[Triple0 - Wallaby] Overcloud deployment getting failed with SSL

Brendan Shephard bshephar at redhat.com
Sat Jul 9 05:46:00 UTC 2022


Hey,

I personally use DNS names. I updated that documentation, so that is
essentially exactly what I'm using in my environment. I just pasted in
exactly what I have in my files and changed the domain names to example.com.
So what we have in that documentation should work with DNS names.

I also made a video about this:
https://www.youtube.com/watch?v=FmO6n1fUiYU

I believe the only difference when using IP's instead of domain names is
that you can't use the common name (CN) field.

Brendan Shephard

Software Engineer

Red Hat APAC <https://www.redhat.com>

193 N Quay

Brisbane City QLD 4000


On Sat, Jul 9, 2022 at 2:30 PM Lokendra Rathour <lokendrarathour at gmail.com>
wrote:

> Thanks Brandon for your input.
> We have this IP as stated getting allocated.
> Maybe we can pass domain name to get this more predictable.
> But in that case also we would need to do the same way as you suggest ?
> Will try your and Swogat's suggestions.
>
> Best Regards,
> Lokendra
>
> On Sat, 9 Jul 2022, 02:51 Brendan Shephard, <bshephar at redhat.com> wrote:
>
>> Hey,
>>
>> It looks like you have set the dns name on the SSL certificate to
>> overcloud.example.com instead of the IP address. So the SSL cert
>> validation is failing.
>>
>> Caused by SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef'
>> doesn't match 'overcloud.example.com'\",),))
>>
>> Note point number 1 here:
>>
>> https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/ssl.html#certificate-and-public-vip-configuration
>>
>> It's actually worded poorly. I don't believe IP's can be set for the
>> common name, and we need to use subjectAltName instead. See below:
>>
>> So, when you create this file:
>>
>> [req]
>> default_bits = 2048
>> prompt = no
>> default_md = sha256
>> distinguished_name = dn
>>
>> [dn]
>> C=AU
>> ST=Queensland
>> L=Brisbane
>> O=your-org
>> OU=admin
>> emailAddress=me@example.com
>> CN=openstack.example.com
>>
>>
>> Remove the CN= part from that file:
>>
>> [req]
>> default_bits = 2048
>> prompt = no
>> default_md = sha256
>> distinguished_name = dn
>>
>> [dn]
>> C=AU
>> ST=Queensland
>> L=Brisbane
>> O=your-org
>> OU=admin
>> emailAddress=me@example.com
>>
>>
>> Then in the v3.ext file set IP.1=fd00:fd00:fd00:9900::2ef like so:
>>
>> authorityKeyIdentifier=keyid,issuer
>> basicConstraints=CA:FALSE
>> keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
>> subjectAltName = @alt_names
>>
>> [alt_names]
>> IP.1=fd00:fd00:fd00:9900::2ef
>>
>>
>>
>>
>> On Fri, 8 Jul 2022 at 10:31 pm, Swogat Pradhan <swogatpradhan22 at gmail.com>
>> wrote:
>>
>>> What is the domain name you have specified in the undercloud.conf file?
>>> And what is the fqdn name used for the generation of the SSL cert?
>>>
>>> On Fri, 8 Jul 2022, 5:38 pm Lokendra Rathour, <lokendrarathour at gmail.com>
>>> wrote:
>>>
>>>> Hi Team,
>>>> We were trying to install overcloud with SSL enabled for which the UC
>>>> is installed, but OC install is getting failed at step 4:
>>>>
>>>> ERROR
>>>> :nectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max retries
>>>> exceeded with url: / (Caused by SSLError(CertificateError(\"hostname
>>>> 'fd00:fd00:fd00:9900::2ef' doesn't match 'undercloud.com'\",),))\n",
>>>> "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the
>>>> exact error", "rc": 1}
>>>> 2022-07-08 17:03:23.606739 | 5254009a-6a3c-adb1-f96f-0000000072ac |
>>>>  FATAL | Clean up legacy Cinder keystone catalog entries | undercloud |
>>>> item={'service_name': 'cinderv3', 'service_type': 'volume'} |
>>>> error={"ansible_index_var": "cinder_api_service", "ansible_loop_var":
>>>> "item", "changed": false, "cinder_api_service": 1, "item": {"service_name":
>>>> "cinderv3", "service_type": "volume"}, "module_stderr": "Failed to discover
>>>> available identity versions when contacting https://[fd00:fd00:fd00:9900::2ef]:13000.
>>>> Attempting to parse version from URL.\nTraceback (most recent call last):\n
>>>>  File \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line
>>>> 600, in urlopen\n    chunked=chunked)\n  File
>>>> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 343,
>>>> in _make_request\n    self._validate_conn(conn)\n  File
>>>> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 839,
>>>> in _validate_conn\n    conn.connect()\n  File
>>>> \"/usr/lib/python3.6/site-packages/urllib3/connection.py\", line 378, in
>>>> connect\n    _match_hostname(cert, self.assert_hostname or
>>>> server_hostname)\n  File
>>>> \"/usr/lib/python3.6/site-packages/urllib3/connection.py\", line 388, in
>>>> _match_hostname\n    match_hostname(cert, asserted_hostname)\n  File
>>>> \"/usr/lib64/python3.6/ssl.py\", line 291, in match_hostname\n    %
>>>> (hostname, dnsnames[0]))\nssl.CertificateError: hostname
>>>> 'fd00:fd00:fd00:9900::2ef' doesn't match 'undercloud.com'\n\nDuring
>>>> handling of the above exception, another exception occurred:\n\nTraceback
>>>> (most recent call last):\n  File
>>>> \"/usr/lib/python3.6/site-packages/requests/adapters.py\", line 449, in
>>>> send\n    timeout=timeout\n  File
>>>> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 638,
>>>> in urlopen\n    _stacktrace=sys.exc_info()[2])\n  File
>>>> \"/usr/lib/python3.6/site-packages/urllib3/util/retry.py\", line 399, in
>>>> increment\n    raise MaxRetryError(_pool, url, error or
>>>> ResponseError(cause))\nurllib3.exceptions.MaxRetryError:
>>>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>>> retries exceeded with url: / (Caused by
>>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>>> match 'undercloud.com'\",),))\n\nDuring handling of the above
>>>> exception, another exception occurred:\n\nTraceback (most recent call
>>>> last):\n  File
>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1022,
>>>> in _send_request\n    resp = self.session.request(method, url, **kwargs)\n
>>>>  File \"/usr/lib/python3.6/site-packages/requests/sessions.py\", line 533,
>>>> in request\n    resp = self.send(prep, **send_kwargs)\n  File
>>>> \"/usr/lib/python3.6/site-packages/requests/sessions.py\", line 646, in
>>>> send\n    r = adapter.send(request, **kwargs)\n  File
>>>> \"/usr/lib/python3.6/site-packages/requests/adapters.py\", line 514, in
>>>> send\n    raise SSLError(e, request=request)\nrequests.exceptions.SSLError:
>>>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>>> retries exceeded with url: / (Caused by
>>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>>> match 'undercloud.com'\",),))\n\nDuring handling of the above
>>>> exception, another exception occurred:\n\nTraceback (most recent call
>>>> last):\n  File
>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
>>>> line 138, in _do_create_plugin\n    authenticated=False)\n  File
>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>>>> 610, in get_discovery\n    authenticated=authenticated)\n  File
>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 1452,
>>>> in get_discovery\n    disc = Discover(session, url,
>>>> authenticated=authenticated)\n  File
>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 536,
>>>> in __init__\n    authenticated=authenticated)\n  File
>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 102,
>>>> in get_version_data\n    resp = session.get(url, headers=headers,
>>>> authenticated=authenticated)\n  File
>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1141,
>>>> in get\n    return self.request(url, 'GET', **kwargs)\n  File
>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 931, in
>>>> request\n    resp = send(**kwargs)\n  File
>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1026,
>>>> in _send_request\n    raise
>>>> exceptions.SSLError(msg)\nkeystoneauth1.exceptions.connection.SSLError: SSL
>>>> exception connecting to https://[fd00:fd00:fd00:9900::2ef]:13000:
>>>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>>> retries exceeded with url: / (Caused by
>>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>>> match 'undercloud.com'\",),))\n\nDuring handling of the above
>>>> exception, another exception occurred:\n\nTraceback (most recent call
>>>> last):\n  File \"<stdin>\", line 102, in <module>\n  File \"<stdin>\", line
>>>> 94, in _ansiballz_main\n  File \"<stdin>\", line 40, in invoke_module\n
>>>>  File \"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\n
>>>>  return _run_module_code(code, init_globals, run_name, mod_spec)\n  File
>>>> \"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\n
>>>>  mod_name, mod_spec, pkg_name, script_name)\n  File
>>>> \"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\n    exec(code,
>>>> run_globals)\n  File
>>>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
>>>> line 185, in <module>\n  File
>>>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
>>>> line 181, in main\n  File
>>>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/module_utils/openstack.py\",
>>>> line 407, in __call__\n  File
>>>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
>>>> line 141, in run\n  File
>>>> \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\", line
>>>> 517, in search_services\n    services = self.list_services()\n  File
>>>> \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\", line
>>>> 492, in list_services\n    if self._is_client_version('identity', 2):\n
>>>>  File
>>>> \"/usr/lib/python3.6/site-packages/openstack/cloud/openstackcloud.py\",
>>>> line 460, in _is_client_version\n    client = getattr(self, client_name)\n
>>>>  File \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\",
>>>> line 32, in _identity_client\n    'identity', min_version=2,
>>>> max_version='3.latest')\n  File
>>>> \"/usr/lib/python3.6/site-packages/openstack/cloud/openstackcloud.py\",
>>>> line 407, in _get_versioned_client\n    if adapter.get_endpoint():\n  File
>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/adapter.py\", line 291, in
>>>> get_endpoint\n    return self.session.get_endpoint(auth or self.auth,
>>>> **kwargs)\n  File
>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1243,
>>>> in get_endpoint\n    return auth.get_endpoint(self, **kwargs)\n  File
>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>>>> 380, in get_endpoint\n    allow_version_hack=allow_version_hack,
>>>> **kwargs)\n  File
>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>>>> 271, in get_endpoint_data\n    service_catalog =
>>>> self.get_access(session).service_catalog\n  File
>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>>>> 134, in get_access\n    self.auth_ref = self.get_auth_ref(session)\n  File
>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
>>>> line 206, in get_auth_ref\n    self._plugin =
>>>> self._do_create_plugin(session)\n  File
>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
>>>> line 161, in _do_create_plugin\n    'auth_url is correct. %s' %
>>>> e)\nkeystoneauth1.exceptions.discovery.DiscoveryFailure: Could not find
>>>> versioned identity endpoints when attempting to authenticate. Please check
>>>> that your auth_url is correct. SSL exception connecting to https://[fd00:fd00:fd00:9900::2ef]:13000:
>>>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>>> retries exceeded with url: / (Caused by
>>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>>> match 'overcloud.example.com'\",),))\n", "module_stdout": "", "msg":
>>>> "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
>>>> 2022-07-08 17:03:23.609354 | 5254009a-6a3c-adb1-f96f-0000000072ac |
>>>> TIMING | Clean up legacy Cinder keystone catalog entries | undercloud |
>>>> 0:11:01.271914 | 2.47s
>>>> 2022-07-08 17:03:23.611094 | 5254009a-6a3c-adb1-f96f-0000000072ac |
>>>> TIMING | Clean up legacy Cinder keystone catalog entries | undercloud |
>>>> 0:11:01.273659 | 2.47s
>>>>
>>>> PLAY RECAP
>>>> *********************************************************************
>>>> localhost                  : ok=0    changed=0    unreachable=0
>>>>  failed=0    skipped=2    rescued=0    ignored=0
>>>> overcloud-controller-0     : ok=437  changed=104  unreachable=0
>>>>  failed=0    skipped=214  rescued=0    ignored=0
>>>> overcloud-controller-1     : ok=436  changed=101  unreachable=0
>>>>  failed=0    skipped=214  rescued=0    ignored=0
>>>> overcloud-controller-2     : ok=431  changed=101  unreachable=0
>>>>  failed=0    skipped=214  rescued=0    ignored=0
>>>> overcloud-novacompute-0    : ok=345  changed=83   unreachable=0
>>>>  failed=0    skipped=198  rescued=0    ignored=0
>>>> undercloud                 : ok=28   changed=7    unreachable=0
>>>>  failed=1    skipped=3    rescued=0    ignored=0
>>>> 2022-07-08 17:03:23.647270 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Summary
>>>> Information ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>> 2022-07-08 17:03:23.647907 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Total
>>>> Tasks: 1373       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>
>>>>
>>>> in the deploy.sh:
>>>>
>>>> openstack overcloud deploy --templates \
>>>>     -r /home/stack/templates/roles_data.yaml \
>>>>     --networks-file /home/stack/templates/custom_network_data.yaml \
>>>>     --vip-file  /home/stack/templates/custom_vip_data.yaml \
>>>>     --baremetal-deployment
>>>>  /home/stack/templates/overcloud-baremetal-deploy.yaml \
>>>>     --network-config \
>>>>     -e /home/stack/templates/environment.yaml \
>>>>     -e
>>>> /usr/share/openstack-tripleo-heat-templates/environments/services/ironic-conductor.yaml
>>>> \
>>>>     -e
>>>> /usr/share/openstack-tripleo-heat-templates/environments/services/ironic-inspector.yaml
>>>> \
>>>>     -e
>>>> /usr/share/openstack-tripleo-heat-templates/environments/services/ironic-overcloud.yaml
>>>> \
>>>>     -e /home/stack/templates/ironic-config.yaml \
>>>>     -e
>>>> /usr/share/openstack-tripleo-heat-templates/environments/external-ceph.yaml
>>>> \
>>>>     -e
>>>> /usr/share/openstack-tripleo-heat-templates/environments/services/ptp.yaml \
>>>>     -e
>>>> /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-tls.yaml
>>>> \
>>>>     -e
>>>> /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-ip.yaml
>>>> \
>>>>     -e
>>>> /usr/share/openstack-tripleo-heat-templates/environments/ssl/inject-trust-anchor.yaml
>>>> \
>>>>     -e
>>>> /usr/share/openstack-tripleo-heat-templates/environments/docker-ha.yaml \
>>>>     -e
>>>> /usr/share/openstack-tripleo-heat-templates/environments/podman.yaml \
>>>>     -e /home/stack/containers-prepare-parameter.yaml
>>>>
>>>> Additional lines, as highlighted in yellow, were passed with modifications:
>>>> tls-endpoints-public-ip.yaml:
>>>> Passed as is in the defaults.
>>>> enable-tls.yaml:
>>>>
>>>> # *******************************************************************
>>>> # This file was created automatically by the sample environment
>>>> # generator. Developers should use `tox -e genconfig` to update it.
>>>> # Users are recommended to make changes to a copy of the file instead
>>>> # of the original, if any customizations are needed.
>>>> # *******************************************************************
>>>> # title: Enable SSL on OpenStack Public Endpoints
>>>> # description: |
>>>> #   Use this environment to pass in certificates for SSL deployments.
>>>> #   For these values to take effect, one of the tls-endpoints-*.yaml
>>>> #   environments must also be used.
>>>> parameter_defaults:
>>>>   # Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
>>>>   # Type: boolean
>>>>   HorizonSecureCookies: True
>>>>
>>>>   # Specifies the default CA cert to use if TLS is used for services in
>>>> the public network.
>>>>   # Type: string
>>>>   PublicTLSCAFile:
>>>> '/etc/pki/ca-trust/source/anchors/overcloud-cacert.pem'
>>>>
>>>>   # The content of the SSL certificate (without Key) in PEM format.
>>>>   # Type: string
>>>>   SSLRootCertificate: |
>>>>     -----BEGIN CERTIFICATE-----
>>>>     ----*** CERTICATELINES TRIMMED **
>>>>     -----END CERTIFICATE-----
>>>>
>>>>   SSLCertificate: |
>>>>     -----BEGIN CERTIFICATE-----
>>>>      ----*** CERTICATELINES TRIMMED **
>>>>     -----END CERTIFICATE-----
>>>>   # The content of an SSL intermediate CA certificate in PEM format.
>>>>   # Type: string
>>>>   SSLIntermediateCertificate: ''
>>>>
>>>>   # The content of the SSL Key in PEM format.
>>>>   # Type: string
>>>>   SSLKey: |
>>>>     -----BEGIN PRIVATE KEY-----
>>>>      ----*** CERTICATELINES TRIMMED **
>>>>     -----END PRIVATE KEY-----
>>>>
>>>>   # ******************************************************
>>>>   # Static parameters - these are values that must be
>>>>   # included in the environment but should not be changed.
>>>>   # ******************************************************
>>>>   # The filepath of the certificate as it will be stored in the
>>>> controller.
>>>>   # Type: string
>>>>   DeployedSSLCertificatePath:
>>>> /etc/pki/tls/private/overcloud_endpoint.pem
>>>>
>>>>   # *********************
>>>>   # End static parameters
>>>>   # *********************
>>>>
>>>> inject-trust-anchor.yaml
>>>>
>>>> # *******************************************************************
>>>> # This file was created automatically by the sample environment
>>>> # generator. Developers should use `tox -e genconfig` to update it.
>>>> # Users are recommended to make changes to a copy of the file instead
>>>> # of the original, if any customizations are needed.
>>>> # *******************************************************************
>>>> # title: Inject SSL Trust Anchor on Overcloud Nodes
>>>> # description: |
>>>> #   When using an SSL certificate signed by a CA that is not in the
>>>> default
>>>> #   list of CAs, this environment allows adding a custom CA certificate
>>>> to
>>>> #   the overcloud nodes.
>>>> parameter_defaults:
>>>>   # The content of a CA's SSL certificate file in PEM format. This is
>>>> evaluated on the client side.
>>>>   # Mandatory. This parameter must be set by the user.
>>>>   # Type: string
>>>>   SSLRootCertificate: |
>>>>     -----BEGIN CERTIFICATE-----
>>>>    ----*** CERTICATELINES TRIMMED **
>>>>     -----END CERTIFICATE-----
>>>>
>>>> resource_registry:
>>>>   OS::TripleO::NodeTLSCAData:
>>>> ../../puppet/extraconfig/tls/ca-inject.yaml
>>>>
>>>>
>>>>
>>>>
>>>> The procedure to create such files was followed using:
>>>> Deploying with SSL — TripleO 3.0.0 documentation (openstack.org)
>>>> <https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/ssl.html>
>>>>
>>>> Idea is to deploy overcloud with SSL enabled, i.e. self-signed IP-based
>>>> certificate, without DNS.
>>>>
>>>> Any idea around this error would be of great help.
>>>>
>>>> --
>>>> skype: lokendrarathour
>>>>
>>>>
>>>>
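The hostname-matching rule behind the error in this thread, as an added example (not code from the thread, from TripleO or from Python's ssl module): a client that dials an IP literal taken from the auth_url only accepts an 'IP Address' subjectAltName entry, so a certificate whose only identity is CN=overcloud.example.com fails just as the traceback shows, while one carrying IP.1 in subjectAltName passes. Certificate inputs are constructed dicts shaped like `ssl.SSLSocket.getpeercert()` output; the check is a simplified reimplementation (exact DNS matching, no wildcards).

```python
"""Hostname-matching rule behind the error in this thread, as a pre-flight check.
An IP literal matches only an 'IP Address' subjectAltName entry; a DNS name
matches 'DNS' SAN entries, and the subject CN is consulted only when the
certificate carries no SAN at all.  Certificates are dicts shaped like
ssl.SSLSocket.getpeercert() output (constructed here, not read from a file)."""
import ipaddress
from urllib.parse import urlsplit

def endpoint_host(url):
    """Host of a keystone-style auth_url; brackets round an IPv6 literal are stripped."""
    return urlsplit(url).hostname

def cert_identities(cert):
    """Split a getpeercert()-style dict into (ip_sans, dns_sans, common_names)."""
    ip_sans, dns_sans = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "IP Address":
            ip_sans.append(ipaddress.ip_address(value))  # normalises IPv6 spelling
        elif kind == "DNS":
            dns_sans.append(value.lower())
    cns = [v.lower() for rdn in cert.get("subject", ())
           for key, v in rdn if key == "commonName"]
    return ip_sans, dns_sans, cns

def matches_endpoint(cert, host):
    """Return (ok, reason); ok is True when `cert` is valid for `host`.
    Exact DNS matching only: wildcard SAN entries are not handled."""
    ip_sans, dns_sans, cns = cert_identities(cert)
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        host_ip = None
    if host_ip is not None:  # IP literal: only IP Address SAN entries count
        if host_ip in ip_sans:
            return True, "matched IP Address SAN %s" % host_ip
        return False, ("hostname %r doesn't match any IP Address SAN; DNS/CN "
                       "identities %s are ignored for IP literals" % (host, dns_sans + cns))
    name = host.lower()
    if dns_sans or ip_sans:  # SAN present: the CN is not consulted
        if name in dns_sans:
            return True, "matched DNS SAN %s" % name
        return False, "hostname %r doesn't match DNS SANs %s" % (host, dns_sans)
    if name in cns:  # no SAN at all: legacy CN fallback
        return True, "matched subject CN %s (no SAN present)" % name
    return False, "hostname %r doesn't match CN %s" % (host, cns)

# Constructed certificates for the two situations in the thread.
CN_ONLY_CERT = {"subject": ((("countryName", "AU"),),
                            (("commonName", "overcloud.example.com"),))}
IP_SAN_CERT = {"subject": ((("countryName", "AU"),),),
               "subjectAltName": (("IP Address", "fd00:fd00:fd00:9900::2ef"),)}
AUTH_URL = "https://[fd00:fd00:fd00:9900::2ef]:13000"

if __name__ == "__main__":
    host = endpoint_host(AUTH_URL)
    for label, cert in (("CN-only cert", CN_ONLY_CERT), ("IP SAN cert", IP_SAN_CERT)):
        ok, why = matches_endpoint(cert, host)
        print("%-12s %s  %s" % (label, "OK" if ok else "FAIL", why))
```

Run against the two constructed certificates it reports the CN-only certificate as a mismatch for the IPv6 endpoint and the IP-SAN certificate as a match, including when the address is written in its expanded form.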