[Triple0 - Wallaby] Overcloud deployment getting failed with SSL

Lokendra Rathour lokendrarathour at gmail.com
Tue Aug 2 03:54:53 UTC 2022


Hi Team,
Any lead about this issue raised?


On Thu, Jul 28, 2022 at 10:02 AM Lokendra Rathour <lokendrarathour at gmail.com>
wrote:

> Hi Brendan,
> Thanks for the advice.
> bug is reported:
> https://bugs.launchpad.net/tripleo/+bug/1982996
>
> On Thu, Jul 28, 2022 at 5:34 AM Brendan Shephard <bshephar at redhat.com>
> wrote:
>
>> Hey,
>>
>> It’s probably best that you raise a bug here at this stage:
>> https://bugs.launchpad.net/tripleo
>>
>> Can you attach all of the templates you’re using to that bug, the
>> overcloud deploy command script that you’re running and also the log files
>> that you have shared here?
>>
>> I wasn’t able to reproduce your issue, but if you raise a bug we can
>> direct it to the right team who can help out with your keystone errors.
>>
>> Brendan Shephard
>> Senior Software Engineer
>> Brisbane, Australia
>>
>>
>>
>> On 28 Jul 2022, at 2:55 am, Lokendra Rathour <lokendrarathour at gmail.com>
>> wrote:
>>
>> Hi Team,
>> I tried again with DNS enabled, but the error remains the same.
>>
>> tone_resources : Create identity public endpoint | undercloud |
>> 0:24:59.456181 | 2.31s
>> 2022-07-27 15:20:48.735838 | 5254006e-bbd1-cd20-647c-00000000736c |
>> TASK | Create identity internal endpoint
>> 2022-07-27 15:20:51.227000 | 5254006e-bbd1-cd20-647c-00000000736c |
>>  FATAL | Create identity internal endpoint | undercloud | error={"changed":
>> false, "extra_data": {"data": null, "details": "The request you have made
>> requires authentication.", "response":
>> "{\"error\":{\"code\":401,\"message\":\"The request you have made requires
>> authentication.\",\"title\":\"Unauthorized\"}}\n"}, "msg": "Failed to
>> list services: Client Error for url:
>> https://overcloud-public.myhsc.com:13000/v3/services, The request you have made requires
>> authentication."}
>>
>> Checking further in the keystone logs in container:
>>
>>
>> 2022-07-27 19:35:37.447 33 WARNING keystone.server.flask.application
>> [req-bb4621d8-73ad-4bad-831f-5c2370e92e71 - - - - -] Authorization failed.
>> The request you have made requires authentication. from
>> fd00:fd00:fd00:9900::29: keystone.exception.Unauthorized: The request you
>> have made requires authentication.
>> 2022-07-27 19:35:37.998 26 WARNING py.warnings
>> [req-54d44e3a-5e34-4e40-b2dc-e8213353ea05 ab5e9670632544f8a8c7e1b3ac175bcd
>> e4185872cadb442aa9a59980b3227941 - default default]
>> /usr/lib/python3.6/site-packages/oslo_policy/policy.py:1065: UserWarning:
>> Policy identity:list_projects failed scope check. The token used to make
>> the request was project scoped but the policy requires ['system', 'domain']
>> scope. This behavior may change in the future where using the intended
>> scope is required
>>
>> I am kind of blocked now, any lead would let me understand the problem
>> more and maybe it can solve the issue.
>>
>> Best Regards,
>> Lokendra
>>
>> On Mon, Jul 25, 2022 at 3:12 PM Lokendra Rathour <
>> lokendrarathour at gmail.com> wrote:
>>
>>> Hi Brendan,
>>> Apologies for this delay, I had to redo the setup to reach this point,
>>> and also this time, just to eliminate my doubt, I removed SSL for overcloud.
>>> Now I am only using DNS Server. In this case also I am getting the same
>>> error.
>>>
>>>  | 0:13:20.198877 | 1.86s
>>> 2022-07-25 14:37:29.657118 | 525400a7-0932-2ed1-d313-000000007193 |
>>>   TASK | Create identity internal endpoint
>>> 2022-07-25 14:37:31.995131 | 525400a7-0932-2ed1-d313-000000007193 |
>>>  FATAL | Create identity internal endpoint | undercloud | error={"changed":
>>> false, "extra_data": {"data": null, "details": "The request you have made
>>> requires authentication.", "response":
>>> "{\"error\":{\"code\":401,\"message\":\"The request you have made requires
>>> authentication.\",\"title\":\"Unauthorized\"}}\n"}, "msg": "Failed to list
>>> services: Client Error for url:
>>> http://[fd00:fd00:fd00:9900::a0]:5000/v3/services, The request you have
>>> made requires authentication."}
>>>
>>>
>>> To answer your question please note:
>>>
>>> "OS_CLOUD=overcloud openstack endpoint list"
>>>
>>> [root@GGNLABPM4 ~]# ssh stack@10.0.1.29
>>> stack@10.0.1.29's password:
>>> Activate the web console with: systemctl enable --now cockpit.socket
>>>
>>> Last login: Mon Jul 25 14:38:44 2022 from 10.0.1.4
>>> [stack@undercloud ~]$ OS_CLOUD=overcloud openstack endpoint list
>>>
>>> +----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------------+
>>> | ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                                   |
>>> +----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------------+
>>> | 1ecd328b5ea1426bb411d157b8339dd2 | regionOne | keystone     | identity     | True    | public    | http://[fd00:fd00:fd00:9900::a0]:5000 |
>>> | 518cfa0f2ece43b684710006c9fa5b25 | regionOne | keystone     | identity     | True    | admin     | http://30.30.30.181:35357             |
>>> | 8cda413052c24718b073578bb497f483 | regionOne | keystone     | identity     | True    | internal  | http://[fd00:fd00:fd00:2000::a0]:5000 |
>>> +----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------------+
>>> [stack@undercloud ~]$
>>>
>>>
>>> It is giving us only keystone endpoints.
>>>
>>> Also note that I am trying to deploy the end to end setup with FQDN
>>> only, and in this case as well I am facing the same issue as before.
>>>
>>> Thanks once again for your inputs.
>>>
>>> -Lokendra
>>>
>>>
>>>
>>> On Wed, Jul 20, 2022 at 3:07 PM Brendan Shephard <bshephar at redhat.com>
>>> wrote:
>>>
>>>> Hey,
>>>>
>>>> I think it's weird that you got a response at all when you run the
>>>> openstack endpoint list, since you said haproxy isn't running. So there
>>>> should be nothing serving that endpoint.
>>>>
>>>> I noticed you have the stackrc file sourced. Try it again without that
>>>> file sourced, so:
>>>> $ su - stack
>>>> $ OS_CLOUD=overcloud openstack endpoint list
>>>>
>>>> I would suspect that nothing should be responding. It could be the
>>>> stackrc file causing issues with some of the environment variables. If the
>>>> above command doesn't return anything, then my suggestion would be to
>>>> re-run the deployment like this:
>>>>
>>>> $ su - stack
>>>> $ export OS_CLOUD=undercloud
>>>> # Then run your deployment script again
>>>> $ bash overcloud_deploy.sh
>>>>
>>>> The OS_CLOUD variable tells the openstackclient to lookup the details
>>>> about that cloud from your clouds.yaml file. Which will be located in
>>>> /home/stack/.config/openstack/clouds.yaml.
>>>>
>>>> This method is preferable to the sourcing of RC files.
>>>>
>>>> Reference:
>>>>
>>>> https://docs.openstack.org/openstacksdk/latest/user/guides/connect_from_config.html
>>>>
>>>> Regarding the HAProxy warnings. I don't think they should be fatal.
>>>> afaik, HAProxy should still be starting. If it's not, there might be
>>>> another error that you will need to look for in the log files under
>>>> /var/log/containers/haproxy/
>>>>
>>>> I wasn't able to reproduce that warning by following the documentation
>>>> for enabling TLS though. So it seems like an odd error to be getting.
>>>>
>>>> Brendan Shephard
>>>> Software Engineer
>>>>
>>>> Red Hat APAC <https://www.redhat.com/>
>>>> 193 N Quay
>>>> Brisbane City QLD 4000
>>>> @RedHat <https://twitter.com/redhat>   Red Hat
>>>> <https://www.linkedin.com/company/red-hat>  Red Hat
>>>> <https://www.facebook.com/RedHatInc>
>>>> <https://red.ht/sig>
>>>> <https://redhat.com/summit>
>>>>
>>>>
>>>> On Wed, Jul 20, 2022 at 7:02 PM Lokendra Rathour <
>>>> lokendrarathour at gmail.com> wrote:
>>>>
>>>>> Hi Brendan / Team,
>>>>> Any lead for the issue raised?
>>>>>
>>>>> -Lokendra
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Jul 19, 2022 at 11:46 AM Lokendra Rathour <
>>>>> lokendrarathour at gmail.com> wrote:
>>>>>
>>>>>> Hi Brendan,
>>>>>> Thanks for the inputs.
>>>>>> When I run the command as you suggested I get this:
>>>>>>
>>>>>> (undercloud) [stack@undercloud ~]$ OS_CLOUD=overcloud openstack endpoint list
>>>>>>
>>>>>> +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------------------+
>>>>>> | ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                                    |
>>>>>> +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------------------+
>>>>>> | 1bfe43c9cf174bd8a01a3a681538766a | regionOne | keystone     | identity     | True    | internal  | http://[fd00:fd00:fd00:2000::326]:5000 |
>>>>>> | 707e92fc11df4a74bceb5e48f2561357 | regionOne | keystone     | identity     | True    | admin     | http://30.30.30.173:35357              |
>>>>>> | fab4e66170c8402f899c5f43fd4c39fe | regionOne | keystone     | identity     | True    | public    | https://overcloud-hsc.com:13000        |
>>>>>> +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------------------+
>>>>>> (undercloud) [stack@undercloud ~]$
>>>>>>
>>>>>>
>>>>>> On another note, what I noticed was as below:
>>>>>>
>>>>>>    - HAproxy container is not running.
>>>>>>       - [root@overcloud-controller-2 stdouts]# podman ps -a | grep haproxy
>>>>>>       e91dbde042db  undercloud.ctlplane.localdomain:8787/tripleowallaby/openstack-haproxy:current-tripleo  24 hours ago  Exited (1) Less than a second ago  container-puppet-haproxy
>>>>>>       - Checking logs:
>>>>>>       - 2022-07-19T08:47:00.496212294+05:30 stderr F + ARGS=
>>>>>>       2022-07-19T08:47:00.496300242+05:30 stderr F + [[ ! -n '' ]]
>>>>>>       2022-07-19T08:47:00.496323705+05:30 stderr F + .
>>>>>>       kolla_extend_start
>>>>>>       2022-07-19T08:47:00.496578173+05:30 stderr F + echo 'Running
>>>>>>       command: '\''bash -c $* -- eval if [ -f /usr/sbin/haproxy-systemd-wrapper
>>>>>>       ]; then exec /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg;
>>>>>>       else exec /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -Ws; fi'\'''
>>>>>>       2022-07-19T08:47:00.496605469+05:30 stdout F Running command:
>>>>>>       'bash -c $* -- eval if [ -f /usr/sbin/haproxy-systemd-wrapper ]; then exec
>>>>>>       /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg; else exec
>>>>>>       /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -Ws; fi'
>>>>>>       2022-07-19T08:47:00.496895618+05:30 stderr F + exec bash -c
>>>>>>       '$*' -- eval if '[' -f /usr/sbin/haproxy-systemd-wrapper '];' then exec
>>>>>>       /usr/sbin/haproxy-systemd-wrapper -f '/etc/haproxy/haproxy.cfg;' else exec
>>>>>>       /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg '-Ws;' fi
>>>>>>       2022-07-19T08:47:00.513182490+05:30 stderr F [WARNING]
>>>>>>       199/084700 (7) : parsing [/etc/haproxy/haproxy.cfg:28] : 'bind
>>>>>>       fd00:fd00:fd00:9900::81:13776' :
>>>>>>       2022-07-19T08:47:00.513182490+05:30 stderr F   unable to load
>>>>>>       default 1024 bits DH parameter for certificate
>>>>>>       '/etc/pki/tls/private/overcloud_endpoint.pem'.
>>>>>>       2022-07-19T08:47:00.513182490+05:30 stderr F   , SSL library
>>>>>>       will use an automatically generated DH parameter.
>>>>>>       2022-07-19T08:47:00.513967576+05:30 stderr F
>>>>>>       [WARNING] 199/084700 (7) : parsing [/etc/haproxy/haproxy.cfg:45] : 'bind
>>>>>>       fd00:fd00:fd00:9900::81:13292' :
>>>>>>       2022-07-19T08:47:00.513967576+05:30 stderr F   unable to load
>>>>>>       default 1024 bits DH parameter for certificate
>>>>>>       '/etc/pki/tls/private/overcloud_endpoint.pem'.
>>>>>>       2022-07-19T08:47:00.513967576+05:30 stderr F   , SSL library
>>>>>>       will use an automatically generated DH parameter.
>>>>>>       2022-07-19T08:47:00.514736662+05:30 stderr F [WARNING]
>>>>>>       199/084700 (7) : parsing [/etc/haproxy/haproxy.cfg:69] : 'bind
>>>>>>       fd00:fd00:fd00:9900::81:13004' :
>>>>>>       2022-07-19T08:47:00.514736662+05:30 stderr F   unable to load
>>>>>>       default 1024 bits DH parameter for certificate
>>>>>>       '/etc/pki/tls/private/overcloud_endpoint.pem'.
>>>>>>       2022-07-19T08:47:00.514736662+05:30 stderr F   , SSL library
>>>>>>       will use an automatically generated DH parameter.
>>>>>>       2022-07-19T08:47:00.515461787+05:30 stderr F [WARNING]
>>>>>>       199/084700 (7) : parsing [/etc/haproxy/haproxy.cfg:89] : 'bind
>>>>>>       fd00:fd00:fd00:9900::81:13005' :
>>>>>>       2022-07-19T08:47:00.515461787+05:30 stderr F   unable to load
>>>>>>       default 1024 bits DH parameter for certificate
>>>>>>       '/etc/pki/tls/private/overcloud_endpoint.pem'.
>>>>>>       2022-07-19T08:47:00.515461787+05:30 stderr F   , SSL library
>>>>>>       will use an automatically generated DH parameter.
>>>>>>       2022-07-19T08:47:00.516167406+05:30 stderr F [WARNING]
>>>>>>       199/084700 (7) : parsing [/etc/haproxy/haproxy.cfg:108] : 'bind
>>>>>>       fd00:fd00:fd00:2000::326:443' :
>>>>>>       - 2022-07-19T08:47:00.517937930+05:30 stderr F   , SSL library
>>>>>>       will use an automatically generated DH parameter.
>>>>>>       2022-07-19T08:47:00.518534123+05:30 stderr F [WARNING]
>>>>>>       199/084700 (7) : parsing [/etc/haproxy/haproxy.cfg:172] : 'bind
>>>>>>       fd00:fd00:fd00:9900::81:13000' :
>>>>>>       2022-07-19T08:47:00.518534123+05:30 stderr F   unable to load
>>>>>>       default 1024 bits DH parameter for certificate
>>>>>>       '/etc/pki/tls/private/overcloud_endpoint.pem'.
>>>>>>       2022-07-19T08:47:00.518534123+05:30 stderr F   , SSL library
>>>>>>       will use an automatically generated DH parameter.
>>>>>>       2022-07-19T08:47:00.519127743+05:30 stderr F [WARNING]
>>>>>>       199/084700 (7) : parsing [/etc/haproxy/haproxy.cfg:201] : 'bind
>>>>>>       fd00:fd00:fd00:9900::81:13696' :
>>>>>>       2022-07-19T08:47:00.519127743+05:30 stderr F   unable to load
>>>>>>       default 1024 bits DH parameter for certificate
>>>>>>       '/etc/pki/tls/private/overcloud_endpoint.pem'.
>>>>>>       2022-07-19T08:47:00.519127743+05:30 stderr F   , SSL library
>>>>>>       will use an automatically generated DH parameter.
>>>>>>       2022-07-19T08:47:00.519734281+05:30 stderr F [WARNING]
>>>>>>       199/084700 (7) : parsing [/etc/haproxy/haproxy.cfg:233] : 'bind
>>>>>>       fd00:fd00:fd00:9900::81:13080' :
>>>>>>       2022-07-19T08:47:00.519734281+05:30 stderr F   unable to load
>>>>>>       default 1024 bits DH parameter for certificate
>>>>>>       '/etc/pki/tls/private/overcloud_endpoint.pem'.
>>>>>>       2022-07-19T08:47:00.519734281+05:30 stderr F   , SSL library
>>>>>>       will use an automatically generated DH parameter.
>>>>>>       2022-07-19T08:47:00.520285158+05:30 stderr F [WARNING]
>>>>>>       199/084700 (7) : parsing [/etc/haproxy/haproxy.cfg:250] : 'bind
>>>>>>       fd00:fd00:fd00:9900::81:13774' :
>>>>>>       2022-07-19T08:47:00.520285158+05:30 stderr F   unable to load
>>>>>>       default 1024 bits DH parameter for certificate
>>>>>>       '/etc/pki/tls/private/overcloud_endpoint.pem'.
>>>>>>       2022-07-19T08:47:00.520285158+05:30 stderr F   , SSL library
>>>>>>       will use an automatically generated DH parameter.
>>>>>>       2022-07-19T08:47:00.520830405+05:30 stderr F [WARNING]
>>>>>>       199/084700 (7) : parsing [/etc/haproxy/haproxy.cfg:266] :
>>>>>>       'bind fd00:fd00:fd00:9900::81:13778' :
>>>>>>       2022-07-19T08:47:00.520830405+05:30 stderr F   unable to load
>>>>>>       default 1024 bits DH parameter for certificate
>>>>>>       '/etc/pki/tls/private/overcloud_endpoint.pem'.
>>>>>>       2022-07-19T08:47:00.520830405+05:30 stderr F   , SSL library
>>>>>>       will use an automatically generated DH parameter.
>>>>>>       2022-07-19T08:47:00.521517271+05:30 stderr F [WARNING]
>>>>>>       199/084700 (7) : parsing [/etc/haproxy/haproxy.cfg:281] : 'bind
>>>>>>       fd00:fd00:fd00:9900::81:13808' :
>>>>>>       2022-07-19T08:47:00.521517271+05:30 stderr F   unable to load
>>>>>>       default 1024 bits DH parameter for certificate
>>>>>>       '/etc/pki/tls/private/overcloud_endpoint.pem'.
>>>>>>       2022-07-19T08:47:00.521517271+05:30 stderr F   , SSL library
>>>>>>       will use an automatically generated DH parameter.
>>>>>>       2022-07-19T08:47:00.524065508+05:30 stderr F [WARNING]
>>>>>>       199/084700 (7) : Setting tune.ssl.default-dh-param to 1024 by default, if
>>>>>>       your workload permits it you should set it to at least 2048. Please set a
>>>>>>       value >= 1024 to make this warning disappear.
>>>>>>       - pcs status also shows that proxy is down for the controller
>>>>>>    with VIP:
>>>>>>       - Failed Resource Actions:
>>>>>>         * haproxy-bundle-podman-2_start_0 on overcloud-controller-2
>>>>>>       'error' (1): call=139, status='complete', exitreason='podman failed to
>>>>>>       launch container (rc: 1)', last-rc-change='Mon Jul 18 15:14:34 2022',
>>>>>>       queued=0ms, exec=1222ms
>>>>>>         * haproxy-bundle-podman-1_start_0 on overcloud-controller-1
>>>>>>       'error' (1): call=191, status='complete', exitreason='podman failed to
>>>>>>       launch container (rc: 1)', last-rc-change='Mon Jul 18 23:54:17 2022',
>>>>>>       queued=0ms, exec=1171ms
>>>>>>         * haproxy-bundle-podman-2_start_0 on overcloud-controller-1
>>>>>>       'error' (1): call=193, status='complete', exitreason='podman failed to
>>>>>>       launch container (rc: 1)', last-rc-change='Mon Jul 18 23:54:20 2022',
>>>>>>       queued=0ms, exec=1256ms
>>>>>>
>>>>>> Do let me know in case we need anything more around it.
>>>>>> Thanks once again for the support.
>>>>>> -Lokendra
>>>>>>
>>>>>> On Tue, Jul 19, 2022 at 11:07 AM Brendan Shephard <
>>>>>> bshephar at redhat.com> wrote:
>>>>>>
>>>>>>> Hey,
>>>>>>>
>>>>>>> Doesn't look like there is anything wrong with the certificate
>>>>>>> there. You would be getting a TLS error if that was the problem.
>>>>>>>
>>>>>>> What does your clouds.yaml file look like now? What happens if you
>>>>>>> run this command from the Undercloud node:
>>>>>>> $ OS_CLOUD=overcloud openstack endpoint list
>>>>>>>
>>>>>>> Do you get the same error?
>>>>>>>
>>>>>>> Brendan Shephard
>>>>>>> Software Engineer
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Jul 19, 2022 at 1:28 PM Lokendra Rathour <
>>>>>>> lokendrarathour at gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi Swogat and Vikarna,
>>>>>>>> We have tried adding the DNS entry for the overcloud domain. We are
>>>>>>>> getting the same error:
>>>>>>>>
>>>>>>>> 2022-07-19 00:09:41.491498 | 525400ae-089b-c832-8e34-00000000704f |
>>>>>>>>     TIMING | tripleo_keystone_resources : Create identity public endpoint |
>>>>>>>> undercloud | 0:11:18.785769 | 2.16s
>>>>>>>> 2022-07-19 00:09:41.507319 | 525400ae-089b-c832-8e34-000000007050 |
>>>>>>>>       TASK | Create identity internal endpoint
>>>>>>>> 2022-07-19 00:09:43.778910 | 525400ae-089b-c832-8e34-000000007050 |
>>>>>>>>      FATAL | Create identity internal endpoint | undercloud |
>>>>>>>> error={"changed": false, "extra_data": {"data": null, "details": "The
>>>>>>>> request you have made requires authentication.", "response":
>>>>>>>> "{\"error\":{\"code\":401,\"message\":\"The request you have made requires
>>>>>>>> authentication.\",\"title\":\"Unauthorized\"}}\n"}, "msg": "Failed to list
>>>>>>>> services: Client Error for url:
>>>>>>>> https://overcloud-hsc.com:13000/v3/services, The request you have
>>>>>>>> made requires authentication."}
>>>>>>>> 2022-07-19 00:09:43.780306 | 525400ae-089b-c832-8e34-000000007050 |
>>>>>>>>     TIMING | tripleo_keystone_resources : Create identity internal endpoint
>>>>>>>> | undercloud | 0:11:21.074605 | 2.
>>>>>>>>
>>>>>>>>
>>>>>>>> Certificate configs:
>>>>>>>>
>>>>>>>> [stack@undercloud oc-domain-name]$ cat server.csr.cnf
>>>>>>>> [req]
>>>>>>>> default_bits = 2048
>>>>>>>> prompt = no
>>>>>>>> default_md = sha256
>>>>>>>> distinguished_name = dn
>>>>>>>> [dn]
>>>>>>>> C=IN
>>>>>>>> ST=UTTAR PRADESH
>>>>>>>> L=NOIDA
>>>>>>>> O=HSC
>>>>>>>> OU=HSC
>>>>>>>> emailAddress=demo@demo.com
>>>>>>>> CN=overcloud-hsc.com
>>>>>>>> [stack@undercloud oc-domain-name]$ cat v3.ext
>>>>>>>> authorityKeyIdentifier=keyid,issuer
>>>>>>>> basicConstraints=CA:FALSE
>>>>>>>> keyUsage = digitalSignature, nonRepudiation, keyEncipherment,
>>>>>>>> dataEncipherment
>>>>>>>> subjectAltName = @alt_names
>>>>>>>> [alt_names]
>>>>>>>> DNS.1=overcloud-hsc.com
>>>>>>>> [stack@undercloud oc-domain-name]$
>>>>>>>>
>>>>>>>> The difference we see from others is that we are using self-signed
>>>>>>>> certificates.
>>>>>>>>
>>>>>>>> Please let me know in case we need to check something else. Somehow
>>>>>>>> this issue remains stuck.
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Jul 15, 2022 at 2:17 AM Swogat Pradhan <
>>>>>>>> swogatpradhan22 at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> I was facing a similar kind of issue.
>>>>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=2089442
>>>>>>>>> Here is the solution that helped me fix it.
>>>>>>>>> Also make sure the cn that you will use is reachable from
>>>>>>>>> undercloud (maybe) script should take care of it.
>>>>>>>>>
>>>>>>>>> Also please follow Mr. Tathe's mail to add the cn first.
>>>>>>>>>
>>>>>>>>> With regards
>>>>>>>>> Swogat Pradhan
>>>>>>>>>
>>>>>>>>> On Thu, Jul 14, 2022 at 8:49 AM Vikarna Tathe <
>>>>>>>>> vikarnatathe at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Lokendra,
>>>>>>>>>>
>>>>>>>>>> The CN field is missing. Can you add that and generate the
>>>>>>>>>> certificate again.
>>>>>>>>>>
>>>>>>>>>> CN=ipaddress
>>>>>>>>>>
>>>>>>>>>> Also add dns.1=ipaddress under alt_names for precaution.
>>>>>>>>>>
>>>>>>>>>> Vikarna
>>>>>>>>>>
>>>>>>>>>> On Wed, 13 Jul, 2022, 23:02 Lokendra Rathour, <
>>>>>>>>>> lokendrarathour at gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Vikarna,
>>>>>>>>>>> Thanks for the inputs.
>>>>>>>>>>> I am not able to access any tabs in GUI.
>>>>>>>>>>> <image.png>
>>>>>>>>>>>
>>>>>>>>>>> To restate, we are failing at the time of deployment at step 4:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> PLAY [External deployment step 4]
>>>>>>>>>>> **********************************************
>>>>>>>>>>> 2022-07-13 21:35:22.505148 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000000d7 |       TASK | External deployment
>>>>>>>>>>> step 4
>>>>>>>>>>> 2022-07-13 21:35:22.534899 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000000d7 |         OK | External deployment
>>>>>>>>>>> step 4 | undercloud -> localhost | result={
>>>>>>>>>>>     "changed": false,
>>>>>>>>>>>     "msg": "Use --start-at-task 'External deployment step 4' to
>>>>>>>>>>> resume from this task"
>>>>>>>>>>> }
>>>>>>>>>>> [WARNING]: ('undercloud -> localhost',
>>>>>>>>>>> '525400ae-089b-870a-fab6-0000000000d7')
>>>>>>>>>>> missing from stats
>>>>>>>>>>> 2022-07-13 21:35:22.591268 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000000d8 |     TIMING | include_tasks |
>>>>>>>>>>> undercloud | 0:11:21.683453 | 0.04s
>>>>>>>>>>> 2022-07-13 21:35:22.605901 |
>>>>>>>>>>> f29c4b58-75a5-4993-97b8-3921a49d79d7 |   INCLUDED |
>>>>>>>>>>> /home/stack/overcloud-deploy/overcloud/config-download/overcloud/external_deploy_steps_tasks_step4.yaml
>>>>>>>>>>> | undercloud
>>>>>>>>>>> 2022-07-13 21:35:22.627112 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-000000007239 |       TASK | Clean up legacy Cinder
>>>>>>>>>>> keystone catalog entries
>>>>>>>>>>> 2022-07-13 21:35:25.110635 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-000000007239 |         OK | Clean up legacy Cinder
>>>>>>>>>>> keystone catalog entries | undercloud | item={'service_name': 'cinderv2',
>>>>>>>>>>> 'service_type': 'volumev2'}
>>>>>>>>>>> 2022-07-13 21:35:25.112368 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-000000007239 |     TIMING | Clean up legacy Cinder
>>>>>>>>>>> keystone catalog entries | undercloud | 0:11:24.204562 | 2.48s
>>>>>>>>>>> 2022-07-13 21:35:27.029270 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-000000007239 |         OK | Clean up legacy Cinder
>>>>>>>>>>> keystone catalog entries | undercloud | item={'service_name': 'cinderv3',
>>>>>>>>>>> 'service_type': 'volume'}
>>>>>>>>>>> 2022-07-13 21:35:27.030383 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-000000007239 |     TIMING | Clean up legacy Cinder
>>>>>>>>>>> keystone catalog entries | undercloud | 0:11:26.122584 | 4.40s
>>>>>>>>>>> 2022-07-13 21:35:27.032091 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-000000007239 |     TIMING | Clean up legacy Cinder
>>>>>>>>>>> keystone catalog entries | undercloud | 0:11:26.124296 | 4.40s
>>>>>>>>>>> 2022-07-13 21:35:27.047913 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-00000000723c |       TASK | Manage Keystone
>>>>>>>>>>> resources for OpenStack services
>>>>>>>>>>> 2022-07-13 21:35:27.077672 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-00000000723c |     TIMING | Manage Keystone
>>>>>>>>>>> resources for OpenStack services | undercloud | 0:11:26.169842 | 0.03s
>>>>>>>>>>> 2022-07-13 21:35:27.120270 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-00000000726b |       TASK | Gather variables for
>>>>>>>>>>> each operating system
>>>>>>>>>>> 2022-07-13 21:35:27.161225 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-00000000726b |     TIMING |
>>>>>>>>>>> tripleo_keystone_resources : Gather variables for each operating system |
>>>>>>>>>>> undercloud | 0:11:26.253383 | 0.04s
>>>>>>>>>>> 2022-07-13 21:35:27.177798 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-00000000726c |       TASK | Create Keystone Admin
>>>>>>>>>>> resources
>>>>>>>>>>> 2022-07-13 21:35:27.207430 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-00000000726c |     TIMING |
>>>>>>>>>>> tripleo_keystone_resources : Create Keystone Admin resources | undercloud |
>>>>>>>>>>> 0:11:26.299608 | 0.03s
>>>>>>>>>>> 2022-07-13 21:35:27.230985 |
>>>>>>>>>>> 46e05e2d-2e9c-467b-ac4f-c5f0bc7286b3 |   INCLUDED |
>>>>>>>>>>> /usr/share/ansible/roles/tripleo_keystone_resources/tasks/admin.yml |
>>>>>>>>>>> undercloud
>>>>>>>>>>> 2022-07-13 21:35:27.256076 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072ad |       TASK | Create default domain
>>>>>>>>>>> 2022-07-13 21:35:29.343399 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072ad |         OK | Create default domain |
>>>>>>>>>>> undercloud
>>>>>>>>>>> 2022-07-13 21:35:29.345172 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072ad |     TIMING |
>>>>>>>>>>> tripleo_keystone_resources : Create default domain | undercloud |
>>>>>>>>>>> 0:11:28.437360 | 2.09s
>>>>>>>>>>> 2022-07-13 21:35:29.361643 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072ae |       TASK | Create admin and
>>>>>>>>>>> service projects
>>>>>>>>>>> 2022-07-13 21:35:29.391295 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072ae |     TIMING |
>>>>>>>>>>> tripleo_keystone_resources : Create admin and service projects | undercloud
>>>>>>>>>>> | 0:11:28.483468 | 0.03s
>>>>>>>>>>> 2022-07-13 21:35:29.402539 |
>>>>>>>>>>> af7a4a76-4998-4679-ac6f-58acc0867554 |   INCLUDED |
>>>>>>>>>>> /usr/share/ansible/roles/tripleo_keystone_resources/tasks/projects.yml |
>>>>>>>>>>> undercloud
>>>>>>>>>>> 2022-07-13 21:35:29.428918 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-000000007304 |       TASK | Async creation of
>>>>>>>>>>> Keystone project
>>>>>>>>>>> 2022-07-13 21:35:30.144295 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-000000007304 |    CHANGED | Async creation of
>>>>>>>>>>> Keystone project | undercloud | item=admin
>>>>>>>>>>> 2022-07-13 21:35:30.145884 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-000000007304 |     TIMING |
>>>>>>>>>>> tripleo_keystone_resources : Async creation of Keystone project |
>>>>>>>>>>> undercloud | 0:11:29.238078 | 0.72s
>>>>>>>>>>> 2022-07-13 21:35:30.493458 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-000000007304 |    CHANGED | Async creation of
>>>>>>>>>>> Keystone project | undercloud | item=service
>>>>>>>>>>> 2022-07-13 21:35:30.494386 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-000000007304 |     TIMING |
>>>>>>>>>>> tripleo_keystone_resources : Async creation of Keystone project |
>>>>>>>>>>> undercloud | 0:11:29.586587 | 1.06s
>>>>>>>>>>> 2022-07-13 21:35:30.495729 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-000000007304 |     TIMING |
>>>>>>>>>>> tripleo_keystone_resources : Async creation of Keystone project |
>>>>>>>>>>> undercloud | 0:11:29.587916 | 1.07s
>>>>>>>>>>> 2022-07-13 21:35:30.511748 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-000000007306 |       TASK | Check Keystone project
>>>>>>>>>>> status
>>>>>>>>>>> 2022-07-13 21:35:30.908189 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-000000007306 |    WAITING | Check Keystone project
>>>>>>>>>>> status | undercloud | 30 retries left
>>>>>>>>>>> 2022-07-13 21:35:36.166541 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-000000007306 |         OK | Check Keystone project
>>>>>>>>>>> status | undercloud | item=admin
>>>>>>>>>>> 2022-07-13 21:35:36.168506 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-000000007306 |     TIMING |
>>>>>>>>>>> tripleo_keystone_resources : Check Keystone project status | undercloud |
>>>>>>>>>>> 0:11:35.260666 | 5.66s
>>>>>>>>>>> 2022-07-13 21:35:36.400914 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-000000007306 |         OK | Check Keystone project
>>>>>>>>>>> status | undercloud | item=service
>>>>>>>>>>> 2022-07-13 21:35:36.402534 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-000000007306 |     TIMING |
>>>>>>>>>>> tripleo_keystone_resources : Check Keystone project status | undercloud |
>>>>>>>>>>> 0:11:35.494729 | 5.89s
>>>>>>>>>>> 2022-07-13 21:35:36.406576 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-000000007306 |     TIMING |
>>>>>>>>>>> tripleo_keystone_resources : Check Keystone project status | undercloud |
>>>>>>>>>>> 0:11:35.498771 | 5.89s
>>>>>>>>>>> 2022-07-13 21:35:36.427719 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072af |       TASK | Create admin role
>>>>>>>>>>> 2022-07-13 21:35:38.632266 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072af |         OK | Create admin role |
>>>>>>>>>>> undercloud
>>>>>>>>>>> 2022-07-13 21:35:38.633754 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072af |     TIMING |
>>>>>>>>>>> tripleo_keystone_resources : Create admin role | undercloud |
>>>>>>>>>>> 0:11:37.725949 | 2.20s
>>>>>>>>>>> 2022-07-13 21:35:38.649721 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072b0 |       TASK | Create _member_ role
>>>>>>>>>>> 2022-07-13 21:35:38.689773 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072b0 |    SKIPPED | Create _member_ role |
>>>>>>>>>>> undercloud
>>>>>>>>>>> 2022-07-13 21:35:38.691172 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072b0 |     TIMING |
>>>>>>>>>>> tripleo_keystone_resources : Create _member_ role | undercloud |
>>>>>>>>>>> 0:11:37.783369 | 0.04s
>>>>>>>>>>> 2022-07-13 21:35:38.706920 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072b1 |       TASK | Create admin user
>>>>>>>>>>> 2022-07-13 21:35:42.051623 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072b1 |    CHANGED | Create admin user |
>>>>>>>>>>> undercloud
>>>>>>>>>>> 2022-07-13 21:35:42.053285 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072b1 |     TIMING |
>>>>>>>>>>> tripleo_keystone_resources : Create admin user | undercloud |
>>>>>>>>>>> 0:11:41.145472 | 3.34s
>>>>>>>>>>> 2022-07-13 21:35:42.069370 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072b2 |       TASK | Assign admin role to
>>>>>>>>>>> admin project for admin user
>>>>>>>>>>> 2022-07-13 21:35:45.194891 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072b2 |         OK | Assign admin role to
>>>>>>>>>>> admin project for admin user | undercloud
>>>>>>>>>>> 2022-07-13 21:35:45.196669 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072b2 |     TIMING |
>>>>>>>>>>> tripleo_keystone_resources : Assign admin role to admin project for admin
>>>>>>>>>>> user | undercloud | 0:11:44.288848 | 3.13s
>>>>>>>>>>> 2022-07-13 21:35:45.212674 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072b3 |       TASK | Assign _member_ role to
>>>>>>>>>>> admin project for admin user
>>>>>>>>>>> 2022-07-13 21:35:45.252884 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072b3 |    SKIPPED | Assign _member_ role to
>>>>>>>>>>> admin project for admin user | undercloud
>>>>>>>>>>> 2022-07-13 21:35:45.254283 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072b3 |     TIMING |
>>>>>>>>>>> tripleo_keystone_resources : Assign _member_ role to admin project for
>>>>>>>>>>> admin user | undercloud | 0:11:44.346479 | 0.04s
>>>>>>>>>>> 2022-07-13 21:35:45.270310 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072b4 |       TASK | Create identity service
>>>>>>>>>>> 2022-07-13 21:35:46.928715 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072b4 |         OK | Create identity service
>>>>>>>>>>> | undercloud
>>>>>>>>>>> 2022-07-13 21:35:46.930167 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072b4 |     TIMING |
>>>>>>>>>>> tripleo_keystone_resources : Create identity service | undercloud |
>>>>>>>>>>> 0:11:46.022362 | 1.66s
>>>>>>>>>>> 2022-07-13 21:35:46.946797 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072b5 |       TASK | Create identity public
>>>>>>>>>>> endpoint
>>>>>>>>>>> 2022-07-13 21:35:49.139298 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072b5 |         OK | Create identity public
>>>>>>>>>>> endpoint | undercloud
>>>>>>>>>>> 2022-07-13 21:35:49.141158 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072b5 |     TIMING |
>>>>>>>>>>> tripleo_keystone_resources : Create identity public endpoint | undercloud |
>>>>>>>>>>> 0:11:48.233349 | 2.19s
>>>>>>>>>>> 2022-07-13 21:35:49.157768 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072b6 |       TASK | Create identity
>>>>>>>>>>> internal endpoint
>>>>>>>>>>> 2022-07-13 21:35:51.566826 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072b6 |      FATAL | Create identity
>>>>>>>>>>> internal endpoint | undercloud | error={"changed": false, "extra_data":
>>>>>>>>>>> {"data": null, "details": "The request you have made requires
>>>>>>>>>>> authentication.", "response": "{\"error\":{\"code\":401,\"message\":\"The
>>>>>>>>>>> request you have made requires
>>>>>>>>>>> authentication.\",\"title\":\"Unauthorized\"}}\n"}, "msg": "Failed to list
>>>>>>>>>>> services: Client Error for url:
>>>>>>>>>>> https://[fd00:fd00:fd00:9900::81]:13000/v3/services, The
>>>>>>>>>>> request you have made requires authentication."}
>>>>>>>>>>> 2022-07-13 21:35:51.568473 |
>>>>>>>>>>> 525400ae-089b-870a-fab6-0000000072b6 |     TIMING |
>>>>>>>>>>> tripleo_keystone_resources : Create identity internal endpoint | undercloud
>>>>>>>>>>> | 0:11:50.660654 | 2.41s
>>>>>>>>>>>
>>>>>>>>>>> PLAY RECAP
>>>>>>>>>>> *********************************************************************
>>>>>>>>>>> localhost                  : ok=1    changed=0    unreachable=0
>>>>>>>>>>>    failed=0    skipped=2    rescued=0    ignored=0
>>>>>>>>>>> overcloud-controller-0     : ok=437  changed=103  unreachable=0
>>>>>>>>>>>    failed=0    skipped=214  rescued=0    ignored=0
>>>>>>>>>>> overcloud-controller-1     : ok=435  changed=101  unreachable=0
>>>>>>>>>>>    failed=0    skipped=214  rescued=0    ignored=0
>>>>>>>>>>> overcloud-controller-2     : ok=432  changed=101  unreachable=0
>>>>>>>>>>>    failed=0    skipped=214  rescued=0    ignored=0
>>>>>>>>>>> overcloud-novacompute-0    : ok=345  changed=82   unreachable=0
>>>>>>>>>>>    failed=0    skipped=198  rescued=0    ignored=0
>>>>>>>>>>> undercloud                 : ok=39   changed=7    unreachable=0
>>>>>>>>>>>    failed=1    skipped=6    rescued=0    ignored=0
>>>>>>>>>>>
>>>>>>>>>>> Also :
>>>>>>>>>>> (undercloud) [stack@undercloud oc-cert]$ cat server.csr.cnf
>>>>>>>>>>> [req]
>>>>>>>>>>> default_bits = 2048
>>>>>>>>>>> prompt = no
>>>>>>>>>>> default_md = sha256
>>>>>>>>>>> distinguished_name = dn
>>>>>>>>>>> [dn]
>>>>>>>>>>> C=IN
>>>>>>>>>>> ST=UTTAR PRADESH
>>>>>>>>>>> L=NOIDA
>>>>>>>>>>> O=HSC
>>>>>>>>>>> OU=HSC
>>>>>>>>>>> emailAddress=demo@demo.com
>>>>>>>>>>>
>>>>>>>>>>> v3.ext:
>>>>>>>>>>> (undercloud) [stack@undercloud oc-cert]$ cat v3.ext
>>>>>>>>>>> authorityKeyIdentifier=keyid,issuer
>>>>>>>>>>> basicConstraints=CA:FALSE
>>>>>>>>>>> keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
>>>>>>>>>>> subjectAltName = @alt_names
>>>>>>>>>>> [alt_names]
>>>>>>>>>>> IP.1=fd00:fd00:fd00:9900::81
>>>>>>>>>>>
>>>>>>>>>>> Using these files we create other certificates.
>>>>>>>>>>> Please check and let me know in case we need anything else.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Jul 13, 2022 at 10:00 PM Vikarna Tathe <
>>>>>>>>>>> vikarnatathe at gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Lokendra,
>>>>>>>>>>>>
>>>>>>>>>>>> Are you able to access all the tabs in the OpenStack dashboard
>>>>>>>>>>>> without any error? If not, please retry generating the certificate. Also,
>>>>>>>>>>>> share the openssl.cnf or server.cnf.
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, 13 Jul 2022 at 18:18, Lokendra Rathour <
>>>>>>>>>>>> lokendrarathour at gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Team,
>>>>>>>>>>>>> Any input on this case raised?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>> Lokendra
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Jul 12, 2022 at 10:18 PM Lokendra Rathour <
>>>>>>>>>>>>> lokendrarathour at gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Shephard/Swogat,
>>>>>>>>>>>>>> I tried changing the setting as suggested and it looks like
>>>>>>>>>>>>>> it has failed at step 4 with error:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> :31:32.169420 | 525400ae-089b-fb79-67ac-0000000072ce |
>>>>>>>>>>>>>> TIMING | tripleo_keystone_resources : Create identity public endpoint |
>>>>>>>>>>>>>> undercloud | 0:24:47.736198 | 2.21s
>>>>>>>>>>>>>> 2022-07-12 21:31:32.185594 |
>>>>>>>>>>>>>> 525400ae-089b-fb79-67ac-0000000072cf |       TASK | Create identity
>>>>>>>>>>>>>> internal endpoint
>>>>>>>>>>>>>> 2022-07-12 21:31:34.468996 |
>>>>>>>>>>>>>> 525400ae-089b-fb79-67ac-0000000072cf |      FATAL | Create identity
>>>>>>>>>>>>>> internal endpoint | undercloud | error={"changed": false, "extra_data":
>>>>>>>>>>>>>> {"data": null, "details": "The request you have made requires
>>>>>>>>>>>>>> authentication.", "response": "{\"error\":{\"code\":401,\"message\":\"The
>>>>>>>>>>>>>> request you have made requires
>>>>>>>>>>>>>> authentication.\",\"title\":\"Unauthorized\"}}\n"}, "msg": "Failed to list
>>>>>>>>>>>>>> services: Client Error for url:
>>>>>>>>>>>>>> https://[fd00:fd00:fd00:9900::81]:13000/v3/services, The
>>>>>>>>>>>>>> request you have made requires authentication."}
>>>>>>>>>>>>>> 2022-07-12 21:31:34.470415 | 525400ae-089b-fb79-67ac-000000
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Checking further the endpoint list:
>>>>>>>>>>>>>> I see only one endpoint for keystone is getting created.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>   DeprecationWarning
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> +----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
>>>>>>>>>>>>>> | ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                                     |
>>>>>>>>>>>>>> +----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
>>>>>>>>>>>>>> | 4378dc0a4d8847ee87771699fc7b995e | regionOne | keystone     | identity     | True    | admin     | http://30.30.30.173:35357               |
>>>>>>>>>>>>>> | 67c829e126944431a06ed0c2b97a295f | regionOne | keystone     | identity     | True    | internal  | http://[fd00:fd00:fd00:2000::326]:5000  |
>>>>>>>>>>>>>> | 8a9a3de4993c4ff7903caf95b8ae40fa | regionOne | keystone     | identity     | True    | public    | https://[fd00:fd00:fd00:9900::81]:13000 |
>>>>>>>>>>>>>> +----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> It looks like something related to the SSL; we have also
>>>>>>>>>>>>>> verified that the GUI login screen shows that certificates are applied.
>>>>>>>>>>>>>> Exploring more in the logs; meanwhile, any suggestions or known
>>>>>>>>>>>>>> observations would be of great help.
>>>>>>>>>>>>>> Thanks again for the support.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Best Regards,
>>>>>>>>>>>>>> Lokendra
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Sat, Jul 9, 2022 at 11:24 AM Swogat Pradhan <
>>>>>>>>>>>>>> swogatpradhan22 at gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I had faced a similar kind of issue. For an IP-based setup you
>>>>>>>>>>>>>>> need to specify the domain name as the IP that you are going to use. This
>>>>>>>>>>>>>>> error is showing up because the SSL is IP-based but the FQDNs seem to be
>>>>>>>>>>>>>>> undercloud.com or overcloud.example.com.
>>>>>>>>>>>>>>> I think for undercloud you can change the undercloud.conf.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> And will it work if we specify the clouddomain parameter as the
>>>>>>>>>>>>>>> IP address for overcloud? Because it seems he has not specified the
>>>>>>>>>>>>>>> clouddomain parameter and overcloud.example.com is the
>>>>>>>>>>>>>>> default domain for overcloud.example.com.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Fri, 8 Jul 2022, 6:01 pm Swogat Pradhan, <
>>>>>>>>>>>>>>> swogatpradhan22 at gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> What is the domain name you have specified in the
>>>>>>>>>>>>>>>> undercloud.conf file?
>>>>>>>>>>>>>>>> And what is the fqdn name used for the generation of the
>>>>>>>>>>>>>>>> SSL cert?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Fri, 8 Jul 2022, 5:38 pm Lokendra Rathour, <
>>>>>>>>>>>>>>>> lokendrarathour at gmail.com> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi Team,
>>>>>>>>>>>>>>>>> We were trying to install the overcloud with SSL enabled, for
>>>>>>>>>>>>>>>>> which the UC is installed, but the OC install is failing at step 4:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> ERROR
>>>>>>>>>>>>>>>>> :nectionPool(host='fd00:fd00:fd00:9900::2ef',
>>>>>>>>>>>>>>>>> port=13000): Max retries exceeded with url: / (Caused by
>>>>>>>>>>>>>>>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>>>>>>>>>>>>>>>> match 'undercloud.com'\",),))\n", "module_stdout": "",
>>>>>>>>>>>>>>>>> "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
>>>>>>>>>>>>>>>>> 2022-07-08 17:03:23.606739 |
>>>>>>>>>>>>>>>>> 5254009a-6a3c-adb1-f96f-0000000072ac |      FATAL | Clean up legacy Cinder
>>>>>>>>>>>>>>>>> keystone catalog entries | undercloud | item={'service_name': 'cinderv3',
>>>>>>>>>>>>>>>>> 'service_type': 'volume'} | error={"ansible_index_var":
>>>>>>>>>>>>>>>>> "cinder_api_service", "ansible_loop_var": "item", "changed": false,
>>>>>>>>>>>>>>>>> "cinder_api_service": 1, "item": {"service_name": "cinderv3",
>>>>>>>>>>>>>>>>> "service_type": "volume"}, "module_stderr": "Failed to discover available
>>>>>>>>>>>>>>>>> identity versions when contacting
>>>>>>>>>>>>>>>>> https://[fd00:fd00:fd00:9900::2ef]:13000. Attempting to
>>>>>>>>>>>>>>>>> parse version from URL.\nTraceback (most recent call last):\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 600,
>>>>>>>>>>>>>>>>> in urlopen\n    chunked=chunked)\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 343,
>>>>>>>>>>>>>>>>> in _make_request\n    self._validate_conn(conn)\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 839,
>>>>>>>>>>>>>>>>> in _validate_conn\n    conn.connect()\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/connection.py\", line 378, in
>>>>>>>>>>>>>>>>> connect\n    _match_hostname(cert, self.assert_hostname or
>>>>>>>>>>>>>>>>> server_hostname)\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/connection.py\", line 388, in
>>>>>>>>>>>>>>>>> _match_hostname\n    match_hostname(cert, asserted_hostname)\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib64/python3.6/ssl.py\", line 291, in match_hostname\n    %
>>>>>>>>>>>>>>>>> (hostname, dnsnames[0]))\nssl.CertificateError: hostname
>>>>>>>>>>>>>>>>> 'fd00:fd00:fd00:9900::2ef' doesn't match 'undercloud.com'\n\nDuring
>>>>>>>>>>>>>>>>> handling of the above exception, another exception occurred:\n\nTraceback
>>>>>>>>>>>>>>>>> (most recent call last):\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/requests/adapters.py\", line 449, in
>>>>>>>>>>>>>>>>> send\n    timeout=timeout\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 638,
>>>>>>>>>>>>>>>>> in urlopen\n    _stacktrace=sys.exc_info()[2])\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/util/retry.py\", line 399, in
>>>>>>>>>>>>>>>>> increment\n    raise MaxRetryError(_pool, url, error or
>>>>>>>>>>>>>>>>> ResponseError(cause))\nurllib3.exceptions.MaxRetryError:
>>>>>>>>>>>>>>>>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>>>>>>>>>>>>>>>> retries exceeded with url: / (Caused by
>>>>>>>>>>>>>>>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>>>>>>>>>>>>>>>> match 'undercloud.com'\",),))\n\nDuring handling of the
>>>>>>>>>>>>>>>>> above exception, another exception occurred:\n\nTraceback (most recent call
>>>>>>>>>>>>>>>>> last):\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1022,
>>>>>>>>>>>>>>>>> in _send_request\n    resp = self.session.request(method, url, **kwargs)\n
>>>>>>>>>>>>>>>>>  File \"/usr/lib/python3.6/site-packages/requests/sessions.py\", line 533,
>>>>>>>>>>>>>>>>> in request\n    resp = self.send(prep, **send_kwargs)\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/requests/sessions.py\", line 646, in
>>>>>>>>>>>>>>>>> send\n    r = adapter.send(request, **kwargs)\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/requests/adapters.py\", line 514, in
>>>>>>>>>>>>>>>>> send\n    raise SSLError(e, request=request)\nrequests.exceptions.SSLError:
>>>>>>>>>>>>>>>>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>>>>>>>>>>>>>>>> retries exceeded with url: / (Caused by
>>>>>>>>>>>>>>>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>>>>>>>>>>>>>>>> match 'undercloud.com'\",),))\n\nDuring handling of the
>>>>>>>>>>>>>>>>> above exception, another exception occurred:\n\nTraceback (most recent call
>>>>>>>>>>>>>>>>> last):\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
>>>>>>>>>>>>>>>>> line 138, in _do_create_plugin\n    authenticated=False)\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>>>>>>>>>>>>>>>>> 610, in get_discovery\n    authenticated=authenticated)\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 1452,
>>>>>>>>>>>>>>>>> in get_discovery\n    disc = Discover(session, url,
>>>>>>>>>>>>>>>>> authenticated=authenticated)\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 536,
>>>>>>>>>>>>>>>>> in __init__\n    authenticated=authenticated)\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 102,
>>>>>>>>>>>>>>>>> in get_version_data\n    resp = session.get(url, headers=headers,
>>>>>>>>>>>>>>>>> authenticated=authenticated)\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1141,
>>>>>>>>>>>>>>>>> in get\n    return self.request(url, 'GET', **kwargs)\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 931, in
>>>>>>>>>>>>>>>>> request\n    resp = send(**kwargs)\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1026,
>>>>>>>>>>>>>>>>> in _send_request\n    raise
>>>>>>>>>>>>>>>>> exceptions.SSLError(msg)\nkeystoneauth1.exceptions.connection.SSLError: SSL
>>>>>>>>>>>>>>>>> exception connecting to
>>>>>>>>>>>>>>>>> https://[fd00:fd00:fd00:9900::2ef]:13000:
>>>>>>>>>>>>>>>>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>>>>>>>>>>>>>>>> retries exceeded with url: / (Caused by
>>>>>>>>>>>>>>>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>>>>>>>>>>>>>>>> match 'undercloud.com'\",),))\n\nDuring handling of the
>>>>>>>>>>>>>>>>> above exception, another exception occurred:\n\nTraceback (most recent call
>>>>>>>>>>>>>>>>> last):\n  File \"<stdin>\", line 102, in <module>\n  File \"<stdin>\", line
>>>>>>>>>>>>>>>>> 94, in _ansiballz_main\n  File \"<stdin>\", line 40, in invoke_module\n
>>>>>>>>>>>>>>>>>  File \"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\n
>>>>>>>>>>>>>>>>>  return _run_module_code(code, init_globals, run_name, mod_spec)\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\n
>>>>>>>>>>>>>>>>>  mod_name, mod_spec, pkg_name, script_name)\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\n    exec(code,
>>>>>>>>>>>>>>>>> run_globals)\n  File
>>>>>>>>>>>>>>>>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
>>>>>>>>>>>>>>>>> line 185, in <module>\n  File
>>>>>>>>>>>>>>>>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
>>>>>>>>>>>>>>>>> line 181, in main\n  File
>>>>>>>>>>>>>>>>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/module_utils/openstack.py\",
>>>>>>>>>>>>>>>>> line 407, in __call__\n  File
>>>>>>>>>>>>>>>>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
>>>>>>>>>>>>>>>>> line 141, in run\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\", line
>>>>>>>>>>>>>>>>> 517, in search_services\n    services = self.list_services()\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\", line
>>>>>>>>>>>>>>>>> 492, in list_services\n    if self._is_client_version('identity', 2):\n
>>>>>>>>>>>>>>>>>  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/openstack/cloud/openstackcloud.py\",
>>>>>>>>>>>>>>>>> line 460, in _is_client_version\n    client = getattr(self, client_name)\n
>>>>>>>>>>>>>>>>>  File \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\",
>>>>>>>>>>>>>>>>> line 32, in _identity_client\n    'identity', min_version=2,
>>>>>>>>>>>>>>>>> max_version='3.latest')\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/openstack/cloud/openstackcloud.py\",
>>>>>>>>>>>>>>>>> line 407, in _get_versioned_client\n    if adapter.get_endpoint():\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/adapter.py\", line 291, in
>>>>>>>>>>>>>>>>> get_endpoint\n    return self.session.get_endpoint(auth or self.auth,
>>>>>>>>>>>>>>>>> **kwargs)\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1243,
>>>>>>>>>>>>>>>>> in get_endpoint\n    return auth.get_endpoint(self, **kwargs)\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>>>>>>>>>>>>>>>>> 380, in get_endpoint\n    allow_version_hack=allow_version_hack,
>>>>>>>>>>>>>>>>> **kwargs)\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>>>>>>>>>>>>>>>>> 271, in get_endpoint_data\n    service_catalog =
>>>>>>>>>>>>>>>>> self.get_access(session).service_catalog\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>>>>>>>>>>>>>>>>> 134, in get_access\n    self.auth_ref = self.get_auth_ref(session)\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
>>>>>>>>>>>>>>>>> line 206, in get_auth_ref\n    self._plugin =
>>>>>>>>>>>>>>>>> self._do_create_plugin(session)\n  File
>>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
>>>>>>>>>>>>>>>>> line 161, in _do_create_plugin\n    'auth_url is correct.
>>>>>>>>>>>>>>>>> %s' % e)\nkeystoneauth1.exceptions.discovery.DiscoveryFailure: Could not
>>>>>>>>>>>>>>>>> find versioned identity endpoints when attempting to authenticate. Please
>>>>>>>>>>>>>>>>> check that your auth_url is correct. SSL exception connecting to
>>>>>>>>>>>>>>>>> https://[fd00:fd00:fd00:9900::2ef]:13000:
>>>>>>>>>>>>>>>>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>>>>>>>>>>>>>>>> retries exceeded with url: / (Caused by
>>>>>>>>>>>>>>>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>>>>>>>>>>>>>>>> match 'overcloud.example.com'\",),))\n", "module_stdout":
>>>>>>>>>>>>>>>>> "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
>>>>>>>>>>>>>>>>> 2022-07-08 17:03:23.609354 |
>>>>>>>>>>>>>>>>> 5254009a-6a3c-adb1-f96f-0000000072ac |     TIMING | Clean up legacy Cinder
>>>>>>>>>>>>>>>>> keystone catalog entries | undercloud | 0:11:01.271914 | 2.47s
>>>>>>>>>>>>>>>>> 2022-07-08 17:03:23.611094 |
>>>>>>>>>>>>>>>>> 5254009a-6a3c-adb1-f96f-0000000072ac |     TIMING | Clean up legacy Cinder
>>>>>>>>>>>>>>>>> keystone catalog entries | undercloud | 0:11:01.273659 | 2.47s
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> PLAY RECAP
>>>>>>>>>>>>>>>>> *********************************************************************
>>>>>>>>>>>>>>>>> localhost                  : ok=0    changed=0
>>>>>>>>>>>>>>>>>  unreachable=0    failed=0    skipped=2    rescued=0    ignored=0
>>>>>>>>>>>>>>>>> overcloud-controller-0     : ok=437  changed=104
>>>>>>>>>>>>>>>>>  unreachable=0    failed=0    skipped=214  rescued=0    ignored=0
>>>>>>>>>>>>>>>>> overcloud-controller-1     : ok=436  changed=101
>>>>>>>>>>>>>>>>>  unreachable=0    failed=0    skipped=214  rescued=0    ignored=0
>>>>>>>>>>>>>>>>> overcloud-controller-2     : ok=431  changed=101
>>>>>>>>>>>>>>>>>  unreachable=0    failed=0    skipped=214  rescued=0    ignored=0
>>>>>>>>>>>>>>>>> overcloud-novacompute-0    : ok=345  changed=83
>>>>>>>>>>>>>>>>> unreachable=0    failed=0    skipped=198  rescued=0    ignored=0
>>>>>>>>>>>>>>>>> undercloud                 : ok=28   changed=7
>>>>>>>>>>>>>>>>>  unreachable=0    failed=1    skipped=3    rescued=0    ignored=0
>>>>>>>>>>>>>>>>> 2022-07-08 17:03:23.647270 |
>>>>>>>>>>>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Summary Information
>>>>>>>>>>>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>>>>>>>>>>>>>> 2022-07-08 17:03:23.647907 |
>>>>>>>>>>>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Total Tasks: 1373
>>>>>>>>>>>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> in the deploy.sh:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> openstack overcloud deploy --templates \
>>>>>>>>>>>>>>>>>     -r /home/stack/templates/roles_data.yaml \
>>>>>>>>>>>>>>>>>     --networks-file /home/stack/templates/custom_network_data.yaml \
>>>>>>>>>>>>>>>>>     --vip-file /home/stack/templates/custom_vip_data.yaml \
>>>>>>>>>>>>>>>>>     --baremetal-deployment /home/stack/templates/overcloud-baremetal-deploy.yaml \
>>>>>>>>>>>>>>>>>     --network-config \
>>>>>>>>>>>>>>>>>     -e /home/stack/templates/environment.yaml \
>>>>>>>>>>>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/services/ironic-conductor.yaml \
>>>>>>>>>>>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/services/ironic-inspector.yaml \
>>>>>>>>>>>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/services/ironic-overcloud.yaml \
>>>>>>>>>>>>>>>>>     -e /home/stack/templates/ironic-config.yaml \
>>>>>>>>>>>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/external-ceph.yaml \
>>>>>>>>>>>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/services/ptp.yaml \
>>>>>>>>>>>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-tls.yaml \
>>>>>>>>>>>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-ip.yaml \
>>>>>>>>>>>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/inject-trust-anchor.yaml \
>>>>>>>>>>>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/docker-ha.yaml \
>>>>>>>>>>>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/podman.yaml \
>>>>>>>>>>>>>>>>>     -e /home/stack/containers-prepare-parameter.yaml
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Additional lines, as highlighted in yellow, were passed with
>>>>>>>>>>>>>>>>> modifications:
>>>>>>>>>>>>>>>>> tls-endpoints-public-ip.yaml:
>>>>>>>>>>>>>>>>> Passed as is in the defaults.
>>>>>>>>>>>>>>>>> enable-tls.yaml:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> # *******************************************************************
>>>>>>>>>>>>>>>>> # This file was created automatically by the sample environment
>>>>>>>>>>>>>>>>> # generator. Developers should use `tox -e genconfig` to update it.
>>>>>>>>>>>>>>>>> # Users are recommended to make changes to a copy of the file instead
>>>>>>>>>>>>>>>>> # of the original, if any customizations are needed.
>>>>>>>>>>>>>>>>> # *******************************************************************
>>>>>>>>>>>>>>>>> # title: Enable SSL on OpenStack Public Endpoints
>>>>>>>>>>>>>>>>> # description: |
>>>>>>>>>>>>>>>>> #   Use this environment to pass in certificates for SSL deployments.
>>>>>>>>>>>>>>>>> #   For these values to take effect, one of the tls-endpoints-*.yaml
>>>>>>>>>>>>>>>>> #   environments must also be used.
>>>>>>>>>>>>>>>>> parameter_defaults:
>>>>>>>>>>>>>>>>>   # Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
>>>>>>>>>>>>>>>>>   # Type: boolean
>>>>>>>>>>>>>>>>>   HorizonSecureCookies: True
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>   # Specifies the default CA cert to use if TLS is used for services in the public network.
>>>>>>>>>>>>>>>>>   # Type: string
>>>>>>>>>>>>>>>>>   PublicTLSCAFile: '/etc/pki/ca-trust/source/anchors/overcloud-cacert.pem'
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>   # The content of the SSL certificate (without Key) in PEM format.
>>>>>>>>>>>>>>>>>   # Type: string
>>>>>>>>>>>>>>>>>   SSLRootCertificate: |
>>>>>>>>>>>>>>>>>     -----BEGIN CERTIFICATE-----
>>>>>>>>>>>>>>>>>     ----*** CERTICATELINES TRIMMED **
>>>>>>>>>>>>>>>>>     -----END CERTIFICATE-----
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>   SSLCertificate: |
>>>>>>>>>>>>>>>>>     -----BEGIN CERTIFICATE-----
>>>>>>>>>>>>>>>>>     ----*** CERTICATELINES TRIMMED **
>>>>>>>>>>>>>>>>>     -----END CERTIFICATE-----
>>>>>>>>>>>>>>>>>   # The content of an SSL intermediate CA certificate in PEM format.
>>>>>>>>>>>>>>>>>   # Type: string
>>>>>>>>>>>>>>>>>   SSLIntermediateCertificate: ''
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>   # The content of the SSL Key in PEM format.
>>>>>>>>>>>>>>>>>   # Type: string
>>>>>>>>>>>>>>>>>   SSLKey: |
>>>>>>>>>>>>>>>>>     -----BEGIN PRIVATE KEY-----
>>>>>>>>>>>>>>>>>     ----*** CERTICATELINES TRIMMED **
>>>>>>>>>>>>>>>>>     -----END PRIVATE KEY-----
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>   # ******************************************************
>>>>>>>>>>>>>>>>>   # Static parameters - these are values that must be
>>>>>>>>>>>>>>>>>   # included in the environment but should not be changed.
>>>>>>>>>>>>>>>>>   # ******************************************************
>>>>>>>>>>>>>>>>>   # The filepath of the certificate as it will be stored in the controller.
>>>>>>>>>>>>>>>>>   # Type: string
>>>>>>>>>>>>>>>>>   DeployedSSLCertificatePath: /etc/pki/tls/private/overcloud_endpoint.pem
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>   # *********************
>>>>>>>>>>>>>>>>>   # End static parameters
>>>>>>>>>>>>>>>>>   # *********************
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> inject-trust-anchor.yaml
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> # *******************************************************************
>>>>>>>>>>>>>>>>> # This file was created automatically by the sample environment
>>>>>>>>>>>>>>>>> # generator. Developers should use `tox -e genconfig` to update it.
>>>>>>>>>>>>>>>>> # Users are recommended to make changes to a copy of the file instead
>>>>>>>>>>>>>>>>> # of the original, if any customizations are needed.
>>>>>>>>>>>>>>>>> # *******************************************************************
>>>>>>>>>>>>>>>>> # title: Inject SSL Trust Anchor on Overcloud Nodes
>>>>>>>>>>>>>>>>> # description: |
>>>>>>>>>>>>>>>>> #   When using an SSL certificate signed by a CA that is not in the default
>>>>>>>>>>>>>>>>> #   list of CAs, this environment allows adding a custom CA certificate to
>>>>>>>>>>>>>>>>> #   the overcloud nodes.
>>>>>>>>>>>>>>>>> parameter_defaults:
>>>>>>>>>>>>>>>>>   # The content of a CA's SSL certificate file in PEM format. This is evaluated on the client side.
>>>>>>>>>>>>>>>>>   # Mandatory. This parameter must be set by the user.
>>>>>>>>>>>>>>>>>   # Type: string
>>>>>>>>>>>>>>>>>   SSLRootCertificate: |
>>>>>>>>>>>>>>>>>     -----BEGIN CERTIFICATE-----
>>>>>>>>>>>>>>>>>     ----*** CERTICATELINES TRIMMED **
>>>>>>>>>>>>>>>>>     -----END CERTIFICATE-----
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> resource_registry:
>>>>>>>>>>>>>>>>>   OS::TripleO::NodeTLSCAData: ../../puppet/extraconfig/tls/ca-inject.yaml
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> The procedure to create such files was followed using:
>>>>>>>>>>>>>>>>> Deploying with SSL — TripleO 3.0.0 documentation
>>>>>>>>>>>>>>>>> (openstack.org)
>>>>>>>>>>>>>>>>> <https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/ssl.html>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> The idea is to deploy the overcloud with SSL enabled, i.e. a *self-signed
>>>>>>>>>>>>>>>>> IP-based certificate, without DNS*.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Any idea around this error would be of great help.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> skype: lokendrarathour
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>

-- 
~ Lokendra
skype: lokendrarathour
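
Added example (not part of the original messages and not TripleO code): a pre-flight check for the first failure quoted in this thread, where an IP-literal endpoint was verified against a certificate that only named 'undercloud.com' / 'overcloud.example.com'. It reads the [alt_names] section of a v3.ext file and reports which endpoint URLs would pass hostname verification. The function names are hypothetical, the matching is simplified to SAN entries only (no commonName fallback), and the sample inputs are constructed from values in the thread.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the v3.ext quoted in the thread, with keyUsage on one line.
V3_EXT = """\
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1=fd00:fd00:fd00:9900::81
"""

# Endpoint URLs taken from the errors in the thread, plus one constructed URL
# built on the default overcloud.example.com name mentioned there.
ENDPOINTS = [
    "https://[fd00:fd00:fd00:9900::81]:13000/v3/services",
    "https://[fd00:fd00:fd00:9900::2ef]:13000",
    "https://overcloud.example.com:13000",
]


def parse_alt_names(ext_text, section="alt_names"):
    """Return (dns_names, ip_addresses) from one section of an OpenSSL ext file."""
    dns_names, ip_addresses, current = [], [], None
    for raw in ext_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and padding
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()          # entering a new section
            continue
        if current != section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        kind = key.split(".", 1)[0].upper()       # "IP.1" -> "IP"
        if kind == "DNS":
            dns_names.append(value.lower())
        elif kind == "IP":
            ip_addresses.append(ipaddress.ip_address(value))
    return dns_names, ip_addresses


def _dns_match(pattern, host):
    """Exact match, or '*' as the whole left-most label covering one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def host_matches(host, dns_names, ip_addresses):
    """SAN-only check: IP literals match IP entries, names match DNS entries."""
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        host_ip = None
    if host_ip is not None:
        # Compared as addresses, so "...9900::81" and "...9900:0:0:0:81" are equal.
        # A DNS entry never satisfies an IP-literal host.
        return host_ip in ip_addresses
    return any(_dns_match(name, host) for name in dns_names)


def check_endpoints(urls, ext_text):
    """Map each URL to True/False: would its host pass hostname verification?"""
    dns_names, ip_addresses = parse_alt_names(ext_text)
    return {url: host_matches(urlsplit(url).hostname, dns_names, ip_addresses)
            for url in urls}


if __name__ == "__main__":
    for url, ok in check_endpoints(ENDPOINTS, V3_EXT).items():
        print("OK  " if ok else "FAIL", url)
```

This covers only the certificate-name check; the later 401 "requires authentication" responses in the thread arrive after the TLS handshake has succeeded and are a separate problem.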