New subject: AW: [kolla-ansible][yoga] Cannot authenticate to openstack after deploying self-signed cert

22 Oct 2023

      Hi,

From the beginning I had kolla_verify_tls_backend: "no" in globals.yml

The weird thing is that the openstack cli works fine.
I even created a new user with admin role, I get the same behavior.
Horizon does not connect, the cli works.

I activated the debug mode on keystone
[root@rscdeployer ~]# cat /etc/yogakolla/config/keystone.conf
[DEFAULT]
debug = True
insecure_debug= True

But nothing in the log file, when I try to login via horizon, I don't get
anything on keystone.log.

I tested with a wrong password to see the behavior of the platform, and
this is what I got on keystone.log :

- Openstack CLI with wrong pass, I got : 2023-10-22 13:51:02.344 43 WARNING
keystone.server.flask.application [req-73100d88-8357-42ce-8865-e36c34a9bfa9
- - - - -] Authorization failed. The request you have made requires
authentication. from 10.10.3.16: keystone.exception.Unauthorized: The
request you have made requires authentication.

- Openstack Horizon with wrong pass, I got : Nothing

How can I follow up this, how can I be sure that it's not a horizon problem
or something else?

Regards.

<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
Virus-free.www.avast.com
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
<#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>

Le mer. 18 oct. 2023 à 13:17, Kaster, Jörn <Joern.Kaster@epg.com> a écrit :
...
Hi wodel,
nice to hear that the patch helps you.
With the keystone problem i can't help, but i think the certs are correct.
Two thoughts about that.
- If you have in the respective configurations of the OpenStack
   Services the IP address instead of any DNS Name configured (here is this
   the case) then the certificates don't need the dns name in it.
   - Could you please look for any error Messages in the keystone logs
   and also check if you can establish a connection to the keystone on the
   mentioned port with openssl s_client. If so, it could be possible that you
   have to disable the certificate verification in the deployment.
------------------------------
*Von:* wodel youchi <wodel.youchi@gmail.com>
*Gesendet:* Mittwoch, 18. Oktober 2023 11:55
*An:* Kaster, Jörn <Joern.Kaster@epg.com>
*Cc:* OpenStack Discuss <openstack-discuss@lists.openstack.org>
*Betreff:* Re: [kolla-ansible][yoga] Cannot authenticate to openstack
after deploying self-signed cert
OUTSIDE-EPG!
Thanks Jörn, it worked for cloudkitty, after applying the patch the
deployment went well. But :
- I still can't access the web console : An error occurred authenticating.
Please try again later.
- in cloudkitty-processor.log I am still having :
2023-10-18 10:46:25.271 8106 WARNING keystoneauth.identity.generic.base
[-] Failed to discover available identity versions when contacting
https://dinternal.cloud.domain.tld:35357. Attempting to parse version
from URL.: keystoneauth1.exceptions.connection.SSLError: SSL exception
connecting to https:// dinternal.cloud.domain.tld :35357:
HTTPSConnectionPool(host=' dinternal.cloud.domain.tld ', port=35357): Max
retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))
When generating the self-signed certificate, I noticed that the process
had generated :
- two haproxy certificates, one for the internet with the external FQDN
and the second for internal communication with the local internal FQDN.
- It also generated a backend certificate, that contains only the IP
addresses of the 03 controllers as Subject Alternate Names without any
mention of the domain I am using, is this correct?
[root@rscdeployer ~]# openssl x509 -noout -text -in
/etc/yogakolla/certificates/backend-cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1c:66:7e:37:85:cf:ca:1c:da:42:f6:f1:1f:dc:1e:97.....
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = KollaTestCA
        Validity
            Not Before: Oct 17 15:04:26 2023 GMT
            Not After : Oct 15 15:04:26 2025 GMT
        Subject: C = US, ST = NC, L = RTP, OU = kolla
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
              .....
              .....
              e6:23:a4:7f:30:74:ac:0c:2d:22:00:95:b6:ab:20:
                    98:6b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
*X509v3 Subject Alternative Name:                 IP Address:10.10.3.5, IP
Address:10.10.3.9, IP Address:10.10.3.13*
    Signature Algorithm: sha256WithRSAEncryption
         36:86:cb:b4:9a:fe:33:0d:ff:af:87:5e:00:9d:69:4e:32:21:
Regards.
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
Virus-free.www.avast.com
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
<#m_-6993449584919071302_x_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
Le mer. 18 oct. 2023 à 07:12, Kaster, Jörn <Joern.Kaster@epg.com> a
écrit :
Hello wodel,
the problem with cloudkitty deployment with self signed certs could
resolve to the following bugreport [1].
[1] https://bugs.launchpad.net/kolla-ansible/+bug/1998831
Bug #1998831 “CloudKitty bootstrap fails when using internal TLS...” :
Bugs : kolla-ansible
<https://bugs.launchpad.net/kolla-ansible/+bug/1998831>
When InfluxDB is behind HAProxy's internal TLS, CloudKitty fails to
bootstrap its InfluxDB database with the following error: TASK [cloudkitty
: Creating Cloudkitty influxdb database]
***************************************************************************************************************************
fatal: [controller01 -> controller01]: FAILED! => changed=false   action:
influxdb_database   msg: ('Connection aborted.', RemoteDisconnected('Remote
end closed connection without response...
bugs.launchpad.net
------------------------------
*Von:* wodel youchi <wodel.youchi@gmail.com>
*Gesendet:* Mittwoch, 18. Oktober 2023 01:33
*An:* OpenStack Discuss <openstack-discuss@lists.openstack.org>
*Betreff:* [kolla-ansible][yoga] Cannot authenticate to openstack after
deploying self-signed cert
OUTSIDE-EPG!
Hi,
Our ssl certificate expired a couple of days ago, and we started
experiencing failed login, to workaround the problem rapidly we decided to
deploy the self-signed certificates generated by kolla.
We generated the certificates then we did a reconfigure, but still the
problem remains : An error occurred authenticating. Please try again later.
on horizon.log we have :
[Wed Oct 18 00:25:55.379383 2023] [wsgi:error] [pid 103:tid
140182314505984] [remote 10.10.3.5:40848] Login failed for user "admin"
using domain "default", remote address 10.10.3.5
The openstack command line works fine.
How can we debug this?
The second problem we have is with cloudkitty that refuses to reconfigure
with the generated self-signed certificate, we had to ignore it from the
reconfiguration process by putting the cloudkitty variable to no before
restarting the reconfigure process.
How can we debug this?
Regards.
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
Virus-free.www.avast.com
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
<#m_-6993449584919071302_x_m_9147058937014271290_x_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>

Re: [kolla-ansible][yoga] Cannot authenticate to openstack after deploying self-signed cert

wodel youchi

Kaster, Jörn

wodel youchi

wodel youchi

Kaster, Jörn

tags

participants (2)