[Triple0 - Wallaby] Overcloud deployment getting failed with SSL
Lokendra Rathour
lokendrarathour at gmail.com
Fri Jul 8 12:07:35 UTC 2022
Hi Team,
We were trying to install overcloud with SSL enabled for which the UC is
installed, but OC install is getting failed at step 4:
ERROR
:nectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max retries
exceeded with url: / (Caused by SSLError(CertificateError(\"hostname
'fd00:fd00:fd00:9900::2ef' doesn't match 'undercloud.com'\",),))\n",
"module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the
exact error", "rc": 1}
2022-07-08 17:03:23.606739 | 5254009a-6a3c-adb1-f96f-0000000072ac |
FATAL | Clean up legacy Cinder keystone catalog entries | undercloud |
item={'service_name': 'cinderv3', 'service_type': 'volume'} |
error={"ansible_index_var": "cinder_api_service", "ansible_loop_var":
"item", "changed": false, "cinder_api_service": 1, "item": {"service_name":
"cinderv3", "service_type": "volume"}, "module_stderr": "Failed to discover
available identity versions when contacting
https://[fd00:fd00:fd00:9900::2ef]:13000.
Attempting to parse version from URL.\nTraceback (most recent call last):\n
File \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line
600, in urlopen\n chunked=chunked)\n File
\"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 343,
in _make_request\n self._validate_conn(conn)\n File
\"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 839,
in _validate_conn\n conn.connect()\n File
\"/usr/lib/python3.6/site-packages/urllib3/connection.py\", line 378, in
connect\n _match_hostname(cert, self.assert_hostname or
server_hostname)\n File
\"/usr/lib/python3.6/site-packages/urllib3/connection.py\", line 388, in
_match_hostname\n match_hostname(cert, asserted_hostname)\n File
\"/usr/lib64/python3.6/ssl.py\", line 291, in match_hostname\n %
(hostname, dnsnames[0]))\nssl.CertificateError: hostname
'fd00:fd00:fd00:9900::2ef' doesn't match 'undercloud.com'\n\nDuring
handling of the above exception, another exception occurred:\n\nTraceback
(most recent call last):\n File
\"/usr/lib/python3.6/site-packages/requests/adapters.py\", line 449, in
send\n timeout=timeout\n File
\"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 638,
in urlopen\n _stacktrace=sys.exc_info()[2])\n File
\"/usr/lib/python3.6/site-packages/urllib3/util/retry.py\", line 399, in
increment\n raise MaxRetryError(_pool, url, error or
ResponseError(cause))\nurllib3.exceptions.MaxRetryError:
HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
retries exceeded with url: / (Caused by
SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
match 'undercloud.com'\",),))\n\nDuring handling of the above exception,
another exception occurred:\n\nTraceback (most recent call last):\n File
\"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1022,
in _send_request\n resp = self.session.request(method, url, **kwargs)\n
File \"/usr/lib/python3.6/site-packages/requests/sessions.py\", line 533,
in request\n resp = self.send(prep, **send_kwargs)\n File
\"/usr/lib/python3.6/site-packages/requests/sessions.py\", line 646, in
send\n r = adapter.send(request, **kwargs)\n File
\"/usr/lib/python3.6/site-packages/requests/adapters.py\", line 514, in
send\n raise SSLError(e, request=request)\nrequests.exceptions.SSLError:
HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
retries exceeded with url: / (Caused by
SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
match 'undercloud.com'\",),))\n\nDuring handling of the above exception,
another exception occurred:\n\nTraceback (most recent call last):\n File
\"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
line 138, in _do_create_plugin\n authenticated=False)\n File
\"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
610, in get_discovery\n authenticated=authenticated)\n File
\"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 1452,
in get_discovery\n disc = Discover(session, url,
authenticated=authenticated)\n File
\"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 536,
in __init__\n authenticated=authenticated)\n File
\"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 102,
in get_version_data\n resp = session.get(url, headers=headers,
authenticated=authenticated)\n File
\"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1141,
in get\n return self.request(url, 'GET', **kwargs)\n File
\"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 931, in
request\n resp = send(**kwargs)\n File
\"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1026,
in _send_request\n raise
exceptions.SSLError(msg)\nkeystoneauth1.exceptions.connection.SSLError: SSL
exception connecting to https://[fd00:fd00:fd00:9900::2ef]:13000:
HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
retries exceeded with url: / (Caused by
SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
match 'undercloud.com'\",),))\n\nDuring handling of the above exception,
another exception occurred:\n\nTraceback (most recent call last):\n File
\"<stdin>\", line 102, in <module>\n File \"<stdin>\", line 94, in
_ansiballz_main\n File \"<stdin>\", line 40, in invoke_module\n File
\"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\n return
_run_module_code(code, init_globals, run_name, mod_spec)\n File
\"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\n
mod_name, mod_spec, pkg_name, script_name)\n File
\"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\n exec(code,
run_globals)\n File
\"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
line 185, in <module>\n File
\"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
line 181, in main\n File
\"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/module_utils/openstack.py\",
line 407, in __call__\n File
\"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
line 141, in run\n File
\"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\", line
517, in search_services\n services = self.list_services()\n File
\"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\", line
492, in list_services\n if self._is_client_version('identity', 2):\n
File
\"/usr/lib/python3.6/site-packages/openstack/cloud/openstackcloud.py\",
line 460, in _is_client_version\n client = getattr(self, client_name)\n
File \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\",
line 32, in _identity_client\n 'identity', min_version=2,
max_version='3.latest')\n File
\"/usr/lib/python3.6/site-packages/openstack/cloud/openstackcloud.py\",
line 407, in _get_versioned_client\n if adapter.get_endpoint():\n File
\"/usr/lib/python3.6/site-packages/keystoneauth1/adapter.py\", line 291, in
get_endpoint\n return self.session.get_endpoint(auth or self.auth,
**kwargs)\n File
\"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1243,
in get_endpoint\n return auth.get_endpoint(self, **kwargs)\n File
\"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
380, in get_endpoint\n allow_version_hack=allow_version_hack,
**kwargs)\n File
\"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
271, in get_endpoint_data\n service_catalog =
self.get_access(session).service_catalog\n File
\"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
134, in get_access\n self.auth_ref = self.get_auth_ref(session)\n File
\"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
line 206, in get_auth_ref\n self._plugin =
self._do_create_plugin(session)\n File
\"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
line 161, in _do_create_plugin\n 'auth_url is correct. %s' %
e)\nkeystoneauth1.exceptions.discovery.DiscoveryFailure: Could not find
versioned identity endpoints when attempting to authenticate. Please check
that your auth_url is correct. SSL exception connecting to
https://[fd00:fd00:fd00:9900::2ef]:13000:
HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
retries exceeded with url: / (Caused by
SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
match 'overcloud.example.com'\",),))\n", "module_stdout": "", "msg":
"MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
2022-07-08 17:03:23.609354 | 5254009a-6a3c-adb1-f96f-0000000072ac |
TIMING | Clean up legacy Cinder keystone catalog entries | undercloud |
0:11:01.271914 | 2.47s
2022-07-08 17:03:23.611094 | 5254009a-6a3c-adb1-f96f-0000000072ac |
TIMING | Clean up legacy Cinder keystone catalog entries | undercloud |
0:11:01.273659 | 2.47s
PLAY RECAP
*********************************************************************
localhost : ok=0 changed=0 unreachable=0 failed=0
skipped=2 rescued=0 ignored=0
overcloud-controller-0 : ok=437 changed=104 unreachable=0 failed=0
skipped=214 rescued=0 ignored=0
overcloud-controller-1 : ok=436 changed=101 unreachable=0 failed=0
skipped=214 rescued=0 ignored=0
overcloud-controller-2 : ok=431 changed=101 unreachable=0 failed=0
skipped=214 rescued=0 ignored=0
overcloud-novacompute-0 : ok=345 changed=83 unreachable=0 failed=0
skipped=198 rescued=0 ignored=0
undercloud : ok=28 changed=7 unreachable=0 failed=1
skipped=3 rescued=0 ignored=0
2022-07-08 17:03:23.647270 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Summary
Information ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2022-07-08 17:03:23.647907 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Total Tasks:
1373 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
in the deploy.sh:
openstack overcloud deploy --templates \
-r /home/stack/templates/roles_data.yaml \
--networks-file /home/stack/templates/custom_network_data.yaml \
--vip-file /home/stack/templates/custom_vip_data.yaml \
--baremetal-deployment
/home/stack/templates/overcloud-baremetal-deploy.yaml \
--network-config \
-e /home/stack/templates/environment.yaml \
-e
/usr/share/openstack-tripleo-heat-templates/environments/services/ironic-conductor.yaml
\
-e
/usr/share/openstack-tripleo-heat-templates/environments/services/ironic-inspector.yaml
\
-e
/usr/share/openstack-tripleo-heat-templates/environments/services/ironic-overcloud.yaml
\
-e /home/stack/templates/ironic-config.yaml \
-e
/usr/share/openstack-tripleo-heat-templates/environments/external-ceph.yaml
\
-e
/usr/share/openstack-tripleo-heat-templates/environments/services/ptp.yaml \
-e
/usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-tls.yaml
\
-e
/usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-ip.yaml
\
-e
/usr/share/openstack-tripleo-heat-templates/environments/ssl/inject-trust-anchor.yaml
\
-e
/usr/share/openstack-tripleo-heat-templates/environments/docker-ha.yaml \
-e /usr/share/openstack-tripleo-heat-templates/environments/podman.yaml
\
-e /home/stack/containers-prepare-parameter.yaml
Addition lines as highlighted in yellow were passed with modifications:
tls-endpoints-public-ip.yaml:
Passed as is in the defaults.
enable-tls.yaml:
# *******************************************************************
# This file was created automatically by the sample environment
# generator. Developers should use `tox -e genconfig` to update it.
# Users are recommended to make changes to a copy of the file instead
# of the original, if any customizations are needed.
# *******************************************************************
# title: Enable SSL on OpenStack Public Endpoints
# description: |
# Use this environment to pass in certificates for SSL deployments.
# For these values to take effect, one of the tls-endpoints-*.yaml
# environments must also be used.
parameter_defaults:
# Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
# Type: boolean
HorizonSecureCookies: True
# Specifies the default CA cert to use if TLS is used for services in the
public network.
# Type: string
PublicTLSCAFile: '/etc/pki/ca-trust/source/anchors/overcloud-cacert.pem'
# The content of the SSL certificate (without Key) in PEM format.
# Type: string
SSLRootCertificate: |
-----BEGIN CERTIFICATE-----
----*** CERTICATELINES TRIMMED **
-----END CERTIFICATE-----
SSLCertificate: |
-----BEGIN CERTIFICATE-----
----*** CERTICATELINES TRIMMED **
-----END CERTIFICATE-----
# The content of an SSL intermediate CA certificate in PEM format.
# Type: string
SSLIntermediateCertificate: ''
# The content of the SSL Key in PEM format.
# Type: string
SSLKey: |
-----BEGIN PRIVATE KEY-----
----*** CERTICATELINES TRIMMED **
-----END PRIVATE KEY-----
# ******************************************************
# Static parameters - these are values that must be
# included in the environment but should not be changed.
# ******************************************************
# The filepath of the certificate as it will be stored in the controller.
# Type: string
DeployedSSLCertificatePath: /etc/pki/tls/private/overcloud_endpoint.pem
# *********************
# End static parameters
# *********************
inject-trust-anchor.yaml
# *******************************************************************
# This file was created automatically by the sample environment
# generator. Developers should use `tox -e genconfig` to update it.
# Users are recommended to make changes to a copy of the file instead
# of the original, if any customizations are needed.
# *******************************************************************
# title: Inject SSL Trust Anchor on Overcloud Nodes
# description: |
# When using an SSL certificate signed by a CA that is not in the default
# list of CAs, this environment allows adding a custom CA certificate to
# the overcloud nodes.
parameter_defaults:
# The content of a CA's SSL certificate file in PEM format. This is
evaluated on the client side.
# Mandatory. This parameter must be set by the user.
# Type: string
SSLRootCertificate: |
-----BEGIN CERTIFICATE-----
----*** CERTICATELINES TRIMMED **
-----END CERTIFICATE-----
resource_registry:
OS::TripleO::NodeTLSCAData: ../../puppet/extraconfig/tls/ca-inject.yaml
The procedure to create such files was followed using:
Deploying with SSL — TripleO 3.0.0 documentation (openstack.org)
<https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/ssl.html>
Idea is to deploy overcloud with SSL enabled i.e* Self-signed IP-based
certificate, without DNS. *
Any idea around this error would be of great help.
--
skype: lokendrarathour
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.openstack.org/pipermail/openstack-discuss/attachments/20220708/d1da82e5/attachment-0001.htm>
More information about the openstack-discuss
mailing list