[CentOS7][train][tripleo]undercloud self-signed certificate expired

Ruslanas Gžibovskis ruslanas at lpic.lt
Tue Feb 16 18:57:42 UTC 2021

Yes, sorry, I was very, very unclear.
I use:
certificate_generation_ca = local

I even saw that the cert itself should auto-update/refresh.
But there was a bug using autorefresh; I have just updated and rebooted the

I even found a very nice and curious
script: /bin/certmonger-haproxy-refresh.sh
Executed and re-executed some things manually with the cert which should
# /bin/certmonger-haproxy-refresh.sh reload external # with some additional
outputs below:
exec haproxy cp
exec haproxy chown haproxy:haproxy
kill --signal HUP haproxy

# openssl x509 -noout -text -in /etc/pki/tls/private/overcloud_endpoint.pem
| less # Cert is valid

# podman exec haproxy cp
# podman exec haproxy ls -lZ /etc/pki/tls/private/overcloud_endpoint.pem
-rw-r-----. haproxy haproxy system_u:object_r:container_file_t:s0:c520,c935
# podman kill --signal HUP haproxy

NO luck...
Sourced stackrc, and the executed command returns:
# openstack server list
Failed to discover available identity versions when contacting
https://UNDERCLOUD_LOCAL_IP:13000. Attempting to parse version from URL.
Could not find versioned identity endpoints when attempting to
authenticate. Please check that your auth_url is correct. SSL exception
connecting to
HTTPSConnectionPool(host='UNDERCLOUD_LOCAL_IP', port=13000): Max retries
exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)'),))

Inside container:
# openssl x509 -noout -startdate -enddate -in
notBefore=Jan 17 06:29:02 2021 GMT
notAfter=Oct  7 08:23:06 2021 GMT

outside container:
# openssl x509 -noout -startdate -enddate -in
notBefore=Jan 17 06:29:02 2021 GMT
notAfter=Oct  7 08:23:06 2021 GMT

JUST NOW thinking: is it a different error? I do not get how it was working
and then stopped working on the date when the previous cert expired... Even after a reboot
it should work... reload with the new cert, right?

By the way certmonger looks like this:
# getcert list
Number of certificates and requests being tracked: 1.
Request ID 'haproxy-external-cert':
        status: MONITORING
        stuck: no
        key pair storage:
        CA: local
        issuer: CN=d4a25e33-4c424982-9d23137d-28694ac3,CN=Local Signing
        subject: CN=UNDERCLOUD_LOCAL_IP
        expires: 2021-10-07 08:23:06 UTC
        eku: id-kp-clientAuth,id-kp-serverAuth
        pre-save command:
        post-save command: /usr/bin/certmonger-haproxy-refresh.sh reload
        track: yes
        auto-renew: yes

On Tue, 16 Feb 2021 at 19:07, John Fulton <johfulto at redhat.com> wrote:

> On Tue, Feb 16, 2021 at 11:21 AM Ruslanas Gžibovskis <ruslanas at lpic.lt>
> wrote:
> >
> > Hi all.
> >
> > I got undercloud certificate expired and cannot find the best procedure
> to update the certificate. Do you have any link to Read The Following
> Material/Manual?
> Did you see this?
> https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/ssl.html
>   John
> >
> > I cannot find anything useful. As "openstack undercloud install|upgrade
> --force-stack-update" fails at step below:
> >
> > "logical_resource_id": "undercloud", "resource_status_reason": "Resource
> CREATE failed: StackValidationFailed:
> resources.UndercloudServiceChain.resources.ServiceChain: Property error:
> ServiceChain.resources[18].properties: Property RootStackName not
> assigned", "resource_status": "CREATE_FAILED", "physical_resource_id":
> "50784129-526c-4f14-83d3-7a0c51a7cbd9", "id":
> "d3b641cb-8ec0-422b-a012-8b14c9724270"}]}
> >
> > --
> > Ruslanas Gžibovskis
> > +370 6030 7030

Ruslanas Gžibovskis
+370 6030 7030
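The post above pokes at three things by hand: whether the renewed file on disk matches the copy inside the haproxy container, whether the certificate is currently valid, and why the client still reports CERTIFICATE_VERIFY_FAILED. The script below is an added diagnostic helper written for this page; it is not code from the thread, from TripleO or from certmonger. It fetches the leaf certificate haproxy actually presents on the endpoint and compares its fingerprint with the file on disk and with the in-container copy, checks expiry, and runs `openssl verify` against the CA bundle the client is assumed to use. The certificate path, port 13000 and the container name `haproxy` are taken from the thread; the default CA bundle path `/etc/pki/tls/certs/ca-bundle.crt` and the presence of the coreutils `timeout` command are assumptions and can be overridden via arguments.

```shell
#!/usr/bin/env bash
# Added diagnostic helper, not code from the thread or from TripleO/certmonger.
# Checks: does haproxy present the same cert that certmonger renewed on disk
# (and that the container sees), has it expired, and does it chain to a CA in
# the client's trust store. Defaults are assumptions taken from the thread.
set -u

DEFAULT_CERT="/etc/pki/tls/private/overcloud_endpoint.pem"   # path from the thread
DEFAULT_CA="/etc/pki/tls/certs/ca-bundle.crt"                # assumed client trust store
CONTAINER="haproxy"                                          # container name from the thread

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Prints "same" if two PEM files hold the same certificate, "different" otherwise.
certs_match() {
    if [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]; then
        echo same
    else
        echo different
    fi
}

# Exit 0 if the certificate has not yet expired (-checkend 0 asks:
# "will it expire within 0 seconds?").
cert_is_valid_now() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null
}

# Exit 0 if CERT ($2) chains to a trust anchor in CAFILE ($1).
cert_verifies_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Leaf certificate presented by HOST ($1) on PORT ($2), as PEM on stdout.
# "timeout" (coreutils) is assumed to be available so a dead endpoint cannot hang us.
served_cert() {
    timeout 15 openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# The copy of the certificate file ($1) as seen from inside the haproxy container.
container_cert() {
    podman exec "$CONTAINER" cat "$1"
}

main() {
    local host="$1" port="${2:-13000}" cert="${3:-$DEFAULT_CERT}" ca="${4:-$DEFAULT_CA}"
    local tmp rc=0
    tmp="$(mktemp -d)"

    if ! served_cert "$host" "$port" >"$tmp/served.pem"; then
        echo "could not fetch a certificate from $host:$port" >&2
        rm -rf "$tmp"; return 1
    fi
    container_cert "$cert" >"$tmp/container.pem" 2>/dev/null || : >"$tmp/container.pem"

    echo "on disk   : $(cert_fingerprint "$cert")"
    echo "served    : $(cert_fingerprint "$tmp/served.pem")"
    if [ -s "$tmp/container.pem" ]; then
        echo "container : $(cert_fingerprint "$tmp/container.pem")"
        [ "$(certs_match "$cert" "$tmp/container.pem")" = same ] \
            || { echo "MISMATCH: container copy differs from the file on disk"; rc=1; }
    fi
    [ "$(certs_match "$cert" "$tmp/served.pem")" = same ] \
        || { echo "MISMATCH: haproxy still serves a different cert; it did not pick up the new one"; rc=1; }
    cert_is_valid_now "$tmp/served.pem" \
        || { echo "EXPIRED: the served certificate is past its notAfter date"; rc=1; }
    if cert_verifies_against "$ca" "$tmp/served.pem"; then
        echo "served certificate verifies against $ca"
    else
        echo "VERIFY FAILED: the issuer of the served cert is not trusted by $ca"; rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

if [ "$#" -ge 1 ]; then
    main "$@"
else
    echo "usage: $0 HOST [PORT] [CERT_FILE] [CA_FILE]" >&2
fi
```

Run it as `./check-endpoint-cert.sh UNDERCLOUD_LOCAL_IP 13000` from the undercloud. If the served fingerprint differs from the on-disk one, haproxy never reloaded the renewed file; if the fingerprints all agree but the verify step fails, the problem is on the client side: the trust store the openstack client uses does not contain the CA that signed the new certificate, which is exactly the CERTIFICATE_VERIFY_FAILED symptom in the post.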