does anyone has any idea for undercloud self-signed "certificate_generation_ca = local" update of expired undercloud self-signed CA cert.
I have issue, that undercloud deployment/upgrade do not work, might be due to already expired CA cert or something else, due to update is happening a year after deployment.

should I just update haproxy used file with a new self-signed generated cert without CA? should it work?
We do not use overcloud there, we just use undercloud API and ironic to provision some equipment.

thank you.

On Tue, 16 Feb 2021 at 20:17, Ruslanas Gžibovskis <ruslanas@lpic.lt> wrote:
Ok, pardon me,

$ openssl x509 -noout -in ruslanas/openssl_s_client -startdate -enddate
notBefore=Jan 17 06:29:02 2021 GMT
notAfter=Oct  7 08:23:06 2021 GMT

I did openssl s_client into undercloud 13000 port, YES, cert is extended. what is not working, CA? did CA cert expired?

Yup, looks so.

$ openssl x509 -noout -startdate -enddate -in first_cert # First cert from /etc/pki/tls/private/overcloud_endpoint.pem
notBefore=Jan 17 06:29:02 2021 GMT
notAfter=Oct  7 08:23:06 2021 GMT
$ openssl x509 -noout -startdate -enddate -in second_cert # Second cert from /etc/pki/tls/private/overcloud_endpoint.pem
notBefore=Feb 13 13:09:29 2020 GMT
notAfter=Feb 13 13:09:29 2021 GMT
$

that generated CA cert got expired. am I right?
should that be rotated/refreshed by certmanager also?

Thank you.

On Tue, 16 Feb 2021 at 19:57, Ruslanas Gžibovskis <ruslanas@lpic.lt> wrote:
Yes, sorry, I was very very unclear.
I use:
certificate_generation_ca = local

I even saw that cert itself should auto-update/refresh.
But there was a bug using autorefresh, I have just updated and rebooted the system.

even I found very nice and curious script: /bin/certmonger-haproxy-refresh.sh
Executed and reexecuted some things manually with the cert which should work:
# /bin/certmonger-haproxy-refresh.sh reload external # with some additional outputs below:
/etc/pki/tls/private/overcloud_endpoint.pem
exec haproxy cp /var/lib/kolla/config_files/src-tls/etc/pki/tls/private/overcloud_endpoint.pem /etc/pki/tls/private/overcloud_endpoint.pem
exec haproxy chown haproxy:haproxy /etc/pki/tls/private/overcloud_endpoint.pem
kill --signal HUP haproxy
e72f897d35cee91acb0dfda322f0f2028b2c235d044a0caa73c8037f97a3001a

# openssl x509 -noout -text -in /etc/pki/tls/private/overcloud_endpoint.pem | less # Cert is valid

# podman exec haproxy cp /var/lib/kolla/config_files/src-tls/etc/pki/tls/private/overcloud_endpoint.pem /etc/pki/tls/private/overcloud_endpoint.pem
# podman exec haproxy ls -lZ /etc/pki/tls/private/overcloud_endpoint.pem
-rw-r-----. haproxy haproxy system_u:object_r:container_file_t:s0:c520,c935 /etc/pki/tls/private/overcloud_endpoint.pem
# podman kill --signal HUP haproxy
e72f897d35cee91acb0dfda322f0f2028b2c235d044a0caa73c8037f97a3001a

NO luck... 
sourced stackrc and executed cmd returns: 
#openstack server list
Failed to discover available identity versions when contacting https://UNDERCLOUD_LOCAL_IP:13000. Attempting to parse version from URL.
Could not find versioned identity endpoints when attempting to authenticate. Please check that your auth_url is correct. SSL exception connecting to https://10.196.106.254:13000: HTTPSConnectionPool(host='UNDERCLOUD_LOCAL_IP', port=13000): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)'),))

Inside container:
# openssl x509 -noout -startdate -enddate -in /etc/pki/tls/private/overcloud_endpoint.pem
notBefore=Jan 17 06:29:02 2021 GMT
notAfter=Oct  7 08:23:06 2021 GMT

outside container:
# openssl x509 -noout -startdate -enddate -in /etc/pki/tls/private/overcloud_endpoint.pem
notBefore=Jan 17 06:29:02 2021 GMT
notAfter=Oct  7 08:23:06 2021 GMT
#

JUST NOW thinking, is it a different error? I do not get how it was working and stopped working at the date when prev cert expires... even after reboot it should work... reload with new cert. right?

By the way certmonger looks like this:
-----
# getcert list
Number of certificates and requests being tracked: 1.
Request ID 'haproxy-external-cert':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/private/haproxy/overcloud-haproxy-external.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.crt'
        CA: local
        issuer: CN=d4a25e33-4c424982-9d23137d-28694ac3,CN=Local Signing Authority
        subject: CN=UNDERCLOUD_LOCAL_IP
        expires: 2021-10-07 08:23:06 UTC
        eku: id-kp-clientAuth,id-kp-serverAuth
        pre-save command:
        post-save command: /usr/bin/certmonger-haproxy-refresh.sh reload external
        track: yes
        auto-renew: yes


On Tue, 16 Feb 2021 at 19:07, John Fulton <johfulto@redhat.com> wrote:
On Tue, Feb 16, 2021 at 11:21 AM Ruslanas Gžibovskis <ruslanas@lpic.lt> wrote:
>
> Hi all.
>
> I got undercloud certificate expired and cannot find the best procedure to update the certificate. Do you have any link to Read The Following Material/Manual?

Did you see this?

 https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/ssl.html

  John

>
> I cannot find anything useful. As "openstack undercloud install|upgrade --force-stack-update" fails at step below:
>
> "logical_resource_id": "undercloud", "resource_status_reason": "Resource CREATE failed: StackValidationFailed: resources.UndercloudServiceChain.resources.ServiceChain: Property error: ServiceChain.resources[18].properties: Property RootStackName not assigned", "resource_status": "CREATE_FAILED", "physical_resource_id": "50784129-526c-4f14-83d3-7a0c51a7cbd9", "id": "d3b641cb-8ec0-422b-a012-8b14c9724270"}]}
>
> --
> Ruslanas Gžibovskis
> +370 6030 7030



--
Ruslanas Gžibovskis
+370 6030 7030


--
Ruslanas Gžibovskis
+370 6030 7030


--
Ruslanas Gžibovskis
+370 6030 7030