[Triple0 - Wallaby] Overcloud deployment getting failed with SSL
Swogat Pradhan
swogatpradhan22 at gmail.com
Fri Jul 8 12:31:33 UTC 2022
What is the domain name you have specified in the undercloud.conf file?
And what is the fqdn name used for the generation of the SSL cert?
On Fri, 8 Jul 2022, 5:38 pm Lokendra Rathour, <lokendrarathour at gmail.com>
wrote:
> Hi Team,
> We were trying to install overcloud with SSL enabled for which the UC is
> installed, but OC install is getting failed at step 4:
>
> ERROR
> :nectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max retries
> exceeded with url: / (Caused by SSLError(CertificateError(\"hostname
> 'fd00:fd00:fd00:9900::2ef' doesn't match 'undercloud.com'\",),))\n",
> "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the
> exact error", "rc": 1}
> 2022-07-08 17:03:23.606739 | 5254009a-6a3c-adb1-f96f-0000000072ac |
> FATAL | Clean up legacy Cinder keystone catalog entries | undercloud |
> item={'service_name': 'cinderv3', 'service_type': 'volume'} |
> error={"ansible_index_var": "cinder_api_service", "ansible_loop_var":
> "item", "changed": false, "cinder_api_service": 1, "item": {"service_name":
> "cinderv3", "service_type": "volume"}, "module_stderr": "Failed to discover
> available identity versions when contacting https://[fd00:fd00:fd00:9900::2ef]:13000.
> Attempting to parse version from URL.\nTraceback (most recent call last):\n
> File \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line
> 600, in urlopen\n chunked=chunked)\n File
> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 343,
> in _make_request\n self._validate_conn(conn)\n File
> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 839,
> in _validate_conn\n conn.connect()\n File
> \"/usr/lib/python3.6/site-packages/urllib3/connection.py\", line 378, in
> connect\n _match_hostname(cert, self.assert_hostname or
> server_hostname)\n File
> \"/usr/lib/python3.6/site-packages/urllib3/connection.py\", line 388, in
> _match_hostname\n match_hostname(cert, asserted_hostname)\n File
> \"/usr/lib64/python3.6/ssl.py\", line 291, in match_hostname\n %
> (hostname, dnsnames[0]))\nssl.CertificateError: hostname
> 'fd00:fd00:fd00:9900::2ef' doesn't match 'undercloud.com'\n\nDuring
> handling of the above exception, another exception occurred:\n\nTraceback
> (most recent call last):\n File
> \"/usr/lib/python3.6/site-packages/requests/adapters.py\", line 449, in
> send\n timeout=timeout\n File
> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 638,
> in urlopen\n _stacktrace=sys.exc_info()[2])\n File
> \"/usr/lib/python3.6/site-packages/urllib3/util/retry.py\", line 399, in
> increment\n raise MaxRetryError(_pool, url, error or
> ResponseError(cause))\nurllib3.exceptions.MaxRetryError:
> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
> retries exceeded with url: / (Caused by
> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
> match 'undercloud.com'\",),))\n\nDuring handling of the above exception,
> another exception occurred:\n\nTraceback (most recent call last):\n File
> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1022,
> in _send_request\n resp = self.session.request(method, url, **kwargs)\n
> File \"/usr/lib/python3.6/site-packages/requests/sessions.py\", line 533,
> in request\n resp = self.send(prep, **send_kwargs)\n File
> \"/usr/lib/python3.6/site-packages/requests/sessions.py\", line 646, in
> send\n r = adapter.send(request, **kwargs)\n File
> \"/usr/lib/python3.6/site-packages/requests/adapters.py\", line 514, in
> send\n raise SSLError(e, request=request)\nrequests.exceptions.SSLError:
> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
> retries exceeded with url: / (Caused by
> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
> match 'undercloud.com'\",),))\n\nDuring handling of the above exception,
> another exception occurred:\n\nTraceback (most recent call last):\n File
> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
> line 138, in _do_create_plugin\n authenticated=False)\n File
> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
> 610, in get_discovery\n authenticated=authenticated)\n File
> \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 1452,
> in get_discovery\n disc = Discover(session, url,
> authenticated=authenticated)\n File
> \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 536,
> in __init__\n authenticated=authenticated)\n File
> \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 102,
> in get_version_data\n resp = session.get(url, headers=headers,
> authenticated=authenticated)\n File
> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1141,
> in get\n return self.request(url, 'GET', **kwargs)\n File
> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 931, in
> request\n resp = send(**kwargs)\n File
> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1026,
> in _send_request\n raise
> exceptions.SSLError(msg)\nkeystoneauth1.exceptions.connection.SSLError: SSL
> exception connecting to https://[fd00:fd00:fd00:9900::2ef]:13000:
> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
> retries exceeded with url: / (Caused by
> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
> match 'undercloud.com'\",),))\n\nDuring handling of the above exception,
> another exception occurred:\n\nTraceback (most recent call last):\n File
> \"<stdin>\", line 102, in <module>\n File \"<stdin>\", line 94, in
> _ansiballz_main\n File \"<stdin>\", line 40, in invoke_module\n File
> \"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\n return
> _run_module_code(code, init_globals, run_name, mod_spec)\n File
> \"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\n
> mod_name, mod_spec, pkg_name, script_name)\n File
> \"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\n exec(code,
> run_globals)\n File
> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
> line 185, in <module>\n File
> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
> line 181, in main\n File
> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/module_utils/openstack.py\",
> line 407, in __call__\n File
> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
> line 141, in run\n File
> \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\", line
> 517, in search_services\n services = self.list_services()\n File
> \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\", line
> 492, in list_services\n if self._is_client_version('identity', 2):\n
> File
> \"/usr/lib/python3.6/site-packages/openstack/cloud/openstackcloud.py\",
> line 460, in _is_client_version\n client = getattr(self, client_name)\n
> File \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\",
> line 32, in _identity_client\n 'identity', min_version=2,
> max_version='3.latest')\n File
> \"/usr/lib/python3.6/site-packages/openstack/cloud/openstackcloud.py\",
> line 407, in _get_versioned_client\n if adapter.get_endpoint():\n File
> \"/usr/lib/python3.6/site-packages/keystoneauth1/adapter.py\", line 291, in
> get_endpoint\n return self.session.get_endpoint(auth or self.auth,
> **kwargs)\n File
> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1243,
> in get_endpoint\n return auth.get_endpoint(self, **kwargs)\n File
> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
> 380, in get_endpoint\n allow_version_hack=allow_version_hack,
> **kwargs)\n File
> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
> 271, in get_endpoint_data\n service_catalog =
> self.get_access(session).service_catalog\n File
> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
> 134, in get_access\n self.auth_ref = self.get_auth_ref(session)\n File
> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
> line 206, in get_auth_ref\n self._plugin =
> self._do_create_plugin(session)\n File
> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
> line 161, in _do_create_plugin\n 'auth_url is correct. %s' %
> e)\nkeystoneauth1.exceptions.discovery.DiscoveryFailure: Could not find
> versioned identity endpoints when attempting to authenticate. Please check
> that your auth_url is correct. SSL exception connecting to https://[fd00:fd00:fd00:9900::2ef]:13000:
> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
> retries exceeded with url: / (Caused by
> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
> match 'overcloud.example.com'\",),))\n", "module_stdout": "", "msg":
> "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
> 2022-07-08 17:03:23.609354 | 5254009a-6a3c-adb1-f96f-0000000072ac |
> TIMING | Clean up legacy Cinder keystone catalog entries | undercloud |
> 0:11:01.271914 | 2.47s
> 2022-07-08 17:03:23.611094 | 5254009a-6a3c-adb1-f96f-0000000072ac |
> TIMING | Clean up legacy Cinder keystone catalog entries | undercloud |
> 0:11:01.273659 | 2.47s
>
> PLAY RECAP
> *********************************************************************
> localhost : ok=0 changed=0 unreachable=0
> failed=0 skipped=2 rescued=0 ignored=0
> overcloud-controller-0 : ok=437 changed=104 unreachable=0
> failed=0 skipped=214 rescued=0 ignored=0
> overcloud-controller-1 : ok=436 changed=101 unreachable=0
> failed=0 skipped=214 rescued=0 ignored=0
> overcloud-controller-2 : ok=431 changed=101 unreachable=0
> failed=0 skipped=214 rescued=0 ignored=0
> overcloud-novacompute-0 : ok=345 changed=83 unreachable=0
> failed=0 skipped=198 rescued=0 ignored=0
> undercloud : ok=28 changed=7 unreachable=0
> failed=1 skipped=3 rescued=0 ignored=0
> 2022-07-08 17:03:23.647270 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Summary
> Information ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 2022-07-08 17:03:23.647907 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Total Tasks:
> 1373 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
> in the deploy.sh:
>
> openstack overcloud deploy --templates \
> -r /home/stack/templates/roles_data.yaml \
> --networks-file /home/stack/templates/custom_network_data.yaml \
> --vip-file /home/stack/templates/custom_vip_data.yaml \
> --baremetal-deployment
> /home/stack/templates/overcloud-baremetal-deploy.yaml \
> --network-config \
> -e /home/stack/templates/environment.yaml \
> -e
> /usr/share/openstack-tripleo-heat-templates/environments/services/ironic-conductor.yaml
> \
> -e
> /usr/share/openstack-tripleo-heat-templates/environments/services/ironic-inspector.yaml
> \
> -e
> /usr/share/openstack-tripleo-heat-templates/environments/services/ironic-overcloud.yaml
> \
> -e /home/stack/templates/ironic-config.yaml \
> -e
> /usr/share/openstack-tripleo-heat-templates/environments/external-ceph.yaml
> \
> -e
> /usr/share/openstack-tripleo-heat-templates/environments/services/ptp.yaml \
> -e
> /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-tls.yaml
> \
> -e
> /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-ip.yaml
> \
> -e
> /usr/share/openstack-tripleo-heat-templates/environments/ssl/inject-trust-anchor.yaml
> \
> -e
> /usr/share/openstack-tripleo-heat-templates/environments/docker-ha.yaml \
> -e
> /usr/share/openstack-tripleo-heat-templates/environments/podman.yaml \
> -e /home/stack/containers-prepare-parameter.yaml
>
> Addition lines as highlighted in yellow were passed with modifications:
> tls-endpoints-public-ip.yaml:
> Passed as is in the defaults.
> enable-tls.yaml:
>
> # *******************************************************************
> # This file was created automatically by the sample environment
> # generator. Developers should use `tox -e genconfig` to update it.
> # Users are recommended to make changes to a copy of the file instead
> # of the original, if any customizations are needed.
> # *******************************************************************
> # title: Enable SSL on OpenStack Public Endpoints
> # description: |
> # Use this environment to pass in certificates for SSL deployments.
> # For these values to take effect, one of the tls-endpoints-*.yaml
> # environments must also be used.
> parameter_defaults:
> # Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
> # Type: boolean
> HorizonSecureCookies: True
>
> # Specifies the default CA cert to use if TLS is used for services in
> the public network.
> # Type: string
> PublicTLSCAFile: '/etc/pki/ca-trust/source/anchors/overcloud-cacert.pem'
>
> # The content of the SSL certificate (without Key) in PEM format.
> # Type: string
> SSLRootCertificate: |
> -----BEGIN CERTIFICATE-----
> ----*** CERTICATELINES TRIMMED **
> -----END CERTIFICATE-----
>
> SSLCertificate: |
> -----BEGIN CERTIFICATE-----
> ----*** CERTICATELINES TRIMMED **
> -----END CERTIFICATE-----
> # The content of an SSL intermediate CA certificate in PEM format.
> # Type: string
> SSLIntermediateCertificate: ''
>
> # The content of the SSL Key in PEM format.
> # Type: string
> SSLKey: |
> -----BEGIN PRIVATE KEY-----
> ----*** CERTICATELINES TRIMMED **
> -----END PRIVATE KEY-----
>
> # ******************************************************
> # Static parameters - these are values that must be
> # included in the environment but should not be changed.
> # ******************************************************
> # The filepath of the certificate as it will be stored in the controller.
> # Type: string
> DeployedSSLCertificatePath: /etc/pki/tls/private/overcloud_endpoint.pem
>
> # *********************
> # End static parameters
> # *********************
>
> inject-trust-anchor.yaml
>
> # *******************************************************************
> # This file was created automatically by the sample environment
> # generator. Developers should use `tox -e genconfig` to update it.
> # Users are recommended to make changes to a copy of the file instead
> # of the original, if any customizations are needed.
> # *******************************************************************
> # title: Inject SSL Trust Anchor on Overcloud Nodes
> # description: |
> # When using an SSL certificate signed by a CA that is not in the default
> # list of CAs, this environment allows adding a custom CA certificate to
> # the overcloud nodes.
> parameter_defaults:
> # The content of a CA's SSL certificate file in PEM format. This is
> evaluated on the client side.
> # Mandatory. This parameter must be set by the user.
> # Type: string
> SSLRootCertificate: |
> -----BEGIN CERTIFICATE-----
> ----*** CERTICATELINES TRIMMED **
> -----END CERTIFICATE-----
>
> resource_registry:
> OS::TripleO::NodeTLSCAData: ../../puppet/extraconfig/tls/ca-inject.yaml
>
>
>
>
> The procedure to create such files was followed using:
> Deploying with SSL — TripleO 3.0.0 documentation (openstack.org)
> <https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/ssl.html>
>
> Idea is to deploy overcloud with SSL enabled i.e* Self-signed IP-based
> certificate, without DNS. *
>
> Any idea around this error would be of great help.
>
> --
> skype: lokendrarathour
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.openstack.org/pipermail/openstack-discuss/attachments/20220708/25ff23e3/attachment-0001.htm>
More information about the openstack-discuss
mailing list