[CentOS7][train][tripleo]undercloud self-signed certificate expired
Hi all.

I got an expired undercloud certificate and cannot find the best procedure to update the certificate. Do you have any link to Read The Following Material/Manual?

I cannot find anything useful. As "openstack undercloud install|upgrade --force-stack-update" fails at the step below:

"logical_resource_id": "undercloud", "resource_status_reason": "Resource CREATE failed: StackValidationFailed: resources.UndercloudServiceChain.resources.ServiceChain: Property error: ServiceChain.resources[18].properties: Property RootStackName not assigned", "resource_status": "CREATE_FAILED", "physical_resource_id": "50784129-526c-4f14-83d3-7a0c51a7cbd9", "id": "d3b641cb-8ec0-422b-a012-8b14c9724270"}]}

-- Ruslanas Gžibovskis +370 6030 7030
On Tue, Feb 16, 2021 at 11:21 AM Ruslanas Gžibovskis <ruslanas@lpic.lt> wrote:
Hi all.
I got undercloud certificate expired and cannot find the best procedure to update the certificate. Do you have any link to Read The Following Material/Manual?
Did you see this?
https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features...

John
Yes, sorry, I was very, very unclear. I use: certificate_generation_ca = local

I even saw that the cert itself should auto-update/refresh. But there was a bug using autorefresh; I have just updated and rebooted the system.

I even found a very nice and curious script: /bin/certmonger-haproxy-refresh.sh

Executed and re-executed some things manually with the cert, which should work:

# /bin/certmonger-haproxy-refresh.sh reload external # with some additional outputs below:
/etc/pki/tls/private/overcloud_endpoint.pem
exec haproxy cp /var/lib/kolla/config_files/src-tls/etc/pki/tls/private/overcloud_endpoint.pem /etc/pki/tls/private/overcloud_endpoint.pem
exec haproxy chown haproxy:haproxy /etc/pki/tls/private/overcloud_endpoint.pem
kill --signal HUP haproxy
e72f897d35cee91acb0dfda322f0f2028b2c235d044a0caa73c8037f97a3001a

# openssl x509 -noout -text -in /etc/pki/tls/private/overcloud_endpoint.pem | less # Cert is valid

# podman exec haproxy cp /var/lib/kolla/config_files/src-tls/etc/pki/tls/private/overcloud_endpoint.pem /etc/pki/tls/private/overcloud_endpoint.pem
# podman exec haproxy ls -lZ /etc/pki/tls/private/overcloud_endpoint.pem
-rw-r-----. haproxy haproxy system_u:object_r:container_file_t:s0:c520,c935 /etc/pki/tls/private/overcloud_endpoint.pem
# podman kill --signal HUP haproxy
e72f897d35cee91acb0dfda322f0f2028b2c235d044a0caa73c8037f97a3001a

NO luck... sourced stackrc and the executed cmd returns:

# openstack server list
Failed to discover available identity versions when contacting https://UNDERCLOUD_LOCAL_IP:13000. Attempting to parse version from URL.
Could not find versioned identity endpoints when attempting to authenticate. Please check that your auth_url is correct.
SSL exception connecting to https://10.196.106.254:13000: HTTPSConnectionPool(host='UNDERCLOUD_LOCAL_IP', port=13000): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)'),))

Inside container:
# openssl x509 -noout -startdate -enddate -in /etc/pki/tls/private/overcloud_endpoint.pem
notBefore=Jan 17 06:29:02 2021 GMT
notAfter=Oct 7 08:23:06 2021 GMT

Outside container:
# openssl x509 -noout -startdate -enddate -in /etc/pki/tls/private/overcloud_endpoint.pem
notBefore=Jan 17 06:29:02 2021 GMT
notAfter=Oct 7 08:23:06 2021 GMT
#

JUST NOW thinking, is it a different error? I do not get how it was working and stopped working on the date when the prev cert expires... even after reboot it should work... reload with the new cert, right?

By the way, certmonger looks like this:
-----
# getcert list
Number of certificates and requests being tracked: 1.
Request ID 'haproxy-external-cert':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/haproxy/overcloud-haproxy-external.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.crt'
	CA: local
	issuer: CN=d4a25e33-4c424982-9d23137d-28694ac3,CN=Local Signing Authority
	subject: CN=UNDERCLOUD_LOCAL_IP
	expires: 2021-10-07 08:23:06 UTC
	eku: id-kp-clientAuth,id-kp-serverAuth
	pre-save command:
	post-save command: /usr/bin/certmonger-haproxy-refresh.sh reload external
	track: yes
	auto-renew: yes

On Tue, 16 Feb 2021 at 19:07, John Fulton <johfulto@redhat.com> wrote:
Ok, pardon me,

$ openssl x509 -noout -in ruslanas/openssl_s_client -startdate -enddate
notBefore=Jan 17 06:29:02 2021 GMT
notAfter=Oct 7 08:23:06 2021 GMT

I did openssl s_client into the undercloud 13000 port. YES, the cert is extended. What is not working, the CA? Did the CA cert expire?

Yup, looks so.

$ openssl x509 -noout -startdate -enddate -in first_cert # First cert from /etc/pki/tls/private/overcloud_endpoint.pem
notBefore=Jan 17 06:29:02 2021 GMT
notAfter=Oct 7 08:23:06 2021 GMT
$ openssl x509 -noout -startdate -enddate -in second_cert # Second cert from /etc/pki/tls/private/overcloud_endpoint.pem
notBefore=Feb 13 13:09:29 2020 GMT
notAfter=Feb 13 13:09:29 2021 GMT
$

That generated CA cert got expired. Am I right? Should that be rotated/refreshed by certmonger also?

Thank you.

On Tue, 16 Feb 2021 at 19:57, Ruslanas Gžibovskis <ruslanas@lpic.lt> wrote:
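A check for exactly the situation found above, added here as an example (it is not code from the thread or from TripleO/certmonger): it splits a PEM bundle such as overcloud_endpoint.pem into its certificates, parses the validity lines that `openssl x509 -noout -startdate -enddate` prints, and reports when the leaf is still valid but the CA behind it has already expired, so that renewing the leaf alone is known not to help. The labels, the reference date and the embedded sample output (copied from the values quoted in the thread) are constructed for the example.

```python
import re
import subprocess
from datetime import datetime, timezone

# Format of the notBefore=/notAfter= lines printed by
# `openssl x509 -noout -startdate -enddate`, e.g. "Oct  7 08:23:06 2021 GMT".
OPENSSL_TIME = "%b %d %H:%M:%S %Y %Z"

# Constructed sample (labels are mine): the validity output quoted in the thread for
# the first (leaf) and second (local CA) certificate of overcloud_endpoint.pem.
SAMPLE_OUTPUT = [
    ("haproxy leaf", "notBefore=Jan 17 06:29:02 2021 GMT\nnotAfter=Oct  7 08:23:06 2021 GMT\n"),
    ("local CA", "notBefore=Feb 13 13:09:29 2020 GMT\nnotAfter=Feb 13 13:09:29 2021 GMT\n"),
]

def split_pem_bundle(text):
    """Each PEM certificate block of a bundle, in file order (leaf first, then the CA)."""
    return re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", text, re.S)

def parse_validity(openssl_output):
    """Parse openssl's notBefore=/notAfter= lines into UTC datetimes."""
    dates = {}
    for line in openssl_output.splitlines():
        key, _, value = line.strip().partition("=")
        if key in ("notBefore", "notAfter"):
            value = " ".join(value.split())  # collapse the "Oct  7" day padding
            dates[key] = datetime.strptime(value, OPENSSL_TIME).replace(tzinfo=timezone.utc)
    return dates["notBefore"], dates["notAfter"]

def validity_from_pem(pem_block):
    """Validity of one PEM block via the openssl CLI (needs openssl installed)."""
    out = subprocess.run(["openssl", "x509", "-noout", "-startdate", "-enddate"],
                         input=pem_block, capture_output=True, text=True, check=True).stdout
    return parse_validity(out)

def chain_verdict(validities, now):
    """validities: [(label, notBefore, notAfter), ...] with the leaf first.
    Renewing the leaf does not help when the CA behind it is itself out of date."""
    bad = [label for label, nb, na in validities if not nb <= now <= na]
    if not bad:
        return "ok"
    if validities[0][0] in bad:
        return "leaf invalid: " + ", ".join(bad)
    return "leaf valid but issuer invalid: " + ", ".join(bad)

def diagnose(samples=SAMPLE_OUTPUT, now_iso="2021-02-16"):
    """Run the check on captured openssl output as of a given UTC date."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return chain_verdict([(label, *parse_validity(text)) for label, text in samples], now)
```

On a live host, feed each block from `split_pem_bundle(open(path).read())` through `validity_from_pem` and pass the results to `chain_verdict` with the current time; the same verdict then comes from the real bundle instead of the embedded sample.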
Does anyone have any idea for the undercloud self-signed "certificate_generation_ca = local" update of an expired undercloud self-signed CA cert?

I have an issue that undercloud deployment/upgrade does not work; it might be due to the already expired CA cert or something else, since the update is happening a year after deployment.

Should I just update the file used by haproxy with a new self-signed generated cert without a CA? Should it work?

We do not use overcloud there; we just use the undercloud API and ironic to provision some equipment.

Thank you.

On Tue, 16 Feb 2021 at 20:17, Ruslanas Gžibovskis <ruslanas@lpic.lt> wrote:
Does anyone know whether *systemctl disable certmonger* will stop updates of the cert? As I generated one for a bit longer than Feb of 2020 :)
Participants (2):
- John Fulton
- Ruslanas Gžibovskis