[kolla] Magnum K8s cluster creation time out due to "Failed to contact endpoint at https ... certificate verify failed" error in magnum-conductor

Giuseppe Sannino km.giuseppesannino at gmail.com
Mon Feb 4 14:25:22 UTC 2019 

Hi all,
this is my first post on this mailing list especially for "kolla" related
issues.
Hope you can help and hope this is the right channel to reuqest support.

I have a problem with Magnum during the creation of a K8S cluster.
The request gets timed out.

Looking at the magnum-conductor logs I can see:

 Failed to contact the endpoint at https://<External IP>:5000 for
discovery. Fallback to using that endpoint as the base url.: SSLError: SSL
exception connecting to https:// <External IP>  :5000:
HTTPSConnectionPool(host=' <External IP>  ', port=5000): Max retries
exceeded with url: / (Caused by SSLError(SSLError("bad handshake:
Error([('SSL routines', 'tls_process_server_certificate', 'certificate
verify failed')],)",),))

I had a similar issue with Kuryr. the service is trying to contact keystone
over the external IP address without certificates.

In kuryr, the workaround was to set the "endpoint_type" for neutron to
"internal".

In magnum.conf that's already the situation.

Any suggestion on how to address this issue ?

Here you can find some details about the deployment:
---------------------------
Host nodes: Baremetal
OS: Queens
kolla-ansible: 6.1.0
Deployment: multinode (1+1). Kolla installed on the controller host
kolla_install_type: source
kolla_base_distro: ubuntu
External/internal interfaces: separated
kolla_enable_tls_external: "yes"
Services:
enable_cinder: "yes"
enable_cinder_backend_lvm: "yes"
enable_etcd: "yes"
enable_fluentd: "yes"
enable_haproxy: "yes"
enable_heat: "yes"
enable_horizon: "yes"
enable_horizon_magnum: "{{ enable_magnum | bool }}"
enable_horizon_zun: "{{ enable_zun | bool }}"
enable_kuryr: "yes"
enable_magnum: "yes"
enable_openvswitch: "{{ neutron_plugin_agent != 'linuxbridge' }}"
enable_zun: "yes"
glance_backend_file: "yes"
nova_compute_virt_type: "qemu"
---------------------------

BR and many thanks in advance

/Giuseppe
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20190204/00e925cc/attachment.html>

More information about the openstack-discuss mailing list