[magnum] podman fedora-coreos authorization failed: SSL exception connecting on keystone
Hello guys,

I'm trying to deploy a kubernetes cluster using magnum 9.2 with fedora-coreos-31.20200113.3.1-openstack.

Master vm is deployed correctly but the cluster is never deployed since podman returns the following error:

Jan 21 21:55:14 k8s-cluster002-mn5qgp6qlmw6-master-0 podman[2433]: Authorization failed: SSL exception connecting to https://api.mydomain.cloud:5000/v3/auth/tokens: HTTPSConnectionPool(host='api.mydomain.cloud', port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLError(185090184, u'[X509] no certificate or crl found (_ssl.c:3063)'),))

I do have a valid letsencrypt certification on that particular domain.

curl https://api.mydomain.cloud:5000/v3/auth/tokens
{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

I was wondering, have you guys seen this issue before? Below is the template.

https://paste.xinu.at/OC0Ic/

--
Ionut Biru - https://fleio.com

Hi Ionut,

Would you mind sharing your magnum.conf? I think you may need the *cafile* config option for both *keystone_authtoken* and *keystone_auth.*

--
Cheers & Best regards,
Feilong Wang (王飞龙)
Head of R&D
Catalyst Cloud - Cloud Native New Zealand
--------------------------------------------------------------------------
Tel: +64-48032246
Email: flwang@catalyst.net.nz
Level 6, Catalyst House, 150 Willis Street, Wellington
--------------------------------------------------------------------------

Hello,

I don't have cafile configured in keystone_authtoken and keystone_auth. I did copy letsencrypt cafile and configured it but now magnum cannot communicate with keystone, even for something as simple as coe cluster list.

CRITICAL keystonemiddleware.auth_token [-] Unable to validate token: Could not find versioned identity endpoints when attempting to authenticate. (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify ies exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),)

--
Ionut Biru - https://fleio.com

Hello,

I've deployed the same kubernetes version on fedora-atomic but with use_podman=true and it worked flawlessly. Maybe it is an issue with fedora-coreos?

--
Ionut Biru - https://fleio.com

Hi,

I found the difference between the two.

On fedora-coreos inside the heat container that is run by podman REQUESTS_CA_BUNDLE has the value /etc/pki/ca-trust/source/anchors/openstack-ca.pem which is empty.

On fedora-atomic the var has the value /etc/pki/tls/certs/ca-bundle.crt

--
Ionut Biru - https://fleio.com
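
Added example (not part of the thread, and not Magnum or heat-container-agent code): a Python check of the file named by REQUESTS_CA_BUNDLE, the variable identified in the last message, showing that a zero-byte CA file is rejected by OpenSSL when it is loaded, before any connection is made. The function names and the temporary file are constructed for illustration.

```python
import os
import ssl
import tempfile

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


def load_error(path):
    """Return the error raised when `path` is loaded as a CA file, or None.

    The thread shows an empty file surfacing as "no certificate or crl found".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return str(exc)
    return None


def inspect_bundle(path):
    """Classify a CA bundle path: missing, empty, no-certs, unparsable or ok."""
    if not path or not os.path.isfile(path):
        return {"path": path, "status": "missing", "certs": 0, "error": None}
    with open(path, "rb") as fh:
        data = fh.read()
    certs = data.count(PEM_MARKER)
    status = "empty" if not data.strip() else ("ok" if certs else "no-certs")
    error = load_error(path)
    if status == "ok" and error:
        status = "unparsable"  # PEM markers present but OpenSSL rejects them
    return {"path": path, "status": status, "certs": certs, "error": error}


def check_requests_env(environ=os.environ):
    """Inspect the bundle that requests is told to use via REQUESTS_CA_BUNDLE."""
    path = environ.get("REQUESTS_CA_BUNDLE")
    if path is None:
        return {"path": None, "status": "unset", "certs": 0, "error": None}
    return inspect_bundle(path)


def demo_empty_bundle():
    """Constructed reproduction: REQUESTS_CA_BUNDLE points at a zero-byte file."""
    with tempfile.NamedTemporaryFile(suffix=".pem") as fh:
        return check_requests_env({"REQUESTS_CA_BUNDLE": fh.name})


if __name__ == "__main__":
    print(check_requests_env())  # the bundle configured in this environment
    print(demo_empty_bundle())   # status "empty" plus the OpenSSL error text
```

Run inside the container whose requests-based client fails, a status of "empty" or "missing" means the trust anchor file was never populated, which is a different fault from a server certificate that fails verification.
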
participants (2)
- Feilong Wang
- Ionut Biru