[CentOS7][train][tripleo]undercloud self-signed certificate expired

Ruslanas Gžibovskis ruslanas at lpic.lt
Tue Feb 16 19:17:32 UTC 2021


Ok, pardon me,

$ openssl x509 -noout -in ruslanas/openssl_s_client -startdate -enddate
notBefore=Jan 17 06:29:02 2021 GMT
notAfter=Oct  7 08:23:06 2021 GMT

I did openssl s_client into the undercloud's port 13000, and YES, the cert is extended.
What is not working, the CA? Did the CA cert expire?

Yup, looks so.

$ openssl x509 -noout -startdate -enddate -in first_cert # First cert from /etc/pki/tls/private/overcloud_endpoint.pem
notBefore=Jan 17 06:29:02 2021 GMT
notAfter=Oct  7 08:23:06 2021 GMT
$ openssl x509 -noout -startdate -enddate -in second_cert # Second cert from /etc/pki/tls/private/overcloud_endpoint.pem
notBefore=Feb 13 13:09:29 2020 GMT
notAfter=Feb 13 13:09:29 2021 GMT
$

That generated CA cert has expired. Am I right?
Should that be rotated/refreshed by certmonger also?

Thank you.

On Tue, 16 Feb 2021 at 19:57, Ruslanas Gžibovskis <ruslanas at lpic.lt> wrote:

> Yes, sorry, I was very very unclear.
> I use:
> certificate_generation_ca = local
>
> I even saw that cert itself should auto-update/refresh.
> But there was a bug using autorefresh, I have just updated and rebooted
> the system.
>
> I even found a very nice and curious script: /bin/certmonger-haproxy-refresh.sh
> I executed and re-executed some things manually with the cert, which should
> work:
> # /bin/certmonger-haproxy-refresh.sh reload external # with some
> additional outputs below:
> /etc/pki/tls/private/overcloud_endpoint.pem
> exec haproxy cp
> /var/lib/kolla/config_files/src-tls/etc/pki/tls/private/overcloud_endpoint.pem
> /etc/pki/tls/private/overcloud_endpoint.pem
> exec haproxy chown haproxy:haproxy
> /etc/pki/tls/private/overcloud_endpoint.pem
> kill --signal HUP haproxy
> e72f897d35cee91acb0dfda322f0f2028b2c235d044a0caa73c8037f97a3001a
>
> # openssl x509 -noout -text -in
> /etc/pki/tls/private/overcloud_endpoint.pem | less # Cert is valid
>
> # podman exec haproxy cp
> /var/lib/kolla/config_files/src-tls/etc/pki/tls/private/overcloud_endpoint.pem
> /etc/pki/tls/private/overcloud_endpoint.pem
> # podman exec haproxy ls -lZ /etc/pki/tls/private/overcloud_endpoint.pem
> -rw-r-----. haproxy haproxy
> system_u:object_r:container_file_t:s0:c520,c935
> /etc/pki/tls/private/overcloud_endpoint.pem
> # podman kill --signal HUP haproxy
> e72f897d35cee91acb0dfda322f0f2028b2c235d044a0caa73c8037f97a3001a
>
> NO luck...
> sourced stackrc and executed cmd returns:
> #openstack server list
> Failed to discover available identity versions when contacting
> https://UNDERCLOUD_LOCAL_IP:13000. Attempting to parse version from URL.
> Could not find versioned identity endpoints when attempting to
> authenticate. Please check that your auth_url is correct. SSL exception
> connecting to https://10.196.106.254:13000:
> HTTPSConnectionPool(host='UNDERCLOUD_LOCAL_IP', port=13000): Max retries
> exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)'),))
>
> Inside container:
> # openssl x509 -noout -startdate -enddate -in
> /etc/pki/tls/private/overcloud_endpoint.pem
> notBefore=Jan 17 06:29:02 2021 GMT
> notAfter=Oct  7 08:23:06 2021 GMT
>
> outside container:
> # openssl x509 -noout -startdate -enddate -in
> /etc/pki/tls/private/overcloud_endpoint.pem
> notBefore=Jan 17 06:29:02 2021 GMT
> notAfter=Oct  7 08:23:06 2021 GMT
> #
>
> JUST NOW thinking, is it a different error? I do not get how it was
> working and stopped working on the date when the previous cert expired... even
> after a reboot it should work... reload with the new cert. Right?
>
> By the way certmonger looks like this:
> -----
> # getcert list
> Number of certificates and requests being tracked: 1.
> Request ID 'haproxy-external-cert':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=FILE,location='/etc/pki/tls/private/haproxy/overcloud-haproxy-external.key'
>         certificate:
> type=FILE,location='/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.crt'
>         CA: local
>         issuer: CN=d4a25e33-4c424982-9d23137d-28694ac3,CN=Local Signing
> Authority
>         subject: CN=UNDERCLOUD_LOCAL_IP
>         expires: 2021-10-07 08:23:06 UTC
>         eku: id-kp-clientAuth,id-kp-serverAuth
>         pre-save command:
>         post-save command: /usr/bin/certmonger-haproxy-refresh.sh reload
> external
>         track: yes
>         auto-renew: yes
>
>
> On Tue, 16 Feb 2021 at 19:07, John Fulton <johfulto at redhat.com> wrote:
>
>> On Tue, Feb 16, 2021 at 11:21 AM Ruslanas Gžibovskis <ruslanas at lpic.lt>
>> wrote:
>> >
>> > Hi all.
>> >
>> > I got undercloud certificate expired and cannot find the best procedure
>> to update the certificate. Do you have any link to Read The Following
>> Material/Manual?
>>
>> Did you see this?
>>
>>
>> https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/ssl.html
>>
>>   John
>>
>> >
>> > I cannot find anything useful. As "openstack undercloud install|upgrade
>> --force-stack-update" fails at step below:
>> >
>> > "logical_resource_id": "undercloud", "resource_status_reason":
>> "Resource CREATE failed: StackValidationFailed:
>> resources.UndercloudServiceChain.resources.ServiceChain: Property error:
>> ServiceChain.resources[18].properties: Property RootStackName not
>> assigned", "resource_status": "CREATE_FAILED", "physical_resource_id":
>> "50784129-526c-4f14-83d3-7a0c51a7cbd9", "id":
>> "d3b641cb-8ec0-422b-a012-8b14c9724270"}]}
>> >
>> > --
>> > Ruslanas Gžibovskis
>> > +370 6030 7030
>>
>>
>
> --
> Ruslanas Gžibovskis
> +370 6030 7030
>


-- 
Ruslanas Gžibovskis
+370 6030 7030
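The check the thread does by hand with `openssl x509 -startdate -enddate` on each cert in overcloud_endpoint.pem, as an added stand-alone example (not code from the thread or from TripleO/certmonger): it walks every PEM block in a bundle, reads notBefore/notAfter straight from the DER with the standard library only, and flags any certificate outside its validity window at a given time. The sample bundle and the reference time are constructed to mirror the two dates in the thread; the stand-in certificates carry the X.509 field layout but are not real signed certificates.

```python
import base64, re
from datetime import datetime, timezone
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):                                   # members of a constructed DER value
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out

def _time(tag, val):                                   # UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def cert_validity(der):
    """(notBefore, notAfter) from tbsCertificate: [version], serial, sigalg, issuer, validity."""
    fields = _children(_children(_tlv(der, 0)[1])[0][1])
    if fields[0][0] == 0xA0:                           # optional explicit [0] version
        fields = fields[1:]
    nb, na = _children(fields[3][1])
    return _time(*nb), _time(*na)

def check_bundle(pem_text, now):
    """One (index, notBefore, notAfter, expired) tuple per certificate in a PEM bundle."""
    out = []
    for i, b64 in enumerate(PEM_RE.findall(pem_text)):
        nb, na = cert_validity(base64.b64decode("".join(b64.split())))
        out.append((i, nb, na, not nb <= now <= na))
    return out

# Constructed sample input: stand-ins with the X.509 field layout, not real signed certificates.
def _der(tag, body):                                   # short-form length is enough here
    return bytes([tag, len(body)]) + body

def _fake_cert(not_before, not_after):
    validity = _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + _der(0x30, b"") + validity + _der(0x30, b"") + _der(0x30, b""))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
# Same dates as the two certs in the thread's overcloud_endpoint.pem, checked at the thread's date.
SAMPLE_BUNDLE = _fake_cert("210117062902Z", "211007082306Z") + _fake_cert("200213130929Z", "210213130929Z")
NOW = datetime(2021, 2, 16, 19, 0, tzinfo=timezone.utc)
```

Run against a real bundle by passing the file contents and `datetime.now(timezone.utc)`; the second tuple in the sample comes back flagged, which is the expired local CA the thread found.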