[Triple0 - Wallaby] Overcloud deployment getting failed with SSL - openstack-discuss

8 Jul 2022

      Hi Team,
We were trying to install overcloud with SSL enabled for which the UC is
installed, but OC install is getting failed at step 4:

ERROR
:nectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max retries
exceeded with url: / (Caused by SSLError(CertificateError(\"hostname
'fd00:fd00:fd00:9900::2ef' doesn't match 'undercloud.com'\",),))\n",
"module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the
exact error", "rc": 1}
2022-07-08 17:03:23.606739 | 5254009a-6a3c-adb1-f96f-0000000072ac |
 FATAL | Clean up legacy Cinder keystone catalog entries | undercloud |
item={'service_name': 'cinderv3', 'service_type': 'volume'} |
error={"ansible_index_var": "cinder_api_service", "ansible_loop_var":
"item", "changed": false, "cinder_api_service": 1, "item": {"service_name":
"cinderv3", "service_type": "volume"}, "module_stderr": "Failed to discover
available identity versions when contacting
https://[fd00:fd00:fd00:9900::2ef]:13000.
Attempting to parse version from URL.\nTraceback (most recent call last):\n
 File \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line
600, in urlopen\n    chunked=chunked)\n  File
\"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 343,
in _make_request\n    self._validate_conn(conn)\n  File
\"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 839,
in _validate_conn\n    conn.connect()\n  File
\"/usr/lib/python3.6/site-packages/urllib3/connection.py\", line 378, in
connect\n    _match_hostname(cert, self.assert_hostname or
server_hostname)\n  File
\"/usr/lib/python3.6/site-packages/urllib3/connection.py\", line 388, in
_match_hostname\n    match_hostname(cert, asserted_hostname)\n  File
\"/usr/lib64/python3.6/ssl.py\", line 291, in match_hostname\n    %
(hostname, dnsnames[0]))\nssl.CertificateError: hostname
'fd00:fd00:fd00:9900::2ef' doesn't match 'undercloud.com'\n\nDuring
handling of the above exception, another exception occurred:\n\nTraceback
(most recent call last):\n  File
\"/usr/lib/python3.6/site-packages/requests/adapters.py\", line 449, in
send\n    timeout=timeout\n  File
\"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 638,
in urlopen\n    _stacktrace=sys.exc_info()[2])\n  File
\"/usr/lib/python3.6/site-packages/urllib3/util/retry.py\", line 399, in
increment\n    raise MaxRetryError(_pool, url, error or
ResponseError(cause))\nurllib3.exceptions.MaxRetryError:
HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
retries exceeded with url: / (Caused by
SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
match 'undercloud.com'\",),))\n\nDuring handling of the above exception,
another exception occurred:\n\nTraceback (most recent call last):\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1022,
in _send_request\n    resp = self.session.request(method, url, **kwargs)\n
 File \"/usr/lib/python3.6/site-packages/requests/sessions.py\", line 533,
in request\n    resp = self.send(prep, **send_kwargs)\n  File
\"/usr/lib/python3.6/site-packages/requests/sessions.py\", line 646, in
send\n    r = adapter.send(request, **kwargs)\n  File
\"/usr/lib/python3.6/site-packages/requests/adapters.py\", line 514, in
send\n    raise SSLError(e, request=request)\nrequests.exceptions.SSLError:
HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
retries exceeded with url: / (Caused by
SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
match 'undercloud.com'\",),))\n\nDuring handling of the above exception,
another exception occurred:\n\nTraceback (most recent call last):\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
line 138, in _do_create_plugin\n    authenticated=False)\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
610, in get_discovery\n    authenticated=authenticated)\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 1452,
in get_discovery\n    disc = Discover(session, url,
authenticated=authenticated)\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 536,
in __init__\n    authenticated=authenticated)\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 102,
in get_version_data\n    resp = session.get(url, headers=headers,
authenticated=authenticated)\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1141,
in get\n    return self.request(url, 'GET', **kwargs)\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 931, in
request\n    resp = send(**kwargs)\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1026,
in _send_request\n    raise
exceptions.SSLError(msg)\nkeystoneauth1.exceptions.connection.SSLError: SSL
exception connecting to https://[fd00:fd00:fd00:9900::2ef]:13000:
HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
retries exceeded with url: / (Caused by
SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
match 'undercloud.com'\",),))\n\nDuring handling of the above exception,
another exception occurred:\n\nTraceback (most recent call last):\n  File
\"<stdin>\", line 102, in <module>\n  File \"<stdin>\", line 94, in
_ansiballz_main\n  File \"<stdin>\", line 40, in invoke_module\n  File
\"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\n    return
_run_module_code(code, init_globals, run_name, mod_spec)\n  File
\"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\n
 mod_name, mod_spec, pkg_name, script_name)\n  File
\"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\n    exec(code,
run_globals)\n  File
\"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
line 185, in <module>\n  File
\"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
line 181, in main\n  File
\"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/module_utils/openstack.py\",
line 407, in __call__\n  File
\"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
line 141, in run\n  File
\"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\", line
517, in search_services\n    services = self.list_services()\n  File
\"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\", line
492, in list_services\n    if self._is_client_version('identity', 2):\n
 File
\"/usr/lib/python3.6/site-packages/openstack/cloud/openstackcloud.py\",
line 460, in _is_client_version\n    client = getattr(self, client_name)\n
 File \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\",
line 32, in _identity_client\n    'identity', min_version=2,
max_version='3.latest')\n  File
\"/usr/lib/python3.6/site-packages/openstack/cloud/openstackcloud.py\",
line 407, in _get_versioned_client\n    if adapter.get_endpoint():\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/adapter.py\", line 291, in
get_endpoint\n    return self.session.get_endpoint(auth or self.auth,
**kwargs)\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1243,
in get_endpoint\n    return auth.get_endpoint(self, **kwargs)\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
380, in get_endpoint\n    allow_version_hack=allow_version_hack,
**kwargs)\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
271, in get_endpoint_data\n    service_catalog =
self.get_access(session).service_catalog\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
134, in get_access\n    self.auth_ref = self.get_auth_ref(session)\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
line 206, in get_auth_ref\n    self._plugin =
self._do_create_plugin(session)\n  File
\"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
line 161, in _do_create_plugin\n    'auth_url is correct. %s' %
e)\nkeystoneauth1.exceptions.discovery.DiscoveryFailure: Could not find
versioned identity endpoints when attempting to authenticate. Please check
that your auth_url is correct. SSL exception connecting to
https://[fd00:fd00:fd00:9900::2ef]:13000:
HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
retries exceeded with url: / (Caused by
SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
match 'overcloud.example.com'\",),))\n", "module_stdout": "", "msg":
"MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
2022-07-08 17:03:23.609354 | 5254009a-6a3c-adb1-f96f-0000000072ac |
TIMING | Clean up legacy Cinder keystone catalog entries | undercloud |
0:11:01.271914 | 2.47s
2022-07-08 17:03:23.611094 | 5254009a-6a3c-adb1-f96f-0000000072ac |
TIMING | Clean up legacy Cinder keystone catalog entries | undercloud |
0:11:01.273659 | 2.47s

PLAY RECAP
*********************************************************************
localhost                  : ok=0    changed=0    unreachable=0    failed=0
   skipped=2    rescued=0    ignored=0
overcloud-controller-0     : ok=437  changed=104  unreachable=0    failed=0
   skipped=214  rescued=0    ignored=0
overcloud-controller-1     : ok=436  changed=101  unreachable=0    failed=0
   skipped=214  rescued=0    ignored=0
overcloud-controller-2     : ok=431  changed=101  unreachable=0    failed=0
   skipped=214  rescued=0    ignored=0
overcloud-novacompute-0    : ok=345  changed=83   unreachable=0    failed=0
   skipped=198  rescued=0    ignored=0
undercloud                 : ok=28   changed=7    unreachable=0    failed=1
   skipped=3    rescued=0    ignored=0
2022-07-08 17:03:23.647270 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Summary
Information ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2022-07-08 17:03:23.647907 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Total Tasks:
1373       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

in the deploy.sh:

openstack overcloud deploy --templates \
    -r /home/stack/templates/roles_data.yaml \
    --networks-file /home/stack/templates/custom_network_data.yaml \
    --vip-file  /home/stack/templates/custom_vip_data.yaml \
    --baremetal-deployment
 /home/stack/templates/overcloud-baremetal-deploy.yaml \
    --network-config \
    -e /home/stack/templates/environment.yaml \
    -e
/usr/share/openstack-tripleo-heat-templates/environments/services/ironic-conductor.yaml
\
    -e
/usr/share/openstack-tripleo-heat-templates/environments/services/ironic-inspector.yaml
\
    -e
/usr/share/openstack-tripleo-heat-templates/environments/services/ironic-overcloud.yaml
\
    -e /home/stack/templates/ironic-config.yaml \
    -e
/usr/share/openstack-tripleo-heat-templates/environments/external-ceph.yaml
\
    -e
/usr/share/openstack-tripleo-heat-templates/environments/services/ptp.yaml \
    -e
/usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-tls.yaml
\
    -e
/usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-ip.yaml
\
    -e
/usr/share/openstack-tripleo-heat-templates/environments/ssl/inject-trust-anchor.yaml
\
    -e
/usr/share/openstack-tripleo-heat-templates/environments/docker-ha.yaml \
    -e /usr/share/openstack-tripleo-heat-templates/environments/podman.yaml
\
    -e /home/stack/containers-prepare-parameter.yaml

Addition lines as highlighted in yellow were passed with modifications:
tls-endpoints-public-ip.yaml:
Passed as is in the defaults.
enable-tls.yaml:

# *******************************************************************
# This file was created automatically by the sample environment
# generator. Developers should use `tox -e genconfig` to update it.
# Users are recommended to make changes to a copy of the file instead
# of the original, if any customizations are needed.
# *******************************************************************
# title: Enable SSL on OpenStack Public Endpoints
# description: |
#   Use this environment to pass in certificates for SSL deployments.
#   For these values to take effect, one of the tls-endpoints-*.yaml
#   environments must also be used.
parameter_defaults:
  # Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
  # Type: boolean
  HorizonSecureCookies: True

  # Specifies the default CA cert to use if TLS is used for services in the
public network.
  # Type: string
  PublicTLSCAFile: '/etc/pki/ca-trust/source/anchors/overcloud-cacert.pem'

  # The content of the SSL certificate (without Key) in PEM format.
  # Type: string
  SSLRootCertificate: |
    -----BEGIN CERTIFICATE-----
    ----*** CERTICATELINES TRIMMED **
    -----END CERTIFICATE-----

  SSLCertificate: |
    -----BEGIN CERTIFICATE-----
     ----*** CERTICATELINES TRIMMED **
    -----END CERTIFICATE-----
  # The content of an SSL intermediate CA certificate in PEM format.
  # Type: string
  SSLIntermediateCertificate: ''

  # The content of the SSL Key in PEM format.
  # Type: string
  SSLKey: |
    -----BEGIN PRIVATE KEY-----
     ----*** CERTICATELINES TRIMMED **
    -----END PRIVATE KEY-----

  # ******************************************************
  # Static parameters - these are values that must be
  # included in the environment but should not be changed.
  # ******************************************************
  # The filepath of the certificate as it will be stored in the controller.
  # Type: string
  DeployedSSLCertificatePath: /etc/pki/tls/private/overcloud_endpoint.pem

  # *********************
  # End static parameters
  # *********************

inject-trust-anchor.yaml

# *******************************************************************
# This file was created automatically by the sample environment
# generator. Developers should use `tox -e genconfig` to update it.
# Users are recommended to make changes to a copy of the file instead
# of the original, if any customizations are needed.
# *******************************************************************
# title: Inject SSL Trust Anchor on Overcloud Nodes
# description: |
#   When using an SSL certificate signed by a CA that is not in the default
#   list of CAs, this environment allows adding a custom CA certificate to
#   the overcloud nodes.
parameter_defaults:
  # The content of a CA's SSL certificate file in PEM format. This is
evaluated on the client side.
  # Mandatory. This parameter must be set by the user.
  # Type: string
  SSLRootCertificate: |
    -----BEGIN CERTIFICATE-----
   ----*** CERTICATELINES TRIMMED **
    -----END CERTIFICATE-----

resource_registry:
  OS::TripleO::NodeTLSCAData: ../../puppet/extraconfig/tls/ca-inject.yaml

The procedure to create such files was followed using:
Deploying with SSL — TripleO 3.0.0 documentation (openstack.org)
<https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/ssl.html>

Idea is to deploy overcloud with SSL enabled i.e* Self-signed IP-based
certificate, without DNS. *

Any idea around this error would be of great help.

--
skype: lokendrarathour

[Triple0 - Wallaby] Overcloud deployment getting failed with SSL

Lokendra Rathour

Swogat Pradhan

Brendan Shephard

Lokendra Rathour

Brendan Shephard

Swogat Pradhan

Lokendra Rathour

Lokendra Rathour

Vikarna Tathe

Lokendra Rathour

Vikarna Tathe

Swogat Pradhan

Lokendra Rathour

Brendan Shephard

Lokendra Rathour

Lokendra Rathour

Brendan Shephard

Lokendra Rathour

Lokendra Rathour

Brendan Shephard

Lokendra Rathour

Lokendra Rathour

tags

participants (4)