Hi

Thanks for your help.

First I want to correct something, the kolla_verify_tls_backend was positioned to false from the beginning, while doing the first deployment with the commercial certificate.

And yes I have kolla_copy_ca_into_containers positioned to yes from the beginning. And I can see in the nodes that there is a directory named certificates in every module's directory in /etc/kolla

What do you mean by using openssl? Do you mean to execute the command inside a container and try to connect to keystone? If yes what is the correct command?

It seems like something is missing to tell the client side to ignore the certificate validity, something like the --insecure parameter in the openstack cli.

Regards.

On Fri, Nov 11, 2022, 21:21 Eugen Block <eblock@nde.ag> wrote:
Hi,

I'm not familiar with kolla, but the docs also mention this option:

kolla_copy_ca_into_containers: "yes"

As I understand it the CA cert is required within the containers so 
they can trust the self-signed certs. At least that's how I configure 
it in a manually deployed openstack cloud. Do you have that option 
enabled? If it is enabled, did you verify it with openssl tools?

Regards,
Eugen

Zitat von wodel youchi <wodel.youchi@gmail.com>:

> Some help please.
>
> On Tue, Nov 8, 2022, 14:44 wodel youchi <wodel.youchi@gmail.com> wrote:
>
>> Hi,
>>
>> To deploy Openstack with a self-signed certificate, the documentation says
>> to generate the certificates using kolla-ansible certificates, to configure
>> the support of TLS in globals.yml and to deploy.
>>
>> I am facing a problem, my old certificate has expired, I want to use a
>> self-signed certificate.
>> I backported my servers to an older date, then generated a self-signed
>> certificate using kolla, but the deploy/reconfigure won't work, they say :
>>
>> self._sslobj.do_handshake()\n  File \"/usr/lib64/python3.6/ssl.py\", line
>> 648, in do_handshakeself._sslobj.do_handshake()\nssl.SSLError: [SSL:
>> CERTIFICATE_VERIFY_FAILED certificate verify failed
>>
>> PS : in my globals.yml i have : *kolla_verify_tls_backend: "yes"*
>>
>> Regards.
>>