[Triple0 - Wallaby] Overcloud deployment getting failed with SSL

Lokendra Rathour lokendrarathour at gmail.com
Sat Jul 9 04:29:41 UTC 2022


Thanks Brandon for your input.
We have this IP as stated getting allocated.
Maybe we can pass domain name to get this more predictable.
But in that case also we would need to do the same way as you suggest ?
Will try your and Swogat's suggestions.

Best Regards,
Lokendra

On Sat, 9 Jul 2022, 02:51 Brendan Shephard, <bshephar at redhat.com> wrote:

> Hey,
>
> It looks like you have set the dns name on the SSL certificate to
> overcloud.example.com instead of the IP address. So the SSL cert
> validation is failing.
>
> Caused by SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef'
> doesn't match 'overcloud.example.com'\",),))
>
> Note point number 1 here:
>
> https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/ssl.html#certificate-and-public-vip-configuration
>
> It's actually worded poorly. I don't believe IP's can be set for the
> common name, and we need to use subjectAltName instead. See below:
>
> So, when you create this file:
>
> [req]default_bits = 2048prompt = nodefault_md = sha256distinguished_name = dn[dn]C=AUST=QueenslandL=BrisbaneO=your-orgOU=adminemailAddress=me at example.comCN=openstack.example.com
>
>
> Remove the CN= part from that file:
>
> [req]default_bits = 2048prompt = nodefault_md = sha256distinguished_name = dn[dn]C=AUST=QueenslandL=BrisbaneO=your-orgOU=adminemailAddress=me at example.com
>
>
> Then in the v3.ext file set IP.1=fd00:fd00:fd00:9900::2ef like so:
>
> authorityKeyIdentifier=keyid,issuerbasicConstraints=CA:FALSEkeyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEnciphermentsubjectAltName = @alt_names[alt_names]IP.1=fd00:fd00:fd00:9900::2ef
>
>
>
>
> On Fri, 8 Jul 2022 at 10:31 pm, Swogat Pradhan <swogatpradhan22 at gmail.com>
> wrote:
>
>> What is the domain name you have specified in the undercloud.conf file?
>> And what is the fqdn name used for the generation of the SSL cert?
>>
>> On Fri, 8 Jul 2022, 5:38 pm Lokendra Rathour, <lokendrarathour at gmail.com>
>> wrote:
>>
>>> Hi Team,
>>> We were trying to install overcloud with SSL enabled for which the UC is
>>> installed, but OC install is getting failed at step 4:
>>>
>>> ERROR
>>> :nectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max retries
>>> exceeded with url: / (Caused by SSLError(CertificateError(\"hostname
>>> 'fd00:fd00:fd00:9900::2ef' doesn't match 'undercloud.com'\",),))\n",
>>> "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the
>>> exact error", "rc": 1}
>>> 2022-07-08 17:03:23.606739 | 5254009a-6a3c-adb1-f96f-0000000072ac |
>>>  FATAL | Clean up legacy Cinder keystone catalog entries | undercloud |
>>> item={'service_name': 'cinderv3', 'service_type': 'volume'} |
>>> error={"ansible_index_var": "cinder_api_service", "ansible_loop_var":
>>> "item", "changed": false, "cinder_api_service": 1, "item": {"service_name":
>>> "cinderv3", "service_type": "volume"}, "module_stderr": "Failed to discover
>>> available identity versions when contacting https://[fd00:fd00:fd00:9900::2ef]:13000.
>>> Attempting to parse version from URL.\nTraceback (most recent call last):\n
>>>  File \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line
>>> 600, in urlopen\n    chunked=chunked)\n  File
>>> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 343,
>>> in _make_request\n    self._validate_conn(conn)\n  File
>>> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 839,
>>> in _validate_conn\n    conn.connect()\n  File
>>> \"/usr/lib/python3.6/site-packages/urllib3/connection.py\", line 378, in
>>> connect\n    _match_hostname(cert, self.assert_hostname or
>>> server_hostname)\n  File
>>> \"/usr/lib/python3.6/site-packages/urllib3/connection.py\", line 388, in
>>> _match_hostname\n    match_hostname(cert, asserted_hostname)\n  File
>>> \"/usr/lib64/python3.6/ssl.py\", line 291, in match_hostname\n    %
>>> (hostname, dnsnames[0]))\nssl.CertificateError: hostname
>>> 'fd00:fd00:fd00:9900::2ef' doesn't match 'undercloud.com'\n\nDuring
>>> handling of the above exception, another exception occurred:\n\nTraceback
>>> (most recent call last):\n  File
>>> \"/usr/lib/python3.6/site-packages/requests/adapters.py\", line 449, in
>>> send\n    timeout=timeout\n  File
>>> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 638,
>>> in urlopen\n    _stacktrace=sys.exc_info()[2])\n  File
>>> \"/usr/lib/python3.6/site-packages/urllib3/util/retry.py\", line 399, in
>>> increment\n    raise MaxRetryError(_pool, url, error or
>>> ResponseError(cause))\nurllib3.exceptions.MaxRetryError:
>>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>> retries exceeded with url: / (Caused by
>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>> match 'undercloud.com'\",),))\n\nDuring handling of the above
>>> exception, another exception occurred:\n\nTraceback (most recent call
>>> last):\n  File
>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1022,
>>> in _send_request\n    resp = self.session.request(method, url, **kwargs)\n
>>>  File \"/usr/lib/python3.6/site-packages/requests/sessions.py\", line 533,
>>> in request\n    resp = self.send(prep, **send_kwargs)\n  File
>>> \"/usr/lib/python3.6/site-packages/requests/sessions.py\", line 646, in
>>> send\n    r = adapter.send(request, **kwargs)\n  File
>>> \"/usr/lib/python3.6/site-packages/requests/adapters.py\", line 514, in
>>> send\n    raise SSLError(e, request=request)\nrequests.exceptions.SSLError:
>>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>> retries exceeded with url: / (Caused by
>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>> match 'undercloud.com'\",),))\n\nDuring handling of the above
>>> exception, another exception occurred:\n\nTraceback (most recent call
>>> last):\n  File
>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
>>> line 138, in _do_create_plugin\n    authenticated=False)\n  File
>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>>> 610, in get_discovery\n    authenticated=authenticated)\n  File
>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 1452,
>>> in get_discovery\n    disc = Discover(session, url,
>>> authenticated=authenticated)\n  File
>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 536,
>>> in __init__\n    authenticated=authenticated)\n  File
>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 102,
>>> in get_version_data\n    resp = session.get(url, headers=headers,
>>> authenticated=authenticated)\n  File
>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1141,
>>> in get\n    return self.request(url, 'GET', **kwargs)\n  File
>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 931, in
>>> request\n    resp = send(**kwargs)\n  File
>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1026,
>>> in _send_request\n    raise
>>> exceptions.SSLError(msg)\nkeystoneauth1.exceptions.connection.SSLError: SSL
>>> exception connecting to https://[fd00:fd00:fd00:9900::2ef]:13000:
>>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>> retries exceeded with url: / (Caused by
>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>> match 'undercloud.com'\",),))\n\nDuring handling of the above
>>> exception, another exception occurred:\n\nTraceback (most recent call
>>> last):\n  File \"<stdin>\", line 102, in <module>\n  File \"<stdin>\", line
>>> 94, in _ansiballz_main\n  File \"<stdin>\", line 40, in invoke_module\n
>>>  File \"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\n
>>>  return _run_module_code(code, init_globals, run_name, mod_spec)\n  File
>>> \"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\n
>>>  mod_name, mod_spec, pkg_name, script_name)\n  File
>>> \"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\n    exec(code,
>>> run_globals)\n  File
>>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
>>> line 185, in <module>\n  File
>>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
>>> line 181, in main\n  File
>>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/module_utils/openstack.py\",
>>> line 407, in __call__\n  File
>>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
>>> line 141, in run\n  File
>>> \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\", line
>>> 517, in search_services\n    services = self.list_services()\n  File
>>> \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\", line
>>> 492, in list_services\n    if self._is_client_version('identity', 2):\n
>>>  File
>>> \"/usr/lib/python3.6/site-packages/openstack/cloud/openstackcloud.py\",
>>> line 460, in _is_client_version\n    client = getattr(self, client_name)\n
>>>  File \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\",
>>> line 32, in _identity_client\n    'identity', min_version=2,
>>> max_version='3.latest')\n  File
>>> \"/usr/lib/python3.6/site-packages/openstack/cloud/openstackcloud.py\",
>>> line 407, in _get_versioned_client\n    if adapter.get_endpoint():\n  File
>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/adapter.py\", line 291, in
>>> get_endpoint\n    return self.session.get_endpoint(auth or self.auth,
>>> **kwargs)\n  File
>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1243,
>>> in get_endpoint\n    return auth.get_endpoint(self, **kwargs)\n  File
>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>>> 380, in get_endpoint\n    allow_version_hack=allow_version_hack,
>>> **kwargs)\n  File
>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>>> 271, in get_endpoint_data\n    service_catalog =
>>> self.get_access(session).service_catalog\n  File
>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>>> 134, in get_access\n    self.auth_ref = self.get_auth_ref(session)\n  File
>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
>>> line 206, in get_auth_ref\n    self._plugin =
>>> self._do_create_plugin(session)\n  File
>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
>>> line 161, in _do_create_plugin\n    'auth_url is correct. %s' %
>>> e)\nkeystoneauth1.exceptions.discovery.DiscoveryFailure: Could not find
>>> versioned identity endpoints when attempting to authenticate. Please check
>>> that your auth_url is correct. SSL exception connecting to https://[fd00:fd00:fd00:9900::2ef]:13000:
>>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>> retries exceeded with url: / (Caused by
>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>> match 'overcloud.example.com'\",),))\n", "module_stdout": "", "msg":
>>> "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
>>> 2022-07-08 17:03:23.609354 | 5254009a-6a3c-adb1-f96f-0000000072ac |
>>> TIMING | Clean up legacy Cinder keystone catalog entries | undercloud |
>>> 0:11:01.271914 | 2.47s
>>> 2022-07-08 17:03:23.611094 | 5254009a-6a3c-adb1-f96f-0000000072ac |
>>> TIMING | Clean up legacy Cinder keystone catalog entries | undercloud |
>>> 0:11:01.273659 | 2.47s
>>>
>>> PLAY RECAP
>>> *********************************************************************
>>> localhost                  : ok=0    changed=0    unreachable=0
>>>  failed=0    skipped=2    rescued=0    ignored=0
>>> overcloud-controller-0     : ok=437  changed=104  unreachable=0
>>>  failed=0    skipped=214  rescued=0    ignored=0
>>> overcloud-controller-1     : ok=436  changed=101  unreachable=0
>>>  failed=0    skipped=214  rescued=0    ignored=0
>>> overcloud-controller-2     : ok=431  changed=101  unreachable=0
>>>  failed=0    skipped=214  rescued=0    ignored=0
>>> overcloud-novacompute-0    : ok=345  changed=83   unreachable=0
>>>  failed=0    skipped=198  rescued=0    ignored=0
>>> undercloud                 : ok=28   changed=7    unreachable=0
>>>  failed=1    skipped=3    rescued=0    ignored=0
>>> 2022-07-08 17:03:23.647270 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Summary
>>> Information ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>> 2022-07-08 17:03:23.647907 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Total
>>> Tasks: 1373       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>
>>>
>>> in the deploy.sh:
>>>
>>> openstack overcloud deploy --templates \
>>>     -r /home/stack/templates/roles_data.yaml \
>>>     --networks-file /home/stack/templates/custom_network_data.yaml \
>>>     --vip-file  /home/stack/templates/custom_vip_data.yaml \
>>>     --baremetal-deployment
>>>  /home/stack/templates/overcloud-baremetal-deploy.yaml \
>>>     --network-config \
>>>     -e /home/stack/templates/environment.yaml \
>>>     -e
>>> /usr/share/openstack-tripleo-heat-templates/environments/services/ironic-conductor.yaml
>>> \
>>>     -e
>>> /usr/share/openstack-tripleo-heat-templates/environments/services/ironic-inspector.yaml
>>> \
>>>     -e
>>> /usr/share/openstack-tripleo-heat-templates/environments/services/ironic-overcloud.yaml
>>> \
>>>     -e /home/stack/templates/ironic-config.yaml \
>>>     -e
>>> /usr/share/openstack-tripleo-heat-templates/environments/external-ceph.yaml
>>> \
>>>     -e
>>> /usr/share/openstack-tripleo-heat-templates/environments/services/ptp.yaml \
>>>     -e
>>> /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-tls.yaml
>>> \
>>>     -e
>>> /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-ip.yaml
>>> \
>>>     -e
>>> /usr/share/openstack-tripleo-heat-templates/environments/ssl/inject-trust-anchor.yaml
>>> \
>>>     -e
>>> /usr/share/openstack-tripleo-heat-templates/environments/docker-ha.yaml \
>>>     -e
>>> /usr/share/openstack-tripleo-heat-templates/environments/podman.yaml \
>>>     -e /home/stack/containers-prepare-parameter.yaml
>>>
>>> Addition lines as highlighted in yellow were passed with modifications:
>>> tls-endpoints-public-ip.yaml:
>>> Passed as is in the defaults.
>>> enable-tls.yaml:
>>>
>>> # *******************************************************************
>>> # This file was created automatically by the sample environment
>>> # generator. Developers should use `tox -e genconfig` to update it.
>>> # Users are recommended to make changes to a copy of the file instead
>>> # of the original, if any customizations are needed.
>>> # *******************************************************************
>>> # title: Enable SSL on OpenStack Public Endpoints
>>> # description: |
>>> #   Use this environment to pass in certificates for SSL deployments.
>>> #   For these values to take effect, one of the tls-endpoints-*.yaml
>>> #   environments must also be used.
>>> parameter_defaults:
>>>   # Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
>>>   # Type: boolean
>>>   HorizonSecureCookies: True
>>>
>>>   # Specifies the default CA cert to use if TLS is used for services in
>>> the public network.
>>>   # Type: string
>>>   PublicTLSCAFile:
>>> '/etc/pki/ca-trust/source/anchors/overcloud-cacert.pem'
>>>
>>>   # The content of the SSL certificate (without Key) in PEM format.
>>>   # Type: string
>>>   SSLRootCertificate: |
>>>     -----BEGIN CERTIFICATE-----
>>>     ----*** CERTICATELINES TRIMMED **
>>>     -----END CERTIFICATE-----
>>>
>>>   SSLCertificate: |
>>>     -----BEGIN CERTIFICATE-----
>>>      ----*** CERTICATELINES TRIMMED **
>>>     -----END CERTIFICATE-----
>>>   # The content of an SSL intermediate CA certificate in PEM format.
>>>   # Type: string
>>>   SSLIntermediateCertificate: ''
>>>
>>>   # The content of the SSL Key in PEM format.
>>>   # Type: string
>>>   SSLKey: |
>>>     -----BEGIN PRIVATE KEY-----
>>>      ----*** CERTICATELINES TRIMMED **
>>>     -----END PRIVATE KEY-----
>>>
>>>   # ******************************************************
>>>   # Static parameters - these are values that must be
>>>   # included in the environment but should not be changed.
>>>   # ******************************************************
>>>   # The filepath of the certificate as it will be stored in the
>>> controller.
>>>   # Type: string
>>>   DeployedSSLCertificatePath: /etc/pki/tls/private/overcloud_endpoint.pem
>>>
>>>   # *********************
>>>   # End static parameters
>>>   # *********************
>>>
>>> inject-trust-anchor.yaml
>>>
>>> # *******************************************************************
>>> # This file was created automatically by the sample environment
>>> # generator. Developers should use `tox -e genconfig` to update it.
>>> # Users are recommended to make changes to a copy of the file instead
>>> # of the original, if any customizations are needed.
>>> # *******************************************************************
>>> # title: Inject SSL Trust Anchor on Overcloud Nodes
>>> # description: |
>>> #   When using an SSL certificate signed by a CA that is not in the
>>> default
>>> #   list of CAs, this environment allows adding a custom CA certificate
>>> to
>>> #   the overcloud nodes.
>>> parameter_defaults:
>>>   # The content of a CA's SSL certificate file in PEM format. This is
>>> evaluated on the client side.
>>>   # Mandatory. This parameter must be set by the user.
>>>   # Type: string
>>>   SSLRootCertificate: |
>>>     -----BEGIN CERTIFICATE-----
>>>    ----*** CERTICATELINES TRIMMED **
>>>     -----END CERTIFICATE-----
>>>
>>> resource_registry:
>>>   OS::TripleO::NodeTLSCAData: ../../puppet/extraconfig/tls/ca-inject.yaml
>>>
>>>
>>>
>>>
>>> The procedure to create such files was followed using:
>>> Deploying with SSL — TripleO 3.0.0 documentation (openstack.org)
>>> <https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/ssl.html>
>>>
>>> Idea is to deploy overcloud with SSL enabled i.e* Self-signed IP-based
>>> certificate, without DNS. *
>>>
>>> Any idea around this error would be of great help.
>>>
>>> --
>>> skype: lokendrarathour
>>>
>>>
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.openstack.org/pipermail/openstack-discuss/attachments/20220709/1a7c58f4/attachment-0001.htm>


More information about the openstack-discuss mailing list