Octavia: Could not retrieve certificate when create HTTPS listener using application credentials
Pawel Konczalski
pawel.konczalski at everyware.ch
Fri Jul 19 14:48:44 UTC 2019
Hi,
I try to create an Octavia HTTPS listener by using application
credentials but get this error:
Could not retrieve certificate:
['https://barbican.service.dev.example.com/v1/secrets/cb28220c-1339-4fc0-83f7-9cd155e3dc09',
'https://barbican.service.dev.example.com/v1/secrets/593cc231-92ee-4b0a-8c58-0080052a6b35',
'https://barbican.service.dev.example.com/v1/secrets/cb28220c-1339-4fc0-83f7-9cd155e3dc09']
(HTTP 400) (Request-ID: req-088d6eb0-a285-4089-bc11-ff0c3097123e)
# openstack secret list
+-------------------------------------------------------------------------------------------+-------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+
| Secret href                                                                               | Name  | Created                   | Status | Content types                             | Algorithm | Bit length | Secret type | Mode | Expiration |
+-------------------------------------------------------------------------------------------+-------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+
| https://barbican.service.dev.example.com/v1/secrets/593cc231-92ee-4b0a-8c58-0080052a6b35 | cert2 | 2019-07-19T13:42:21+00:00 | ACTIVE | {u'default': u'application/octet-stream'} | aes       | 256        | opaque      | cbc  | None       |
| https://barbican.service.dev.example.com/v1/secrets/cb28220c-1339-4fc0-83f7-9cd155e3dc09 | cert1 | 2019-07-19T13:42:12+00:00 | ACTIVE | {u'default': u'application/octet-stream'} | aes       | 256        | opaque      | cbc  | None       |
+-------------------------------------------------------------------------------------------+-------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+
# openstack loadbalancer listener create foo-lb1 \
    --name foo-lb1-https-listener \
    --protocol-port 443 \
    --protocol TERMINATED_HTTPS \
    --insert-headers X-Forwarded-For=true,X-Forwarded-Proto=true \
    --default-tls-container=https://barbican.service.dev.example.com/v1/secrets/cb28220c-1339-4fc0-83f7-9cd155e3dc09 \
    --sni-container-refs \
        https://barbican.service.dev.example.com/v1/secrets/cb28220c-1339-4fc0-83f7-9cd155e3dc09 \
        https://barbican.service.dev.example.com/v1/secrets/593cc231-92ee-4b0a-8c58-0080052a6b35
--------------------------------
Starting new HTTPS connection (1): octavia.service.dev.example.com:443
https://octavia.service.dev.example.com:443 "GET
/v2.0/lbaas/loadbalancers HTTP/1.1" 200 779
RESP: [200] Connection: keep-alive Content-Length: 779 Content-Type:
application/json Date: Fri, 19 Jul 2019 13:56:24 GMT Server:
WSGIServer/0.1 Python/2.7.15rc1 x-openstack-request-id:
req-50b5a3bb-21ec-4a46-8d5c-61035afd3423
RESP BODY: {"loadbalancers": [{"provider": "amphora", "description": "",
"admin_state_up": true, "pools": [{"id":
"169722d1-0a73-4283-bb42-aee5b662e2e2"}], "created_at":
"2019-07-19T13:34:52", "provisioning_status": "ACTIVE", "updated_at":
"2019-07-19T13:39:34", "vip_qos_policy_id": null, "vip_network_id":
"2064c61c-64a1-466f-983a-af435ae1d51c", "listeners": [{"id":
"169a91f9-ef5c-4d38-8449-e24b64cf082d"}], "tenant_id":
"9646533a8d834978a868e81c9b9a39cf", "vip_port_id":
"dcfc6e44-4092-4f2b-bd50-24e02abb078f", "flavor_id": "", "vip_address":
"10.0.1.4", "vip_subnet_id": "787035dc-add4-4227-844a-1cf803625abc",
"project_id": "9646533a8d834978a868e81c9b9a39cf", "id":
"e2ed48ab-3261-422f-b9b5-a5aa63486ae7", "operating_status": "OFFLINE",
"name": "foo-lb1"}], "loadbalancers_links": []}
GET call to
https://octavia.service.dev.example.com/v2.0/lbaas/loadbalancers used
request id req-50b5a3bb-21ec-4a46-8d5c-61035afd3423
REQ: curl -g -i -X POST
https://octavia.service.dev.example.com/v2.0/lbaas/listeners -H
"Content-Type: application/json" -H "User-Agent: openstacksdk/0.19.0
keystoneauth1/3.11.1 python-requests/2.20.1 CPython/2.7.15+" -H
"X-Auth-Token:
{SHA256}6414e14f4e78940902b11c89567689e3cc0d3ea62227b87a1e19361685c83584"
-d '{"listener": {"insert_headers": {"X-Forwarded-For": "true",
"X-Forwarded-Proto": "true"}, "protocol": "TERMINATED_HTTPS", "name":
"foo-lb1-https-listener", "default_tls_container_ref":
"https://barbican.service.dev.example.com/v1/secrets/cb28220c-1339-4fc0-83f7-9cd155e3dc09",
"sni_container_refs":
["https://barbican.service.dev.example.com/v1/secrets/cb28220c-1339-4fc0-83f7-9cd155e3dc09",
"https://barbican.service.dev.example.com/v1/secrets/593cc231-92ee-4b0a-8c58-0080052a6b35"],
"admin_state_up": true, "protocol_port": 443, "loadbalancer_id":
"e2ed48ab-3261-422f-b9b5-a5aa63486ae7"}}'
https://octavia.service.dev.example.com:443 "POST /v2.0/lbaas/listeners
HTTP/1.1" 400 357
RESP: [400] Connection: keep-alive Content-Length: 357 Content-Type:
application/json Date: Fri, 19 Jul 2019 13:56:27 GMT Server:
WSGIServer/0.1 Python/2.7.15rc1 x-openstack-request-id:
req-5eef99bf-45c9-43eb-b7c7-2dacaff980ca
RESP BODY: {"debuginfo": null, "faultcode": "Client", "faultstring":
"Could not retrieve certificate:
['https://barbican.service.dev.example.com/v1/secrets/cb28220c-1339-4fc0-83f7-9cd155e3dc09',
'https://barbican.service.dev.example.com/v1/secrets/593cc231-92ee-4b0a-8c58-0080052a6b35',
'https://barbican.service.dev.example.com/v1/secrets/cb28220c-1339-4fc0-83f7-9cd155e3dc09']"}
POST call to
https://octavia.service.dev.example.com/v2.0/lbaas/listeners used
request id req-5eef99bf-45c9-43eb-b7c7-2dacaff980ca
Request returned failure status: 400
Could not retrieve certificate:
['https://barbican.service.dev.example.com/v1/secrets/cb28220c-1339-4fc0-83f7-9cd155e3dc09',
'https://barbican.service.dev.example.com/v1/secrets/593cc231-92ee-4b0a-8c58-0080052a6b35',
'https://barbican.service.dev.example.com/v1/secrets/cb28220c-1339-4fc0-83f7-9cd155e3dc09']
(HTTP 400) (Request-ID: req-5eef99bf-45c9-43eb-b7c7-2dacaff980ca)
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/cliff/app.py", line 400, in
run_subcommand
result = cmd.run(parsed_args)
File
"/home/foo/.local/lib/python2.7/site-packages/osc_lib/command/command.py",
line 41, in run
return super(Command, self).run(parsed_args)
File "/usr/lib/python2.7/dist-packages/cliff/display.py", line 116,
in run
column_names, data = self.take_action(parsed_args)
File
"/home/foo/.local/lib/python2.7/site-packages/octaviaclient/osc/v2/listener.py",
line 168, in take_action
json=body)
File
"/home/foo/.local/lib/python2.7/site-packages/octaviaclient/api/v2/octavia.py",
line 38, in wrapper
request_id=e.request_id)
OctaviaClientException: Could not retrieve certificate:
['https://barbican.service.dev.example.com/v1/secrets/cb28220c-1339-4fc0-83f7-9cd155e3dc09',
'https://barbican.service.dev.example.com/v1/secrets/593cc231-92ee-4b0a-8c58-0080052a6b35',
'https://barbican.service.dev.example.com/v1/secrets/cb28220c-1339-4fc0-83f7-9cd155e3dc09']
(HTTP 400) (Request-ID: req-5eef99bf-45c9-43eb-b7c7-2dacaff980ca)
clean_up CreateListener: Could not retrieve certificate:
['https://barbican.service.dev.example.com/v1/secrets/cb28220c-1339-4fc0-83f7-9cd155e3dc09',
'https://barbican.service.dev.example.com/v1/secrets/593cc231-92ee-4b0a-8c58-0080052a6b35',
'https://barbican.service.dev.example.com/v1/secrets/cb28220c-1339-4fc0-83f7-9cd155e3dc09']
(HTTP 400) (Request-ID: req-5eef99bf-45c9-43eb-b7c7-2dacaff980ca)
Traceback (most recent call last):
File "/home/foo/.local/lib/python2.7/site-packages/osc_lib/shell.py",
line 136, in run
ret_val = super(OpenStackShell, self).run(argv)
File "/usr/lib/python2.7/dist-packages/cliff/app.py", line 279, in run
result = self.run_subcommand(remainder)
File "/home/foo/.local/lib/python2.7/site-packages/osc_lib/shell.py",
line 176, in run_subcommand
ret_value = super(OpenStackShell, self).run_subcommand(argv)
File "/usr/lib/python2.7/dist-packages/cliff/app.py", line 400, in
run_subcommand
result = cmd.run(parsed_args)
File
"/home/foo/.local/lib/python2.7/site-packages/osc_lib/command/command.py",
line 41, in run
return super(Command, self).run(parsed_args)
File "/usr/lib/python2.7/dist-packages/cliff/display.py", line 116,
in run
column_names, data = self.take_action(parsed_args)
File
"/home/foo/.local/lib/python2.7/site-packages/octaviaclient/osc/v2/listener.py",
line 168, in take_action
json=body)
File
"/home/foo/.local/lib/python2.7/site-packages/octaviaclient/api/v2/octavia.py",
line 38, in wrapper
request_id=e.request_id)
OctaviaClientException: Could not retrieve certificate:
['https://barbican.service.dev.example.com/v1/secrets/cb28220c-1339-4fc0-83f7-9cd155e3dc09',
'https://barbican.service.dev.example.com/v1/secrets/593cc231-92ee-4b0a-8c58-0080052a6b35',
'https://barbican.service.dev.example.com/v1/secrets/cb28220c-1339-4fc0-83f7-9cd155e3dc09']
(HTTP 400) (Request-ID: req-5eef99bf-45c9-43eb-b7c7-2dacaff980ca)
------------------------------
This issue occurs only when application credentials are used. Creation
of an HTTP listener with application credentials works fine, as does creation
of an HTTPS listener when the user is authenticated by user / password.
Does somebody know which additional ACLs / permissions are required to
fix this?
BR
Pawel
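An added example, not part of Pawel's post and not Octavia or Barbican code: a pre-flight check that takes the TLS refs from the listener body shown above (the default ref is repeated under SNI, which is why the error lists cb28220c twice), deduplicates them, and reads each one from Barbican with the same token the listener request would use, so a 401/403/404 from Barbican is seen directly instead of Octavia's generic "Could not retrieve certificate" 400. The `fetch` callable, the `REASONS` mapping and the sample responses are my assumptions, not part of the original page.

```python
import json
import urllib.error
import urllib.request

# Listener body as POSTed on this page; only the TLS refs matter for the check.
LISTENER = {
    "default_tls_container_ref": "https://barbican.service.dev.example.com/v1/secrets/cb28220c-1339-4fc0-83f7-9cd155e3dc09",
    "sni_container_refs": [
        "https://barbican.service.dev.example.com/v1/secrets/cb28220c-1339-4fc0-83f7-9cd155e3dc09",
        "https://barbican.service.dev.example.com/v1/secrets/593cc231-92ee-4b0a-8c58-0080052a6b35",
    ],
}

def tls_refs(listener):
    """Unique TLS container/secret refs in request order (default ref first)."""
    refs = [listener.get("default_tls_container_ref")]
    refs += list(listener.get("sni_container_refs") or [])
    seen, out = set(), []
    for ref in refs:
        if ref and ref not in seen:
            seen.add(ref)
            out.append(ref)
    return out

def http_fetch(url, token):
    """Real fetch (assumption): GET the Barbican href with the caller's token."""
    req = urllib.request.Request(url, headers={"X-Auth-Token": token,
                                               "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")

# Hypothetical mapping of Barbican status codes to a human-readable verdict.
REASONS = {401: "token rejected by Barbican",
           403: "forbidden: Barbican policy or secret ACL denies read",
           404: "not found: secret belongs to another project or was deleted"}

def preflight(listener, token, fetch=http_fetch):
    """Return {ref: verdict}; 'ok' only if metadata is readable and ACTIVE."""
    result = {}
    for ref in tls_refs(listener):
        status, body = fetch(ref, token)
        if status == 200:
            state = json.loads(body).get("status")
            result[ref] = "ok" if state == "ACTIVE" else "secret status %s" % state
        else:
            result[ref] = REASONS.get(status, "HTTP %d" % status)
    return result
```

A readable metadata record is not the whole story: Octavia also needs the secret payload (the `/payload` sub-resource, which Barbican guards with a separate policy rule), so run the same check against that URL if metadata reads succeed but the listener still fails.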