deploying with SSL — TripleO 3.0.0 documentation (openstack.org)
<https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/ssl.html>
Idea is to deploy overcloud with SSL enabled i.e* Self-signed IP-based
certificate, without DNS. *
Any idea around this error would be of great help.
--
skype: lokendrarathour

Re: [Triple0 - Wallaby] Overcloud deployment getting failed with SSL

Swogat Pradhan