[CentOS7][train][tripleo]undercloud self-signed certificate expired

Ruslanas Gžibovskis ruslanas at lpic.lt
Tue Feb 16 18:57:42 UTC 2021


Yes, sorry, I was very very unclear.
I use:
certificate_generation_ca = local

I even saw that cert itself should auto-update/refresh.
But there was a bug using autorefresh, I have just updated and rebooted the
system.

even I found very nice and curious
script: /bin/certmonger-haproxy-refresh.sh
Executed and reexecuted some things manually with the cert which should
work:
# /bin/certmonger-haproxy-refresh.sh reload external # with some additional
outputs below:
/etc/pki/tls/private/overcloud_endpoint.pem
exec haproxy cp
/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/overcloud_endpoint.pem
/etc/pki/tls/private/overcloud_endpoint.pem
exec haproxy chown haproxy:haproxy
/etc/pki/tls/private/overcloud_endpoint.pem
kill --signal HUP haproxy
e72f897d35cee91acb0dfda322f0f2028b2c235d044a0caa73c8037f97a3001a

# openssl x509 -noout -text -in /etc/pki/tls/private/overcloud_endpoint.pem
| less # Cert is valid

# podman exec haproxy cp
/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/overcloud_endpoint.pem
/etc/pki/tls/private/overcloud_endpoint.pem
# podman exec haproxy ls -lZ /etc/pki/tls/private/overcloud_endpoint.pem
-rw-r-----. haproxy haproxy system_u:object_r:container_file_t:s0:c520,c935
/etc/pki/tls/private/overcloud_endpoint.pem
# podman kill --signal HUP haproxy
e72f897d35cee91acb0dfda322f0f2028b2c235d044a0caa73c8037f97a3001a

NO luck...
sourced stackrc and executed cmd returns:
#openstack server list
Failed to discover available identity versions when contacting
https://UNDERCLOUD_LOCAL_IP:13000. Attempting to parse version from URL.
Could not find versioned identity endpoints when attempting to
authenticate. Please check that your auth_url is correct. SSL exception
connecting to https://10.196.106.254:13000:
HTTPSConnectionPool(host='UNDERCLOUD_LOCAL_IP', port=13000): Max retries
exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)'),))

Inside container:
# openssl x509 -noout -startdate -enddate -in
/etc/pki/tls/private/overcloud_endpoint.pem
notBefore=Jan 17 06:29:02 2021 GMT
notAfter=Oct  7 08:23:06 2021 GMT

outside container:
# openssl x509 -noout -startdate -enddate -in
/etc/pki/tls/private/overcloud_endpoint.pem
notBefore=Jan 17 06:29:02 2021 GMT
notAfter=Oct  7 08:23:06 2021 GMT
#

JUST NOW thinking, is it a different error? I do not get how it was working
and stopped working at the date when prev cert expires... even after reboot
it should work... reload with new cert. right?

By the way certmonger looks like this:
-----
# getcert list
Number of certificates and requests being tracked: 1.
Request ID 'haproxy-external-cert':
        status: MONITORING
        stuck: no
        key pair storage:
type=FILE,location='/etc/pki/tls/private/haproxy/overcloud-haproxy-external.key'
        certificate:
type=FILE,location='/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.crt'
        CA: local
        issuer: CN=d4a25e33-4c424982-9d23137d-28694ac3,CN=Local Signing
Authority
        subject: CN=UNDERCLOUD_LOCAL_IP
        expires: 2021-10-07 08:23:06 UTC
        eku: id-kp-clientAuth,id-kp-serverAuth
        pre-save command:
        post-save command: /usr/bin/certmonger-haproxy-refresh.sh reload
external
        track: yes
        auto-renew: yes


On Tue, 16 Feb 2021 at 19:07, John Fulton <johfulto at redhat.com> wrote:

> On Tue, Feb 16, 2021 at 11:21 AM Ruslanas Gžibovskis <ruslanas at lpic.lt>
> wrote:
> >
> > Hi all.
> >
> > I got undercloud certificate expired and cannot find the best procedure
> to update the certificate. Do you have any link to Read The Following
> Material/Manual?
>
> Did you see this?
>
>
> https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/ssl.html
>
>   John
>
> >
> > I cannot find anything useful. As "openstack undercloud install|upgrade
> --force-stack-update" fails at step below:
> >
> > "logical_resource_id": "undercloud", "resource_status_reason": "Resource
> CREATE failed: StackValidationFailed:
> resources.UndercloudServiceChain.resources.ServiceChain: Property error:
> ServiceChain.resources[18].properties: Property RootStackName not
> assigned", "resource_status": "CREATE_FAILED", "physical_resource_id":
> "50784129-526c-4f14-83d3-7a0c51a7cbd9", "id":
> "d3b641cb-8ec0-422b-a012-8b14c9724270"}]}
> >
> > --
> > Ruslanas Gžibovskis
> > +370 6030 7030
>
>

-- 
Ruslanas Gžibovskis
+370 6030 7030
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20210216/18c6dfa7/attachment-0001.html>


More information about the openstack-discuss mailing list