Hi,

From the beginning I had kolla_verify_tls_backend: "no" in globals.yml

The weird thing is that the openstack cli works fine.
I even created a new user with admin role, I get the same behavior.
Horizon does not connect, the cli works.

I activated the debug mode on keystone
[root@rscdeployer ~]# cat /etc/yogakolla/config/keystone.conf
[DEFAULT]
debug = True
insecure_debug= True

But nothing in the log file, when I try to login via horizon, I don't get anything on keystone.log.


I tested with a wrong password to see the behavior of the platform, and this is what I got on keystone.log :

- Openstack CLI with wrong pass, I got : 2023-10-22 13:51:02.344 43 WARNING keystone.server.flask.application [req-73100d88-8357-42ce-8865-e36c34a9bfa9 - - - - -] Authorization failed. The request you have made requires authentication. from 10.10.3.16: keystone.exception.Unauthorized: The request you have made requires authentication.

- Openstack Horizon with wrong pass, I got : Nothing

How can I follow up on this? How can I be sure that it's not a horizon problem or something else?

Regards.


On Wed, 18 Oct 2023 at 13:17, Kaster, Jörn <Joern.Kaster@epg.com> wrote:
Hi wodel,
Nice to hear that the patch helps you.

With the keystone problem I can't help, but I think the certs are correct.
Two thoughts about that.
  • If the respective configurations of the OpenStack services use the IP address instead of a DNS name (which is the case here), then the certificates don't need the DNS name in them.
  • Could you please look for any error messages in the keystone logs and also check whether you can establish a connection to keystone on the mentioned port with openssl s_client? If so, it could be that you have to disable the certificate verification in the deployment.


From: wodel youchi <wodel.youchi@gmail.com>
Sent: Wednesday, 18 October 2023 11:55
To: Kaster, Jörn <Joern.Kaster@epg.com>
Cc: OpenStack Discuss <openstack-discuss@lists.openstack.org>
Subject: Re: [kolla-ansible][yoga] Cannot authenticate to openstack after deploying self-signed cert
 


Thanks Jörn, it worked for cloudkitty, after applying the patch the deployment went well. But :

- I still can't access the web console : An error occurred authenticating. Please try again later.

- in cloudkitty-processor.log I am still having :
2023-10-18 10:46:25.271 8106 WARNING keystoneauth.identity.generic.base [-] Failed to discover available identity versions when contacting https://dinternal.cloud.domain.tld:35357. Attempting to parse version from URL.: keystoneauth1.exceptions.connection.SSLError: SSL exception connecting to https:// dinternal.cloud.domain.tld :35357: HTTPSConnectionPool(host=' dinternal.cloud.domain.tld ', port=35357): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))


When generating the self-signed certificate, I noticed that the process had generated :
- two haproxy certificates, one for the internet with the external FQDN and the second for internal communication with the local internal FQDN.

- It also generated a backend certificate, that contains only the IP addresses of the 03 controllers as Subject Alternate Names without any mention of the domain I am using, is this correct?

[root@rscdeployer ~]# openssl x509 -noout -text -in /etc/yogakolla/certificates/backend-cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1c:66:7e:37:85:cf:ca:1c:da:42:f6:f1:1f:dc:1e:97.....
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = KollaTestCA
        Validity
            Not Before: Oct 17 15:04:26 2023 GMT
            Not After : Oct 15 15:04:26 2025 GMT
        Subject: C = US, ST = NC, L = RTP, OU = kolla
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
              .....
              .....
              e6:23:a4:7f:30:74:ac:0c:2d:22:00:95:b6:ab:20:
                    98:6b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:10.10.3.5, IP Address:10.10.3.9, IP Address:10.10.3.13

    Signature Algorithm: sha256WithRSAEncryption
         36:86:cb:b4:9a:fe:33:0d:ff:af:87:5e:00:9d:69:4e:32:21:


Regards.
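
An added example, not part of the original mails and not kolla-ansible code: it parses the Subject Alternative Name section of `openssl x509 -noout -text` output like the dump above and reports whether a given endpoint (IP or DNS name) is covered, which is the point made in the first bullet of the reply. The function names are hypothetical and the sample text is constructed from the SAN line in the dump. It checks names only; whether the client trusts the issuer (KollaTestCA here) is a separate check.

```python
import ipaddress

# Constructed sample: trimmed `openssl x509 -noout -text` output that keeps the
# SAN line shown in the dump above.
SAMPLE_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:10.10.3.5, IP Address:10.10.3.9, IP Address:10.10.3.13

    Signature Algorithm: sha256WithRSAEncryption
"""


def parse_sans(text):
    """Return (dns_names, ip_addresses) from openssl's text rendering."""
    lines = text.splitlines()
    dns, ips = [], []
    for i, line in enumerate(lines):
        if "X509v3 Subject Alternative Name" in line and i + 1 < len(lines):
            for entry in lines[i + 1].split(","):
                kind, _, value = entry.strip().partition(":")
                if kind == "DNS":
                    dns.append(value.lower())
                elif kind == "IP Address":
                    ips.append(ipaddress.ip_address(value))
    return dns, ips


def dns_matches(pattern, host):
    """Label-wise match; '*' is accepted only as the whole left-most label."""
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def endpoint_covered(text, endpoint):
    """True if the SANs cover `endpoint`: IPs match only IP entries, names only DNS entries."""
    dns, ips = parse_sans(text)
    try:
        return ipaddress.ip_address(endpoint) in ips
    except ValueError:  # not an IP literal, so treat it as a DNS name
        return any(dns_matches(p, endpoint) for p in dns)


if __name__ == "__main__":
    for ep in ("10.10.3.5", "dinternal.cloud.domain.tld"):
        print(ep, "covered" if endpoint_covered(SAMPLE_TEXT, ep) else "NOT covered")
```
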


On Wed, 18 Oct 2023 at 07:12, Kaster, Jörn <Joern.Kaster@epg.com> wrote:
Hello wodel,
The problem with cloudkitty deployment with self-signed certs could resolve to the following bug report [1].




From: wodel youchi <wodel.youchi@gmail.com>
Sent: Wednesday, 18 October 2023 01:33
To: OpenStack Discuss <openstack-discuss@lists.openstack.org>
Subject: [kolla-ansible][yoga] Cannot authenticate to openstack after deploying self-signed cert
 


Hi,

Our SSL certificate expired a couple of days ago, and we started experiencing failed logins. To work around the problem rapidly, we decided to deploy the self-signed certificates generated by kolla.

We generated the certificates then we did a reconfigure, but still the problem remains : An error occurred authenticating. Please try again later.

on horizon.log we have : 
[Wed Oct 18 00:25:55.379383 2023] [wsgi:error] [pid 103:tid 140182314505984] [remote 10.10.3.5:40848] Login failed for user "admin" using domain "default", remote address 10.10.3.5

The openstack command line works fine.

How can we debug this?

The second problem we have is with cloudkitty, which refuses to reconfigure with the generated self-signed certificate; we had to exclude it from the reconfiguration process by setting the cloudkitty variable to no before restarting the reconfigure process.

How can we debug this?




Regards.
