error "haproxy[]: proxy horizon has no server available!" when internal tls is activated

16 Nov 2021


      Hello,
I try to deploy an overcloud openstack in victoria version.
My configuration to deploy is :
openstack overcloud deploy --templates   -r
/home/stack/templates/roles_data.yaml \
                                         -n /home/stack/network_data.yaml \
                                         -e
/home/stack/templates/scheduler_hints_env.yaml \
                                         -e
/home/stack/templates/network-isolation.yaml \
                                         -e
/home/stack/templates/os-net-config-mapping.yaml \
                                         -e
/home/stack/templates/node-info.yaml \
                                         -e
/home/stack/containers-prepare-parameter.yaml \
                                         -e
/home/stack/templates/host-map.yaml \
                                         -e
/home/stack/templates/ips-from-pool-all.yaml \
                                         -e
/home/stack/templates/network-environment.yaml \
                                         -e
/home/stack/templates/net-multiple-nics-vlans.yaml \
                                         -e
/home/stack/templates/ceph-ansible-external.yaml \
                                         -e
/usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml
\
                                         -e
/usr/share/openstack-tripleo-heat-templates/environments/services/haproxy-internal-tls-certmonger.yaml
\
                                         -e
/usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-ip.yaml
\
                                         -e
/usr/share/openstack-tripleo-heat-templates/environments/services/octavia.yaml
\
                                         -e
/usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml
\
                                         -e
/usr/share/openstack-tripleo-heat-templates/environments/disable-telemetry.yaml
\
                                         -e
/home/stack/templates/tls-parameters.yaml \
                                         -e
/home/stack/templates/inject-trust-anchor.yaml \
The generated configuration of horizon httpd  contains SSLVerifyClient.
But Haproxy fails to check server available, because haproxy does not send
a client certificate when check attempt.
the generated configuration of haproxy backend is :
server host1 ip_host1:5000 ca-file /etc/ipa/ca.crt check fall 5 inter 2000
rise 2 ssl verify required verifyhost host1
server host2 ip_host2:5000 ca-file /etc/ipa/ca.crt check fall 5 inter 2000
rise 2 ssl verify required verifyhost host2
server host3 ip_host3:5000 ca-file /etc/ipa/ca.crt check fall 5 inter 2000
rise 2 ssl verify required verifyhost host3
if i try adding manualy "crt
/etc/pki/tls/certs/haproxy/overcloud-haproxy-internal_api.pem" in server
configuration in haproxy.conf, horizon/dashboard works via haproxy. But i'm
not sure that's the right way.
Did I forget an environment file in deploy configuration ?
Thank you in advance for your assistance with this.
Best regards
Souppart Alexandre

alex souppart

tags (0)

participants (1)