[Triple0 - Wallaby] Overcloud deployment getting failed with SSL

Vikarna Tathe vikarnatathe at gmail.com
Thu Jul 14 03:19:11 UTC 2022


Hi Lokendra,

The CN field is missing. Can you add that and generate the certificate
again?

CN=ipaddress

Also add dns.1=ipaddress under alt_names for precaution.

Vikarna

On Wed, 13 Jul, 2022, 23:02 Lokendra Rathour, <lokendrarathour at gmail.com>
wrote:

> Hi Vikarna,
> Thanks for the inputs.
> I am not able to access any tabs in GUI.
> [image: image.png]
>
> to re-state, we are failing at the time of deployment at step4 :
>
>
> PLAY [External deployment step 4]
> **********************************************
> 2022-07-13 21:35:22.505148 | 525400ae-089b-870a-fab6-0000000000d7 |
> TASK | External deployment step 4
> 2022-07-13 21:35:22.534899 | 525400ae-089b-870a-fab6-0000000000d7 |
>   OK | External deployment step 4 | undercloud -> localhost | result={
>     "changed": false,
>     "msg": "Use --start-at-task 'External deployment step 4' to resume
> from this task"
> }
> [WARNING]: ('undercloud -> localhost',
> '525400ae-089b-870a-fab6-0000000000d7')
> missing from stats
> 2022-07-13 21:35:22.591268 | 525400ae-089b-870a-fab6-0000000000d8 |
> TIMING | include_tasks | undercloud | 0:11:21.683453 | 0.04s
> 2022-07-13 21:35:22.605901 | f29c4b58-75a5-4993-97b8-3921a49d79d7 |
> INCLUDED |
> /home/stack/overcloud-deploy/overcloud/config-download/overcloud/external_deploy_steps_tasks_step4.yaml
> | undercloud
> 2022-07-13 21:35:22.627112 | 525400ae-089b-870a-fab6-000000007239 |
> TASK | Clean up legacy Cinder keystone catalog entries
> 2022-07-13 21:35:25.110635 | 525400ae-089b-870a-fab6-000000007239 |
>   OK | Clean up legacy Cinder keystone catalog entries | undercloud |
> item={'service_name': 'cinderv2', 'service_type': 'volumev2'}
> 2022-07-13 21:35:25.112368 | 525400ae-089b-870a-fab6-000000007239 |
> TIMING | Clean up legacy Cinder keystone catalog entries | undercloud |
> 0:11:24.204562 | 2.48s
> 2022-07-13 21:35:27.029270 | 525400ae-089b-870a-fab6-000000007239 |
>   OK | Clean up legacy Cinder keystone catalog entries | undercloud |
> item={'service_name': 'cinderv3', 'service_type': 'volume'}
> 2022-07-13 21:35:27.030383 | 525400ae-089b-870a-fab6-000000007239 |
> TIMING | Clean up legacy Cinder keystone catalog entries | undercloud |
> 0:11:26.122584 | 4.40s
> 2022-07-13 21:35:27.032091 | 525400ae-089b-870a-fab6-000000007239 |
> TIMING | Clean up legacy Cinder keystone catalog entries | undercloud |
> 0:11:26.124296 | 4.40s
> 2022-07-13 21:35:27.047913 | 525400ae-089b-870a-fab6-00000000723c |
> TASK | Manage Keystone resources for OpenStack services
> 2022-07-13 21:35:27.077672 | 525400ae-089b-870a-fab6-00000000723c |
> TIMING | Manage Keystone resources for OpenStack services | undercloud |
> 0:11:26.169842 | 0.03s
> 2022-07-13 21:35:27.120270 | 525400ae-089b-870a-fab6-00000000726b |
> TASK | Gather variables for each operating system
> 2022-07-13 21:35:27.161225 | 525400ae-089b-870a-fab6-00000000726b |
> TIMING | tripleo_keystone_resources : Gather variables for each operating
> system | undercloud | 0:11:26.253383 | 0.04s
> 2022-07-13 21:35:27.177798 | 525400ae-089b-870a-fab6-00000000726c |
> TASK | Create Keystone Admin resources
> 2022-07-13 21:35:27.207430 | 525400ae-089b-870a-fab6-00000000726c |
> TIMING | tripleo_keystone_resources : Create Keystone Admin resources |
> undercloud | 0:11:26.299608 | 0.03s
> 2022-07-13 21:35:27.230985 | 46e05e2d-2e9c-467b-ac4f-c5f0bc7286b3 |
> INCLUDED |
> /usr/share/ansible/roles/tripleo_keystone_resources/tasks/admin.yml |
> undercloud
> 2022-07-13 21:35:27.256076 | 525400ae-089b-870a-fab6-0000000072ad |
> TASK | Create default domain
> 2022-07-13 21:35:29.343399 | 525400ae-089b-870a-fab6-0000000072ad |
>   OK | Create default domain | undercloud
> 2022-07-13 21:35:29.345172 | 525400ae-089b-870a-fab6-0000000072ad |
> TIMING | tripleo_keystone_resources : Create default domain | undercloud |
> 0:11:28.437360 | 2.09s
> 2022-07-13 21:35:29.361643 | 525400ae-089b-870a-fab6-0000000072ae |
> TASK | Create admin and service projects
> 2022-07-13 21:35:29.391295 | 525400ae-089b-870a-fab6-0000000072ae |
> TIMING | tripleo_keystone_resources : Create admin and service projects |
> undercloud | 0:11:28.483468 | 0.03s
> 2022-07-13 21:35:29.402539 | af7a4a76-4998-4679-ac6f-58acc0867554 |
> INCLUDED |
> /usr/share/ansible/roles/tripleo_keystone_resources/tasks/projects.yml |
> undercloud
> 2022-07-13 21:35:29.428918 | 525400ae-089b-870a-fab6-000000007304 |
> TASK | Async creation of Keystone project
> 2022-07-13 21:35:30.144295 | 525400ae-089b-870a-fab6-000000007304 |
>  CHANGED | Async creation of Keystone project | undercloud | item=admin
> 2022-07-13 21:35:30.145884 | 525400ae-089b-870a-fab6-000000007304 |
> TIMING | tripleo_keystone_resources : Async creation of Keystone project |
> undercloud | 0:11:29.238078 | 0.72s
> 2022-07-13 21:35:30.493458 | 525400ae-089b-870a-fab6-000000007304 |
>  CHANGED | Async creation of Keystone project | undercloud | item=service
> 2022-07-13 21:35:30.494386 | 525400ae-089b-870a-fab6-000000007304 |
> TIMING | tripleo_keystone_resources : Async creation of Keystone project |
> undercloud | 0:11:29.586587 | 1.06s
> 2022-07-13 21:35:30.495729 | 525400ae-089b-870a-fab6-000000007304 |
> TIMING | tripleo_keystone_resources : Async creation of Keystone project |
> undercloud | 0:11:29.587916 | 1.07s
> 2022-07-13 21:35:30.511748 | 525400ae-089b-870a-fab6-000000007306 |
> TASK | Check Keystone project status
> 2022-07-13 21:35:30.908189 | 525400ae-089b-870a-fab6-000000007306 |
>  WAITING | Check Keystone project status | undercloud | 30 retries left
> 2022-07-13 21:35:36.166541 | 525400ae-089b-870a-fab6-000000007306 |
>   OK | Check Keystone project status | undercloud | item=admin
> 2022-07-13 21:35:36.168506 | 525400ae-089b-870a-fab6-000000007306 |
> TIMING | tripleo_keystone_resources : Check Keystone project status |
> undercloud | 0:11:35.260666 | 5.66s
> 2022-07-13 21:35:36.400914 | 525400ae-089b-870a-fab6-000000007306 |
>   OK | Check Keystone project status | undercloud | item=service
> 2022-07-13 21:35:36.402534 | 525400ae-089b-870a-fab6-000000007306 |
> TIMING | tripleo_keystone_resources : Check Keystone project status |
> undercloud | 0:11:35.494729 | 5.89s
> 2022-07-13 21:35:36.406576 | 525400ae-089b-870a-fab6-000000007306 |
> TIMING | tripleo_keystone_resources : Check Keystone project status |
> undercloud | 0:11:35.498771 | 5.89s
> 2022-07-13 21:35:36.427719 | 525400ae-089b-870a-fab6-0000000072af |
> TASK | Create admin role
> 2022-07-13 21:35:38.632266 | 525400ae-089b-870a-fab6-0000000072af |
>   OK | Create admin role | undercloud
> 2022-07-13 21:35:38.633754 | 525400ae-089b-870a-fab6-0000000072af |
> TIMING | tripleo_keystone_resources : Create admin role | undercloud |
> 0:11:37.725949 | 2.20s
> 2022-07-13 21:35:38.649721 | 525400ae-089b-870a-fab6-0000000072b0 |
> TASK | Create _member_ role
> 2022-07-13 21:35:38.689773 | 525400ae-089b-870a-fab6-0000000072b0 |
>  SKIPPED | Create _member_ role | undercloud
> 2022-07-13 21:35:38.691172 | 525400ae-089b-870a-fab6-0000000072b0 |
> TIMING | tripleo_keystone_resources : Create _member_ role | undercloud |
> 0:11:37.783369 | 0.04s
> 2022-07-13 21:35:38.706920 | 525400ae-089b-870a-fab6-0000000072b1 |
> TASK | Create admin user
> 2022-07-13 21:35:42.051623 | 525400ae-089b-870a-fab6-0000000072b1 |
>  CHANGED | Create admin user | undercloud
> 2022-07-13 21:35:42.053285 | 525400ae-089b-870a-fab6-0000000072b1 |
> TIMING | tripleo_keystone_resources : Create admin user | undercloud |
> 0:11:41.145472 | 3.34s
> 2022-07-13 21:35:42.069370 | 525400ae-089b-870a-fab6-0000000072b2 |
> TASK | Assign admin role to admin project for admin user
> 2022-07-13 21:35:45.194891 | 525400ae-089b-870a-fab6-0000000072b2 |
>   OK | Assign admin role to admin project for admin user | undercloud
> 2022-07-13 21:35:45.196669 | 525400ae-089b-870a-fab6-0000000072b2 |
> TIMING | tripleo_keystone_resources : Assign admin role to admin project
> for admin user | undercloud | 0:11:44.288848 | 3.13s
> 2022-07-13 21:35:45.212674 | 525400ae-089b-870a-fab6-0000000072b3 |
> TASK | Assign _member_ role to admin project for admin user
> 2022-07-13 21:35:45.252884 | 525400ae-089b-870a-fab6-0000000072b3 |
>  SKIPPED | Assign _member_ role to admin project for admin user | undercloud
> 2022-07-13 21:35:45.254283 | 525400ae-089b-870a-fab6-0000000072b3 |
> TIMING | tripleo_keystone_resources : Assign _member_ role to admin project
> for admin user | undercloud | 0:11:44.346479 | 0.04s
> 2022-07-13 21:35:45.270310 | 525400ae-089b-870a-fab6-0000000072b4 |
> TASK | Create identity service
> 2022-07-13 21:35:46.928715 | 525400ae-089b-870a-fab6-0000000072b4 |
>   OK | Create identity service | undercloud
> 2022-07-13 21:35:46.930167 | 525400ae-089b-870a-fab6-0000000072b4 |
> TIMING | tripleo_keystone_resources : Create identity service | undercloud
> | 0:11:46.022362 | 1.66s
> 2022-07-13 21:35:46.946797 | 525400ae-089b-870a-fab6-0000000072b5 |
> TASK | Create identity public endpoint
> 2022-07-13 21:35:49.139298 | 525400ae-089b-870a-fab6-0000000072b5 |
>   OK | Create identity public endpoint | undercloud
> 2022-07-13 21:35:49.141158 | 525400ae-089b-870a-fab6-0000000072b5 |
> TIMING | tripleo_keystone_resources : Create identity public endpoint |
> undercloud | 0:11:48.233349 | 2.19s
> 2022-07-13 21:35:49.157768 | 525400ae-089b-870a-fab6-0000000072b6 |
> TASK | Create identity internal endpoint
> 2022-07-13 21:35:51.566826 | 525400ae-089b-870a-fab6-0000000072b6 |
>  FATAL | Create identity internal endpoint | undercloud | error={"changed":
> false, "extra_data": {"data": null, "details": "The request you have made
> requires authentication.", "response":
> "{\"error\":{\"code\":401,\"message\":\"The request you have made requires
> authentication.\",\"title\":\"Unauthorized\"}}\n"}, "msg": "Failed to list
> services: Client Error for url: https://[fd00:fd00:fd00:9900::81]:13000/v3/services,
> The request you have made requires authentication."}
> 2022-07-13 21:35:51.568473 | 525400ae-089b-870a-fab6-0000000072b6 |
> TIMING | tripleo_keystone_resources : Create identity internal endpoint |
> undercloud | 0:11:50.660654 | 2.41s
>
> PLAY RECAP
> *********************************************************************
> localhost                  : ok=1    changed=0    unreachable=0
>  failed=0    skipped=2    rescued=0    ignored=0
> overcloud-controller-0     : ok=437  changed=103  unreachable=0
>  failed=0    skipped=214  rescued=0    ignored=0
> overcloud-controller-1     : ok=435  changed=101  unreachable=0
>  failed=0    skipped=214  rescued=0    ignored=0
> overcloud-controller-2     : ok=432  changed=101  unreachable=0
>  failed=0    skipped=214  rescued=0    ignored=0
> overcloud-novacompute-0    : ok=345  changed=82   unreachable=0
>  failed=0    skipped=198  rescued=0    ignored=0
> undercloud                 : ok=39   changed=7    unreachable=0
>  failed=1    skipped=6    rescued=0    ignored=0
>
> Also :
> (undercloud) [stack at undercloud oc-cert]$ cat server.csr.cnf
> [req]
> default_bits = 2048
> prompt = no
> default_md = sha256
> distinguished_name = dn
> [dn]
> C=IN
> ST=UTTAR PRADESH
> L=NOIDA
> O=HSC
> OU=HSC
> emailAddress=demo at demo.com
>
> v3.ext:
> (undercloud) [stack at undercloud oc-cert]$ cat v3.ext
> authorityKeyIdentifier=keyid,issuer
> basicConstraints=CA:FALSE
> keyUsage = digitalSignature, nonRepudiation, keyEncipherment,
> dataEncipherment
> subjectAltName = @alt_names
> [alt_names]
> IP.1=fd00:fd00:fd00:9900::81
>
> Using these files we create other certificates.
> Please check and let me know in case we need anything else.
>
>
> On Wed, Jul 13, 2022 at 10:00 PM Vikarna Tathe <vikarnatathe at gmail.com>
> wrote:
>
>> Hi Lokendra,
>>
>> Are you able to access all the tabs in the OpenStack dashboard without
>> any error? If not, please retry generating the certificate. Also, share the
>> openssl.cnf or server.cnf.
>>
>> On Wed, 13 Jul 2022 at 18:18, Lokendra Rathour <lokendrarathour at gmail.com>
>> wrote:
>>
>>> Hi Team,
>>> Any input on this case raised?
>>>
>>> Thanks,
>>> Lokendra
>>>
>>>
>>> On Tue, Jul 12, 2022 at 10:18 PM Lokendra Rathour <
>>> lokendrarathour at gmail.com> wrote:
>>>
>>>> Hi Shephard/Swogat,
>>>> I tried changing the setting as suggested and it looks like it has
>>>> failed at step 4 with error:
>>>>
>>>> :31:32.169420 | 525400ae-089b-fb79-67ac-0000000072ce |     TIMING |
>>>> tripleo_keystone_resources : Create identity public endpoint | undercloud |
>>>> 0:24:47.736198 | 2.21s
>>>> 2022-07-12 21:31:32.185594 | 525400ae-089b-fb79-67ac-0000000072cf |
>>>>   TASK | Create identity internal endpoint
>>>> 2022-07-12 21:31:34.468996 | 525400ae-089b-fb79-67ac-0000000072cf |
>>>>  FATAL | Create identity internal endpoint | undercloud | error={"changed":
>>>> false, "extra_data": {"data": null, "details": "The request you have made
>>>> requires authentication.", "response":
>>>> "{\"error\":{\"code\":401,\"message\":\"The request you have made requires
>>>> authentication.\",\"title\":\"Unauthorized\"}}\n"}, "msg": "Failed to list
>>>> services: Client Error for url: https://[fd00:fd00:fd00:9900::81]:13000/v3/services,
>>>> The request you have made requires authentication."}
>>>> 2022-07-12 21:31:34.470415 | 525400ae-089b-fb79-67ac-000000
>>>>
>>>>
>>>> Checking further the endpoint list:
>>>> I see only one endpoint for keystone is getting created.
>>>>
>>>>   DeprecationWarning
>>>>
>>>> +----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
>>>> | ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                                     |
>>>> +----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
>>>> | 4378dc0a4d8847ee87771699fc7b995e | regionOne | keystone     | identity     | True    | admin     | http://30.30.30.173:35357               |
>>>> | 67c829e126944431a06ed0c2b97a295f | regionOne | keystone     | identity     | True    | internal  | http://[fd00:fd00:fd00:2000::326]:5000  |
>>>> | 8a9a3de4993c4ff7903caf95b8ae40fa | regionOne | keystone     | identity     | True    | public    | https://[fd00:fd00:fd00:9900::81]:13000 |
>>>> +----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
>>>>
>>>>
>>>> it looks like something related to the SSL, we have also verified that
>>>> the GUI login screen shows that Certificates are applied.
>>>> exploring more in logs, meanwhile any suggestions or known observation
>>>> would be of great help.
>>>> thanks again for the support.
>>>>
>>>> Best Regards,
>>>> Lokendra
>>>>
>>>>
>>>> On Sat, Jul 9, 2022 at 11:24 AM Swogat Pradhan <
>>>> swogatpradhan22 at gmail.com> wrote:
>>>>
>>>>> I had faced a similar kind of issue, for ip based setup you need to
>>>>> specify the domain name as the ip that you are going to use, this error is
>>>>> showing up because the ssl is ip based but the fqdns seems to be
>>>>> undercloud.com or overcloud.example.com.
>>>>> I think for undercloud you can change the undercloud.conf.
>>>>>
>>>>> And will it work if we specify clouddomain parameter to the IP address
>>>>> for overcloud? because it seems he has not specified the clouddomain
>>>>> parameter and overcloud.example.com is the default domain for
>>>>> overcloud.example.com.
>>>>>
>>>>> On Fri, 8 Jul 2022, 6:01 pm Swogat Pradhan, <swogatpradhan22 at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> What is the domain name you have specified in the undercloud.conf
>>>>>> file?
>>>>>> And what is the fqdn name used for the generation of the SSL cert?
>>>>>>
>>>>>> On Fri, 8 Jul 2022, 5:38 pm Lokendra Rathour, <
>>>>>> lokendrarathour at gmail.com> wrote:
>>>>>>
>>>>>>> Hi Team,
>>>>>>> We were trying to install overcloud with SSL enabled for which the
>>>>>>> UC is installed, but OC install is getting failed at step 4:
>>>>>>>
>>>>>>> ERROR
>>>>>>> :nectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>>>>>> retries exceeded with url: / (Caused by
>>>>>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>>>>>> match 'undercloud.com'\",),))\n", "module_stdout": "", "msg":
>>>>>>> "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
>>>>>>> 2022-07-08 17:03:23.606739 | 5254009a-6a3c-adb1-f96f-0000000072ac |
>>>>>>>      FATAL | Clean up legacy Cinder keystone catalog entries | undercloud |
>>>>>>> item={'service_name': 'cinderv3', 'service_type': 'volume'} |
>>>>>>> error={"ansible_index_var": "cinder_api_service", "ansible_loop_var":
>>>>>>> "item", "changed": false, "cinder_api_service": 1, "item": {"service_name":
>>>>>>> "cinderv3", "service_type": "volume"}, "module_stderr": "Failed to discover
>>>>>>> available identity versions when contacting https://[fd00:fd00:fd00:9900::2ef]:13000.
>>>>>>> Attempting to parse version from URL.\nTraceback (most recent call last):\n
>>>>>>>  File \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line
>>>>>>> 600, in urlopen\n    chunked=chunked)\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 343,
>>>>>>> in _make_request\n    self._validate_conn(conn)\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 839,
>>>>>>> in _validate_conn\n    conn.connect()\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/connection.py\", line 378, in
>>>>>>> connect\n    _match_hostname(cert, self.assert_hostname or
>>>>>>> server_hostname)\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/connection.py\", line 388, in
>>>>>>> _match_hostname\n    match_hostname(cert, asserted_hostname)\n  File
>>>>>>> \"/usr/lib64/python3.6/ssl.py\", line 291, in match_hostname\n    %
>>>>>>> (hostname, dnsnames[0]))\nssl.CertificateError: hostname
>>>>>>> 'fd00:fd00:fd00:9900::2ef' doesn't match 'undercloud.com'\n\nDuring
>>>>>>> handling of the above exception, another exception occurred:\n\nTraceback
>>>>>>> (most recent call last):\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/requests/adapters.py\", line 449, in
>>>>>>> send\n    timeout=timeout\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 638,
>>>>>>> in urlopen\n    _stacktrace=sys.exc_info()[2])\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/util/retry.py\", line 399, in
>>>>>>> increment\n    raise MaxRetryError(_pool, url, error or
>>>>>>> ResponseError(cause))\nurllib3.exceptions.MaxRetryError:
>>>>>>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>>>>>> retries exceeded with url: / (Caused by
>>>>>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>>>>>> match 'undercloud.com'\",),))\n\nDuring handling of the above
>>>>>>> exception, another exception occurred:\n\nTraceback (most recent call
>>>>>>> last):\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1022,
>>>>>>> in _send_request\n    resp = self.session.request(method, url, **kwargs)\n
>>>>>>>  File \"/usr/lib/python3.6/site-packages/requests/sessions.py\", line 533,
>>>>>>> in request\n    resp = self.send(prep, **send_kwargs)\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/requests/sessions.py\", line 646, in
>>>>>>> send\n    r = adapter.send(request, **kwargs)\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/requests/adapters.py\", line 514, in
>>>>>>> send\n    raise SSLError(e, request=request)\nrequests.exceptions.SSLError:
>>>>>>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>>>>>> retries exceeded with url: / (Caused by
>>>>>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>>>>>> match 'undercloud.com'\",),))\n\nDuring handling of the above
>>>>>>> exception, another exception occurred:\n\nTraceback (most recent call
>>>>>>> last):\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
>>>>>>> line 138, in _do_create_plugin\n    authenticated=False)\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>>>>>>> 610, in get_discovery\n    authenticated=authenticated)\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 1452,
>>>>>>> in get_discovery\n    disc = Discover(session, url,
>>>>>>> authenticated=authenticated)\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 536,
>>>>>>> in __init__\n    authenticated=authenticated)\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 102,
>>>>>>> in get_version_data\n    resp = session.get(url, headers=headers,
>>>>>>> authenticated=authenticated)\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1141,
>>>>>>> in get\n    return self.request(url, 'GET', **kwargs)\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 931, in
>>>>>>> request\n    resp = send(**kwargs)\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1026,
>>>>>>> in _send_request\n    raise
>>>>>>> exceptions.SSLError(msg)\nkeystoneauth1.exceptions.connection.SSLError: SSL
>>>>>>> exception connecting to https://[fd00:fd00:fd00:9900::2ef]:13000:
>>>>>>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>>>>>> retries exceeded with url: / (Caused by
>>>>>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>>>>>> match 'undercloud.com'\",),))\n\nDuring handling of the above
>>>>>>> exception, another exception occurred:\n\nTraceback (most recent call
>>>>>>> last):\n  File \"<stdin>\", line 102, in <module>\n  File \"<stdin>\", line
>>>>>>> 94, in _ansiballz_main\n  File \"<stdin>\", line 40, in invoke_module\n
>>>>>>>  File \"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\n
>>>>>>>  return _run_module_code(code, init_globals, run_name, mod_spec)\n  File
>>>>>>> \"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\n
>>>>>>>  mod_name, mod_spec, pkg_name, script_name)\n  File
>>>>>>> \"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\n    exec(code,
>>>>>>> run_globals)\n  File
>>>>>>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
>>>>>>> line 185, in <module>\n  File
>>>>>>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
>>>>>>> line 181, in main\n  File
>>>>>>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/module_utils/openstack.py\",
>>>>>>> line 407, in __call__\n  File
>>>>>>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
>>>>>>> line 141, in run\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\", line
>>>>>>> 517, in search_services\n    services = self.list_services()\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\", line
>>>>>>> 492, in list_services\n    if self._is_client_version('identity', 2):\n
>>>>>>>  File
>>>>>>> \"/usr/lib/python3.6/site-packages/openstack/cloud/openstackcloud.py\",
>>>>>>> line 460, in _is_client_version\n    client = getattr(self, client_name)\n
>>>>>>>  File \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\",
>>>>>>> line 32, in _identity_client\n    'identity', min_version=2,
>>>>>>> max_version='3.latest')\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/openstack/cloud/openstackcloud.py\",
>>>>>>> line 407, in _get_versioned_client\n    if adapter.get_endpoint():\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/adapter.py\", line 291, in
>>>>>>> get_endpoint\n    return self.session.get_endpoint(auth or self.auth,
>>>>>>> **kwargs)\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1243,
>>>>>>> in get_endpoint\n    return auth.get_endpoint(self, **kwargs)\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>>>>>>> 380, in get_endpoint\n    allow_version_hack=allow_version_hack,
>>>>>>> **kwargs)\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>>>>>>> 271, in get_endpoint_data\n    service_catalog =
>>>>>>> self.get_access(session).service_catalog\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>>>>>>> 134, in get_access\n    self.auth_ref = self.get_auth_ref(session)\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
>>>>>>> line 206, in get_auth_ref\n    self._plugin =
>>>>>>> self._do_create_plugin(session)\n  File
>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
>>>>>>> line 161, in _do_create_plugin\n    'auth_url is correct. %s' %
>>>>>>> e)\nkeystoneauth1.exceptions.discovery.DiscoveryFailure: Could not find
>>>>>>> versioned identity endpoints when attempting to authenticate. Please check
>>>>>>> that your auth_url is correct. SSL exception connecting to https://[fd00:fd00:fd00:9900::2ef]:13000:
>>>>>>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>>>>>> retries exceeded with url: / (Caused by
>>>>>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>>>>>> match 'overcloud.example.com'\",),))\n", "module_stdout": "",
>>>>>>> "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
>>>>>>> 2022-07-08 17:03:23.609354 | 5254009a-6a3c-adb1-f96f-0000000072ac |
>>>>>>>     TIMING | Clean up legacy Cinder keystone catalog entries | undercloud |
>>>>>>> 0:11:01.271914 | 2.47s
>>>>>>> 2022-07-08 17:03:23.611094 | 5254009a-6a3c-adb1-f96f-0000000072ac |
>>>>>>>     TIMING | Clean up legacy Cinder keystone catalog entries | undercloud |
>>>>>>> 0:11:01.273659 | 2.47s
>>>>>>>
>>>>>>> PLAY RECAP
>>>>>>> *********************************************************************
>>>>>>> localhost                  : ok=0    changed=0    unreachable=0
>>>>>>>  failed=0    skipped=2    rescued=0    ignored=0
>>>>>>> overcloud-controller-0     : ok=437  changed=104  unreachable=0
>>>>>>>  failed=0    skipped=214  rescued=0    ignored=0
>>>>>>> overcloud-controller-1     : ok=436  changed=101  unreachable=0
>>>>>>>  failed=0    skipped=214  rescued=0    ignored=0
>>>>>>> overcloud-controller-2     : ok=431  changed=101  unreachable=0
>>>>>>>  failed=0    skipped=214  rescued=0    ignored=0
>>>>>>> overcloud-novacompute-0    : ok=345  changed=83   unreachable=0
>>>>>>>  failed=0    skipped=198  rescued=0    ignored=0
>>>>>>> undercloud                 : ok=28   changed=7    unreachable=0
>>>>>>>  failed=1    skipped=3    rescued=0    ignored=0
>>>>>>> 2022-07-08 17:03:23.647270 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>>>> Summary Information ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>>>> 2022-07-08 17:03:23.647907 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Total
>>>>>>> Tasks: 1373       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>>>>
>>>>>>>
>>>>>>> in the deploy.sh:
>>>>>>>
>>>>>>> openstack overcloud deploy --templates \
>>>>>>>     -r /home/stack/templates/roles_data.yaml \
>>>>>>>     --networks-file /home/stack/templates/custom_network_data.yaml \
>>>>>>>     --vip-file /home/stack/templates/custom_vip_data.yaml \
>>>>>>>     --baremetal-deployment /home/stack/templates/overcloud-baremetal-deploy.yaml \
>>>>>>>     --network-config \
>>>>>>>     -e /home/stack/templates/environment.yaml \
>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/services/ironic-conductor.yaml \
>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/services/ironic-inspector.yaml \
>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/services/ironic-overcloud.yaml \
>>>>>>>     -e /home/stack/templates/ironic-config.yaml \
>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/external-ceph.yaml \
>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/services/ptp.yaml \
>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-tls.yaml \
>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-ip.yaml \
>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/inject-trust-anchor.yaml \
>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/docker-ha.yaml \
>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/podman.yaml \
>>>>>>>     -e /home/stack/containers-prepare-parameter.yaml
>>>>>>>
>>>>>>> Additional lines as highlighted in yellow were passed with
>>>>>>> modifications:
>>>>>>> tls-endpoints-public-ip.yaml:
>>>>>>> Passed as is in the defaults.
>>>>>>> enable-tls.yaml:
>>>>>>>
>>>>>>> # *******************************************************************
>>>>>>> # This file was created automatically by the sample environment
>>>>>>> # generator. Developers should use `tox -e genconfig` to update it.
>>>>>>> # Users are recommended to make changes to a copy of the file instead
>>>>>>> # of the original, if any customizations are needed.
>>>>>>> # *******************************************************************
>>>>>>> # title: Enable SSL on OpenStack Public Endpoints
>>>>>>> # description: |
>>>>>>> #   Use this environment to pass in certificates for SSL deployments.
>>>>>>> #   For these values to take effect, one of the tls-endpoints-*.yaml
>>>>>>> #   environments must also be used.
>>>>>>> parameter_defaults:
>>>>>>>   # Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
>>>>>>>   # Type: boolean
>>>>>>>   HorizonSecureCookies: True
>>>>>>>
>>>>>>>   # Specifies the default CA cert to use if TLS is used for services in the public network.
>>>>>>>   # Type: string
>>>>>>>   PublicTLSCAFile: '/etc/pki/ca-trust/source/anchors/overcloud-cacert.pem'
>>>>>>>
>>>>>>>   # The content of the SSL certificate (without Key) in PEM format.
>>>>>>>   # Type: string
>>>>>>>   SSLRootCertificate: |
>>>>>>>     -----BEGIN CERTIFICATE-----
>>>>>>>     ----*** CERTICATELINES TRIMMED **
>>>>>>>     -----END CERTIFICATE-----
>>>>>>>
>>>>>>>   SSLCertificate: |
>>>>>>>     -----BEGIN CERTIFICATE-----
>>>>>>>      ----*** CERTICATELINES TRIMMED **
>>>>>>>     -----END CERTIFICATE-----
>>>>>>>   # The content of an SSL intermediate CA certificate in PEM format.
>>>>>>>   # Type: string
>>>>>>>   SSLIntermediateCertificate: ''
>>>>>>>
>>>>>>>   # The content of the SSL Key in PEM format.
>>>>>>>   # Type: string
>>>>>>>   SSLKey: |
>>>>>>>     -----BEGIN PRIVATE KEY-----
>>>>>>>      ----*** CERTICATELINES TRIMMED **
>>>>>>>     -----END PRIVATE KEY-----
>>>>>>>
>>>>>>>   # ******************************************************
>>>>>>>   # Static parameters - these are values that must be
>>>>>>>   # included in the environment but should not be changed.
>>>>>>>   # ******************************************************
>>>>>>>   # The filepath of the certificate as it will be stored in the controller.
>>>>>>>   # Type: string
>>>>>>>   DeployedSSLCertificatePath: /etc/pki/tls/private/overcloud_endpoint.pem
>>>>>>>
>>>>>>>   # *********************
>>>>>>>   # End static parameters
>>>>>>>   # *********************
>>>>>>>
>>>>>>> inject-trust-anchor.yaml
>>>>>>>
>>>>>>> # *******************************************************************
>>>>>>> # This file was created automatically by the sample environment
>>>>>>> # generator. Developers should use `tox -e genconfig` to update it.
>>>>>>> # Users are recommended to make changes to a copy of the file instead
>>>>>>> # of the original, if any customizations are needed.
>>>>>>> # *******************************************************************
>>>>>>> # title: Inject SSL Trust Anchor on Overcloud Nodes
>>>>>>> # description: |
>>>>>>> #   When using an SSL certificate signed by a CA that is not in the default
>>>>>>> #   list of CAs, this environment allows adding a custom CA certificate to
>>>>>>> #   the overcloud nodes.
>>>>>>> parameter_defaults:
>>>>>>>   # The content of a CA's SSL certificate file in PEM format. This is evaluated on the client side.
>>>>>>>   # Mandatory. This parameter must be set by the user.
>>>>>>>   # Type: string
>>>>>>>   SSLRootCertificate: |
>>>>>>>     -----BEGIN CERTIFICATE-----
>>>>>>>    ----*** CERTICATELINES TRIMMED **
>>>>>>>     -----END CERTIFICATE-----
>>>>>>>
>>>>>>> resource_registry:
>>>>>>>   OS::TripleO::NodeTLSCAData: ../../puppet/extraconfig/tls/ca-inject.yaml
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> The procedure to create such files was followed using:
>>>>>>> Deploying with SSL — TripleO 3.0.0 documentation (openstack.org)
>>>>>>> <https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/ssl.html>
>>>>>>>
>>>>>>> Idea is to deploy overcloud with SSL enabled, i.e. Self-signed
>>>>>>> IP-based certificate, without DNS.
>>>>>>>
>>>>>>> Any idea around this error would be of great help.
>>>>>>>
>>>>>>> --
>>>>>>> skype: lokendrarathour
>>>>>>>
> --
> ~ Lokendra
> skype: lokendrarathour
>
>
>
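
The change suggested in the top reply (CN set to the address, plus IP.1 and DNS.1 under alt_names), as an added example that is not part of the original thread: it rewrites the thread's server.csr.cnf and v3.ext with those fields, signs the request, and checks the result against the endpoint address with `openssl verify -verify_ip`. The throwaway CA, the `.pem` file names and the scratch directory are assumptions made for the demo, and the e-mail field of the DN is left out.

```shell
#!/bin/sh
# Added example: IP-based certificate with CN and subjectAltName set,
# verified against the endpoint address before it goes into enable-tls.yaml.

VIP="fd00:fd00:fd00:9900::81"   # public endpoint address from the thread

make_ip_cert() {
    # $1 = work directory, $2 = IP address the endpoint is reached on
    dir="$1"; ip="$2"
    mkdir -p "$dir" || return 1

    # CSR config from the thread, plus the CN that was missing.
    cat > "$dir/server.csr.cnf" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C=IN
ST=UTTAR PRADESH
L=NOIDA
O=HSC
OU=HSC
CN=$ip
EOF

    # Extension file from the thread, plus the DNS.1 entry suggested in the reply.
    cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1=$ip
DNS.1=$ip
EOF

    # Throwaway CA, constructed for this example only.
    cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN=demo-ca
[v3_ca]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key.pem" -out "$dir/ca.crt.pem" 2>>"$dir/openssl.log" || return 1

    # Server key and CSR, then sign the CSR with the extensions from v3.ext.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/server.csr.cnf" \
        -keyout "$dir/server.key.pem" -out "$dir/server.csr.pem" 2>>"$dir/openssl.log" || return 1
    openssl x509 -req -in "$dir/server.csr.pem" -CA "$dir/ca.crt.pem" \
        -CAkey "$dir/ca.key.pem" -CAcreateserial -days 1 -sha256 \
        -extfile "$dir/v3.ext" -out "$dir/server.crt.pem" 2>>"$dir/openssl.log"
}

cert_matches_ip() {
    # $1 = CA certificate, $2 = server certificate, $3 = IP address to check
    # Succeeds only if the chain verifies and the certificate is valid for that IP.
    openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1
}

# Demo run: build the certificate in a scratch directory, then test the
# intended address and a second address the certificate was not issued for.
WORK=$(mktemp -d)
make_ip_cert "$WORK" "$VIP" || { echo "certificate generation failed, see $WORK/openssl.log" >&2; exit 1; }
for addr in "$VIP" "fd00:fd00:fd00:9900::2ef"; do
    if cert_matches_ip "$WORK/ca.crt.pem" "$WORK/server.crt.pem" "$addr"; then
        echo "$addr: certificate matches"
    else
        echo "$addr: certificate does NOT match"
    fi
done
```

Running the same `cert_matches_ip` check on the certificate that is actually pasted into enable-tls.yaml shows a name mismatch before the deployment reaches step 4.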