[Triple0 - Wallaby] Overcloud deployment getting failed with SSL

Brendan Shephard bshephar at redhat.com
Fri Jul 8 21:21:11 UTC 2022


Hey,

It looks like you have set the dns name on the SSL certificate to
overcloud.example.com instead of the IP address. So the SSL cert validation
is failing.

Caused by SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef'
doesn't match 'overcloud.example.com'\",),))

Note point number 1 here:
https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/ssl.html#certificate-and-public-vip-configuration

It's actually worded poorly. I don't believe IPs can be set for the common
name, and we need to use subjectAltName instead. See below:

So, when you create this file:

[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=AU
ST=Queensland
L=Brisbane
O=your-org
OU=admin
emailAddress=me@example.com
CN=openstack.example.com


Remove the CN= part from that file:

[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=AU
ST=Queensland
L=Brisbane
O=your-org
OU=admin
emailAddress=me@example.com


Then in the v3.ext file set IP.1=fd00:fd00:fd00:9900::2ef like so:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
IP.1=fd00:fd00:fd00:9900::2ef


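As an added illustration of why the SAN change matters (example code, not from Brendan's reply or the TripleO docs): a simplified hostname matcher modelled on RFC 6125 and the checks in Python's ssl module, run against two constructed certificates in the shape getpeercert() returns. The first reproduces the message from the deploy log (CN only, no SAN); the second carries the IP.1 SAN and matches the address even when it is spelled in expanded or upper-case form.

```python
import ipaddress

# Constructed certificates in the shape ssl.SSLSocket.getpeercert() returns.
# CERT_CN_ONLY is what the failing deploy presented (CN set, no SAN);
# CERT_WITH_IP_SAN is what the corrected openssl.cnf plus v3.ext produce.
CERT_CN_ONLY = {
    "subject": ((("commonName", "overcloud.example.com"),),),
}
CERT_WITH_IP_SAN = {
    "subject": ((("organizationName", "your-org"),),),
    "subjectAltName": (("IP Address", "fd00:fd00:fd00:9900::2ef"),),
}


def _dnsname_match(pattern, hostname):
    """Case-insensitive dNSName match; one leading '*' label is allowed."""
    pat = pattern.lower().split(".")
    host = hostname.lower().split(".")
    if len(pat) != len(host):
        return False
    return all(p == h or (i == 0 and p == "*" and len(pat) > 1)
               for i, (p, h) in enumerate(zip(pat, host)))


def check_hostname(cert, hostname):
    """Simplified matcher modelled on RFC 6125 and Python's ssl checks.
    Returns None when the cert is valid for `hostname`, otherwise a message
    in the form seen in the deploy traceback. Rules: an IP literal is compared
    only against SAN 'IP Address' entries (never the CN); a DNS name is
    compared against SAN dNSName entries, and the CN is consulted only when
    the cert carries no dNSName at all."""
    try:
        host_ip = ipaddress.ip_address(hostname)
    except ValueError:
        host_ip = None
    names, has_dnsname = [], False
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            has_dnsname = True
            if host_ip is None and _dnsname_match(value, hostname):
                return None
            names.append(value)
        elif kind == "IP Address":
            # Compare parsed addresses, so 'fd00:...::2ef' equals the
            # expanded spelling 'fd00:...:0:0:0:2ef'.
            try:
                if host_ip is not None and ipaddress.ip_address(value) == host_ip:
                    return None
            except ValueError:
                pass  # malformed SAN entry; it can never match
            names.append(value)
    if not has_dnsname:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    if host_ip is None and _dnsname_match(value, hostname):
                        return None
                    names.append(value)
    if not names:
        return "no appropriate commonName or subjectAltName fields were found"
    return "hostname %r doesn't match %s" % (
        hostname, " or ".join(repr(n) for n in names))
```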


On Fri, 8 Jul 2022 at 10:31 pm, Swogat Pradhan <swogatpradhan22 at gmail.com>
wrote:

> What is the domain name you have specified in the undercloud.conf file?
> And what is the fqdn name used for the generation of the SSL cert?
>
> On Fri, 8 Jul 2022, 5:38 pm Lokendra Rathour, <lokendrarathour at gmail.com>
> wrote:
>
>> Hi Team,
>> We were trying to install overcloud with SSL enabled for which the UC is
>> installed, but OC install is getting failed at step 4:
>>
>> ERROR
>> :nectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max retries
>> exceeded with url: / (Caused by SSLError(CertificateError(\"hostname
>> 'fd00:fd00:fd00:9900::2ef' doesn't match 'undercloud.com'\",),))\n",
>> "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the
>> exact error", "rc": 1}
>> 2022-07-08 17:03:23.606739 | 5254009a-6a3c-adb1-f96f-0000000072ac |
>>  FATAL | Clean up legacy Cinder keystone catalog entries | undercloud |
>> item={'service_name': 'cinderv3', 'service_type': 'volume'} |
>> error={"ansible_index_var": "cinder_api_service", "ansible_loop_var":
>> "item", "changed": false, "cinder_api_service": 1, "item": {"service_name":
>> "cinderv3", "service_type": "volume"}, "module_stderr": "Failed to discover
>> available identity versions when contacting https://[fd00:fd00:fd00:9900::2ef]:13000.
>> Attempting to parse version from URL.\nTraceback (most recent call last):\n
>>  File \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line
>> 600, in urlopen\n    chunked=chunked)\n  File
>> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 343,
>> in _make_request\n    self._validate_conn(conn)\n  File
>> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 839,
>> in _validate_conn\n    conn.connect()\n  File
>> \"/usr/lib/python3.6/site-packages/urllib3/connection.py\", line 378, in
>> connect\n    _match_hostname(cert, self.assert_hostname or
>> server_hostname)\n  File
>> \"/usr/lib/python3.6/site-packages/urllib3/connection.py\", line 388, in
>> _match_hostname\n    match_hostname(cert, asserted_hostname)\n  File
>> \"/usr/lib64/python3.6/ssl.py\", line 291, in match_hostname\n    %
>> (hostname, dnsnames[0]))\nssl.CertificateError: hostname
>> 'fd00:fd00:fd00:9900::2ef' doesn't match 'undercloud.com'\n\nDuring
>> handling of the above exception, another exception occurred:\n\nTraceback
>> (most recent call last):\n  File
>> \"/usr/lib/python3.6/site-packages/requests/adapters.py\", line 449, in
>> send\n    timeout=timeout\n  File
>> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 638,
>> in urlopen\n    _stacktrace=sys.exc_info()[2])\n  File
>> \"/usr/lib/python3.6/site-packages/urllib3/util/retry.py\", line 399, in
>> increment\n    raise MaxRetryError(_pool, url, error or
>> ResponseError(cause))\nurllib3.exceptions.MaxRetryError:
>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>> retries exceeded with url: / (Caused by
>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>> match 'undercloud.com'\",),))\n\nDuring handling of the above exception,
>> another exception occurred:\n\nTraceback (most recent call last):\n  File
>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1022,
>> in _send_request\n    resp = self.session.request(method, url, **kwargs)\n
>>  File \"/usr/lib/python3.6/site-packages/requests/sessions.py\", line 533,
>> in request\n    resp = self.send(prep, **send_kwargs)\n  File
>> \"/usr/lib/python3.6/site-packages/requests/sessions.py\", line 646, in
>> send\n    r = adapter.send(request, **kwargs)\n  File
>> \"/usr/lib/python3.6/site-packages/requests/adapters.py\", line 514, in
>> send\n    raise SSLError(e, request=request)\nrequests.exceptions.SSLError:
>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>> retries exceeded with url: / (Caused by
>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>> match 'undercloud.com'\",),))\n\nDuring handling of the above exception,
>> another exception occurred:\n\nTraceback (most recent call last):\n  File
>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
>> line 138, in _do_create_plugin\n    authenticated=False)\n  File
>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>> 610, in get_discovery\n    authenticated=authenticated)\n  File
>> \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 1452,
>> in get_discovery\n    disc = Discover(session, url,
>> authenticated=authenticated)\n  File
>> \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 536,
>> in __init__\n    authenticated=authenticated)\n  File
>> \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 102,
>> in get_version_data\n    resp = session.get(url, headers=headers,
>> authenticated=authenticated)\n  File
>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1141,
>> in get\n    return self.request(url, 'GET', **kwargs)\n  File
>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 931, in
>> request\n    resp = send(**kwargs)\n  File
>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1026,
>> in _send_request\n    raise
>> exceptions.SSLError(msg)\nkeystoneauth1.exceptions.connection.SSLError: SSL
>> exception connecting to https://[fd00:fd00:fd00:9900::2ef]:13000:
>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>> retries exceeded with url: / (Caused by
>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>> match 'undercloud.com'\",),))\n\nDuring handling of the above exception,
>> another exception occurred:\n\nTraceback (most recent call last):\n  File
>> \"<stdin>\", line 102, in <module>\n  File \"<stdin>\", line 94, in
>> _ansiballz_main\n  File \"<stdin>\", line 40, in invoke_module\n  File
>> \"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\n    return
>> _run_module_code(code, init_globals, run_name, mod_spec)\n  File
>> \"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\n
>>  mod_name, mod_spec, pkg_name, script_name)\n  File
>> \"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\n    exec(code,
>> run_globals)\n  File
>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
>> line 185, in <module>\n  File
>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
>> line 181, in main\n  File
>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/module_utils/openstack.py\",
>> line 407, in __call__\n  File
>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
>> line 141, in run\n  File
>> \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\", line
>> 517, in search_services\n    services = self.list_services()\n  File
>> \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\", line
>> 492, in list_services\n    if self._is_client_version('identity', 2):\n
>>  File
>> \"/usr/lib/python3.6/site-packages/openstack/cloud/openstackcloud.py\",
>> line 460, in _is_client_version\n    client = getattr(self, client_name)\n
>>  File \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\",
>> line 32, in _identity_client\n    'identity', min_version=2,
>> max_version='3.latest')\n  File
>> \"/usr/lib/python3.6/site-packages/openstack/cloud/openstackcloud.py\",
>> line 407, in _get_versioned_client\n    if adapter.get_endpoint():\n  File
>> \"/usr/lib/python3.6/site-packages/keystoneauth1/adapter.py\", line 291, in
>> get_endpoint\n    return self.session.get_endpoint(auth or self.auth,
>> **kwargs)\n  File
>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1243,
>> in get_endpoint\n    return auth.get_endpoint(self, **kwargs)\n  File
>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>> 380, in get_endpoint\n    allow_version_hack=allow_version_hack,
>> **kwargs)\n  File
>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>> 271, in get_endpoint_data\n    service_catalog =
>> self.get_access(session).service_catalog\n  File
>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>> 134, in get_access\n    self.auth_ref = self.get_auth_ref(session)\n  File
>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
>> line 206, in get_auth_ref\n    self._plugin =
>> self._do_create_plugin(session)\n  File
>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
>> line 161, in _do_create_plugin\n    'auth_url is correct. %s' %
>> e)\nkeystoneauth1.exceptions.discovery.DiscoveryFailure: Could not find
>> versioned identity endpoints when attempting to authenticate. Please check
>> that your auth_url is correct. SSL exception connecting to https://[fd00:fd00:fd00:9900::2ef]:13000:
>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>> retries exceeded with url: / (Caused by
>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>> match 'overcloud.example.com'\",),))\n", "module_stdout": "", "msg":
>> "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
>> 2022-07-08 17:03:23.609354 | 5254009a-6a3c-adb1-f96f-0000000072ac |
>> TIMING | Clean up legacy Cinder keystone catalog entries | undercloud |
>> 0:11:01.271914 | 2.47s
>> 2022-07-08 17:03:23.611094 | 5254009a-6a3c-adb1-f96f-0000000072ac |
>> TIMING | Clean up legacy Cinder keystone catalog entries | undercloud |
>> 0:11:01.273659 | 2.47s
>>
>> PLAY RECAP
>> *********************************************************************
>> localhost                  : ok=0    changed=0    unreachable=0
>>  failed=0    skipped=2    rescued=0    ignored=0
>> overcloud-controller-0     : ok=437  changed=104  unreachable=0
>>  failed=0    skipped=214  rescued=0    ignored=0
>> overcloud-controller-1     : ok=436  changed=101  unreachable=0
>>  failed=0    skipped=214  rescued=0    ignored=0
>> overcloud-controller-2     : ok=431  changed=101  unreachable=0
>>  failed=0    skipped=214  rescued=0    ignored=0
>> overcloud-novacompute-0    : ok=345  changed=83   unreachable=0
>>  failed=0    skipped=198  rescued=0    ignored=0
>> undercloud                 : ok=28   changed=7    unreachable=0
>>  failed=1    skipped=3    rescued=0    ignored=0
>> 2022-07-08 17:03:23.647270 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Summary
>> Information ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> 2022-07-08 17:03:23.647907 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Total
>> Tasks: 1373       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>>
>> in the deploy.sh:
>>
>> openstack overcloud deploy --templates \
>>     -r /home/stack/templates/roles_data.yaml \
>>     --networks-file /home/stack/templates/custom_network_data.yaml \
>>     --vip-file /home/stack/templates/custom_vip_data.yaml \
>>     --baremetal-deployment /home/stack/templates/overcloud-baremetal-deploy.yaml \
>>     --network-config \
>>     -e /home/stack/templates/environment.yaml \
>>     -e /usr/share/openstack-tripleo-heat-templates/environments/services/ironic-conductor.yaml \
>>     -e /usr/share/openstack-tripleo-heat-templates/environments/services/ironic-inspector.yaml \
>>     -e /usr/share/openstack-tripleo-heat-templates/environments/services/ironic-overcloud.yaml \
>>     -e /home/stack/templates/ironic-config.yaml \
>>     -e /usr/share/openstack-tripleo-heat-templates/environments/external-ceph.yaml \
>>     -e /usr/share/openstack-tripleo-heat-templates/environments/services/ptp.yaml \
>>     -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-tls.yaml \
>>     -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-ip.yaml \
>>     -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/inject-trust-anchor.yaml \
>>     -e /usr/share/openstack-tripleo-heat-templates/environments/docker-ha.yaml \
>>     -e /usr/share/openstack-tripleo-heat-templates/environments/podman.yaml \
>>     -e /home/stack/containers-prepare-parameter.yaml
>>
>> Additional lines, as highlighted in yellow, were passed with modifications:
>> tls-endpoints-public-ip.yaml:
>> Passed as is in the defaults.
>> enable-tls.yaml:
>>
>> # *******************************************************************
>> # This file was created automatically by the sample environment
>> # generator. Developers should use `tox -e genconfig` to update it.
>> # Users are recommended to make changes to a copy of the file instead
>> # of the original, if any customizations are needed.
>> # *******************************************************************
>> # title: Enable SSL on OpenStack Public Endpoints
>> # description: |
>> #   Use this environment to pass in certificates for SSL deployments.
>> #   For these values to take effect, one of the tls-endpoints-*.yaml
>> #   environments must also be used.
>> parameter_defaults:
>>   # Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
>>   # Type: boolean
>>   HorizonSecureCookies: True
>>
>>   # Specifies the default CA cert to use if TLS is used for services in the public network.
>>   # Type: string
>>   PublicTLSCAFile: '/etc/pki/ca-trust/source/anchors/overcloud-cacert.pem'
>>
>>   # The content of the SSL certificate (without Key) in PEM format.
>>   # Type: string
>>   SSLRootCertificate: |
>>     -----BEGIN CERTIFICATE-----
>>     ----*** CERTICATELINES TRIMMED **
>>     -----END CERTIFICATE-----
>>
>>   SSLCertificate: |
>>     -----BEGIN CERTIFICATE-----
>>      ----*** CERTICATELINES TRIMMED **
>>     -----END CERTIFICATE-----
>>   # The content of an SSL intermediate CA certificate in PEM format.
>>   # Type: string
>>   SSLIntermediateCertificate: ''
>>
>>   # The content of the SSL Key in PEM format.
>>   # Type: string
>>   SSLKey: |
>>     -----BEGIN PRIVATE KEY-----
>>      ----*** CERTICATELINES TRIMMED **
>>     -----END PRIVATE KEY-----
>>
>>   # ******************************************************
>>   # Static parameters - these are values that must be
>>   # included in the environment but should not be changed.
>>   # ******************************************************
>>   # The filepath of the certificate as it will be stored in the controller.
>>   # Type: string
>>   DeployedSSLCertificatePath: /etc/pki/tls/private/overcloud_endpoint.pem
>>
>>   # *********************
>>   # End static parameters
>>   # *********************
>>
>> inject-trust-anchor.yaml
>>
>> # *******************************************************************
>> # This file was created automatically by the sample environment
>> # generator. Developers should use `tox -e genconfig` to update it.
>> # Users are recommended to make changes to a copy of the file instead
>> # of the original, if any customizations are needed.
>> # *******************************************************************
>> # title: Inject SSL Trust Anchor on Overcloud Nodes
>> # description: |
>> #   When using an SSL certificate signed by a CA that is not in the default
>> #   list of CAs, this environment allows adding a custom CA certificate to
>> #   the overcloud nodes.
>> parameter_defaults:
>>   # The content of a CA's SSL certificate file in PEM format. This is evaluated on the client side.
>>   # Mandatory. This parameter must be set by the user.
>>   # Type: string
>>   SSLRootCertificate: |
>>     -----BEGIN CERTIFICATE-----
>>    ----*** CERTICATELINES TRIMMED **
>>     -----END CERTIFICATE-----
>>
>> resource_registry:
>>   OS::TripleO::NodeTLSCAData: ../../puppet/extraconfig/tls/ca-inject.yaml
>>
>>
>>
>>
>> The procedure to create such files was followed using:
>> Deploying with SSL — TripleO 3.0.0 documentation (openstack.org)
>> <https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/ssl.html>
>>
>> The idea is to deploy the overcloud with SSL enabled, i.e. a self-signed
>> IP-based certificate, without DNS.
>>
>> Any idea around this error would be of great help.
>>
>> --
>> skype: lokendrarathour
>>
>>
>>