[Triple0 - Wallaby] Overcloud deployment getting failed with SSL

Lokendra Rathour lokendrarathour at gmail.com
Wed Jul 20 09:01:50 UTC 2022


Hi Brendan / Team,
Any lead for the issue raised?

-Lokendra
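
The `hostname 'fd00:fd00:fd00:9900::2ef' doesn't match 'undercloud.com'` failure quoted at the bottom of this thread comes from the client comparing the host in the endpoint URL with the certificate's subjectAltName entries. The following is an added example, not part of the thread and not TripleO code: a stdlib-only check of that rule, run against the endpoint URLs and SAN values posted in the thread. The function names are hypothetical, the certificate dicts are constructed in the layout of Python's `ssl.SSLSocket.getpeercert()`, and the matcher assumes the current rule of no CN fallback.

```python
"""Check which endpoint URLs a certificate's subjectAltName can serve."""
import ipaddress
from urllib.parse import urlsplit


def host_kind(host):
    """Return ('IP', address) for an IP literal, else ('DNS', lowercased name)."""
    try:
        return "IP", ipaddress.ip_address(host)
    except ValueError:
        return "DNS", host.rstrip(".").lower()


def dns_matches(pattern, name):
    """Match a dNSName SAN; '*' is honoured only as the whole left-most label."""
    pattern = pattern.rstrip(".").lower()
    if not pattern.startswith("*."):
        return pattern == name
    suffix = pattern[2:]
    first, _, rest = name.partition(".")
    # The wildcard covers exactly one label and never a bare TLD.
    return bool(first) and rest == suffix and "." in suffix


def san_matches(cert, host):
    """True if `host` is covered by a SAN entry of the matching type.

    IP literals are compared only with 'IP Address' entries and names only
    with 'DNS' entries, so an address stored in a DNS entry does not count.
    """
    kind, value = host_kind(host)
    for san_type, san_value in cert.get("subjectAltName", ()):
        if kind == "IP" and san_type == "IP Address":
            if ipaddress.ip_address(san_value) == value:
                return True
        elif kind == "DNS" and san_type == "DNS":
            if dns_matches(san_value, value):
                return True
    return False


def check_endpoints(cert, urls):
    """Map each URL to True/False for https, or None when it is not TLS."""
    results = {}
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "https":
            results[url] = None
            continue
        results[url] = san_matches(cert, parts.hostname)
    return results


# Constructed certificate dicts; the SAN values are the ones posted in the thread.
CERT_IP_SAN = {"subjectAltName": (("IP Address", "FD00:FD00:FD00:9900:0:0:0:81"),)}
CERT_DNS_SAN = {"subjectAltName": (("DNS", "overcloud-hsc.com"),)}
# Assumption: the first certificate carried the name undercloud.com as a DNS SAN.
CERT_UNDERCLOUD = {"subjectAltName": (("DNS", "undercloud.com"),)}

# Endpoint URLs as they appear in the thread's error messages and catalog.
URLS = [
    "https://[fd00:fd00:fd00:9900::2ef]:13000",
    "https://[fd00:fd00:fd00:9900::81]:13000/v3/services",
    "https://overcloud-hsc.com:13000/v3/services",
    "http://30.30.30.173:35357",
]

if __name__ == "__main__":
    for label, cert in (("IP SAN", CERT_IP_SAN), ("DNS SAN", CERT_DNS_SAN),
                        ("undercloud.com", CERT_UNDERCLOUD)):
        print(label)
        for url, ok in check_endpoints(cert, URLS).items():
            state = {True: "match", False: "MISMATCH", None: "not TLS"}[ok]
            print(f"  {state:8} {url}")
```
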



On Tue, Jul 19, 2022 at 11:46 AM Lokendra Rathour <lokendrarathour at gmail.com>
wrote:

> Hi Brendan,
> Thanks for the inputs.
> When I run the command as you suggested I get this:
>
> (undercloud) [stack@undercloud ~]$ OS_CLOUD=overcloud openstack endpoint list
> +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------------------+
> | ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                                    |
> +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------------------+
> | 1bfe43c9cf174bd8a01a3a681538766a | regionOne | keystone     | identity     | True    | internal  | http://[fd00:fd00:fd00:2000::326]:5000 |
> | 707e92fc11df4a74bceb5e48f2561357 | regionOne | keystone     | identity     | True    | admin     | http://30.30.30.173:35357              |
> | fab4e66170c8402f899c5f43fd4c39fe | regionOne | keystone     | identity     | True    | public    | https://overcloud-hsc.com:13000        |
> +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------------------+
> (undercloud) [stack@undercloud ~]$
>
>
> On another note, what I noticed is as below:
>
>    - HAproxy container is not running.
>       - [root@overcloud-controller-2 stdouts]# podman ps -a | grep haproxy
>       e91dbde042db  undercloud.ctlplane.localdomain:8787/tripleowallaby/openstack-haproxy:current-tripleo  24 hours ago  Exited (1) Less than a second ago  container-puppet-haproxy
>       - Checking logs:
>       - 2022-07-19T08:47:00.496212294+05:30 stderr F + ARGS=
>       2022-07-19T08:47:00.496300242+05:30 stderr F + [[ ! -n '' ]]
>       2022-07-19T08:47:00.496323705+05:30 stderr F + . kolla_extend_start
>       2022-07-19T08:47:00.496578173+05:30 stderr F + echo 'Running
>       command: '\''bash -c $* -- eval if [ -f /usr/sbin/haproxy-systemd-wrapper
>       ]; then exec /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg;
>       else exec /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -Ws; fi'\'''
>       2022-07-19T08:47:00.496605469+05:30 stdout F Running command: 'bash
>       -c $* -- eval if [ -f /usr/sbin/haproxy-systemd-wrapper ]; then exec
>       /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg; else exec
>       /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -Ws; fi'
>       2022-07-19T08:47:00.496895618+05:30 stderr F + exec bash -c '$*' --
>       eval if '[' -f /usr/sbin/haproxy-systemd-wrapper '];' then exec
>       /usr/sbin/haproxy-systemd-wrapper -f '/etc/haproxy/haproxy.cfg;' else exec
>       /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg '-Ws;' fi
>       2022-07-19T08:47:00.513182490+05:30 stderr F [WARNING] 199/084700
>       (7) : parsing [/etc/haproxy/haproxy.cfg:28] : 'bind
>       fd00:fd00:fd00:9900::81:13776' :
>       2022-07-19T08:47:00.513182490+05:30 stderr F   unable to load
>       default 1024 bits DH parameter for certificate
>       '/etc/pki/tls/private/overcloud_endpoint.pem'.
>       2022-07-19T08:47:00.513182490+05:30 stderr F   , SSL library will
>       use an automatically generated DH parameter.
>       2022-07-19T08:47:00.513967576+05:30 stderr F [WARNING]
>       199/084700 (7) : parsing [/etc/haproxy/haproxy.cfg:45] : 'bind
>       fd00:fd00:fd00:9900::81:13292' :
>       2022-07-19T08:47:00.513967576+05:30 stderr F   unable to load
>       default 1024 bits DH parameter for certificate
>       '/etc/pki/tls/private/overcloud_endpoint.pem'.
>       2022-07-19T08:47:00.513967576+05:30 stderr F   , SSL library will
>       use an automatically generated DH parameter.
>       2022-07-19T08:47:00.514736662+05:30 stderr F [WARNING] 199/084700
>       (7) : parsing [/etc/haproxy/haproxy.cfg:69] : 'bind
>       fd00:fd00:fd00:9900::81:13004' :
>       2022-07-19T08:47:00.514736662+05:30 stderr F   unable to load
>       default 1024 bits DH parameter for certificate
>       '/etc/pki/tls/private/overcloud_endpoint.pem'.
>       2022-07-19T08:47:00.514736662+05:30 stderr F   , SSL library will
>       use an automatically generated DH parameter.
>       2022-07-19T08:47:00.515461787+05:30 stderr F [WARNING] 199/084700
>       (7) : parsing [/etc/haproxy/haproxy.cfg:89] : 'bind
>       fd00:fd00:fd00:9900::81:13005' :
>       2022-07-19T08:47:00.515461787+05:30 stderr F   unable to load
>       default 1024 bits DH parameter for certificate
>       '/etc/pki/tls/private/overcloud_endpoint.pem'.
>       2022-07-19T08:47:00.515461787+05:30 stderr F   , SSL library will
>       use an automatically generated DH parameter.
>       2022-07-19T08:47:00.516167406+05:30 stderr F [WARNING] 199/084700
>       (7) : parsing [/etc/haproxy/haproxy.cfg:108] : 'bind
>       fd00:fd00:fd00:2000::326:443' :
>       2022-07-19T08:47:00.517937930+05:30 stderr F   , SSL library will
>       use an automatically generated DH parameter.
>       2022-07-19T08:47:00.518534123+05:30 stderr F [WARNING] 199/084700
>       (7) : parsing [/etc/haproxy/haproxy.cfg:172] : 'bind
>       fd00:fd00:fd00:9900::81:13000' :
>       2022-07-19T08:47:00.518534123+05:30 stderr F   unable to load
>       default 1024 bits DH parameter for certificate
>       '/etc/pki/tls/private/overcloud_endpoint.pem'.
>       2022-07-19T08:47:00.518534123+05:30 stderr F   , SSL library will
>       use an automatically generated DH parameter.
>       2022-07-19T08:47:00.519127743+05:30 stderr F [WARNING] 199/084700
>       (7) : parsing [/etc/haproxy/haproxy.cfg:201] : 'bind
>       fd00:fd00:fd00:9900::81:13696' :
>       2022-07-19T08:47:00.519127743+05:30 stderr F   unable to load
>       default 1024 bits DH parameter for certificate
>       '/etc/pki/tls/private/overcloud_endpoint.pem'.
>       2022-07-19T08:47:00.519127743+05:30 stderr F   , SSL library will
>       use an automatically generated DH parameter.
>       2022-07-19T08:47:00.519734281+05:30 stderr F [WARNING] 199/084700
>       (7) : parsing [/etc/haproxy/haproxy.cfg:233] : 'bind
>       fd00:fd00:fd00:9900::81:13080' :
>       2022-07-19T08:47:00.519734281+05:30 stderr F   unable to load
>       default 1024 bits DH parameter for certificate
>       '/etc/pki/tls/private/overcloud_endpoint.pem'.
>       2022-07-19T08:47:00.519734281+05:30 stderr F   , SSL library will
>       use an automatically generated DH parameter.
>       2022-07-19T08:47:00.520285158+05:30 stderr F [WARNING] 199/084700
>       (7) : parsing [/etc/haproxy/haproxy.cfg:250] : 'bind
>       fd00:fd00:fd00:9900::81:13774' :
>       2022-07-19T08:47:00.520285158+05:30 stderr F   unable to load
>       default 1024 bits DH parameter for certificate
>       '/etc/pki/tls/private/overcloud_endpoint.pem'.
>       2022-07-19T08:47:00.520285158+05:30 stderr F   , SSL library will
>       use an automatically generated DH parameter.
>       2022-07-19T08:47:00.520830405+05:30 stderr F [WARNING] 199/084700
>       (7) : parsing [/etc/haproxy/haproxy.cfg:266] : 'bind
>       fd00:fd00:fd00:9900::81:13778' :
>       2022-07-19T08:47:00.520830405+05:30 stderr F   unable to load
>       default 1024 bits DH parameter for certificate
>       '/etc/pki/tls/private/overcloud_endpoint.pem'.
>       2022-07-19T08:47:00.520830405+05:30 stderr F   , SSL library will
>       use an automatically generated DH parameter.
>       2022-07-19T08:47:00.521517271+05:30 stderr F [WARNING] 199/084700
>       (7) : parsing [/etc/haproxy/haproxy.cfg:281] : 'bind
>       fd00:fd00:fd00:9900::81:13808' :
>       2022-07-19T08:47:00.521517271+05:30 stderr F   unable to load
>       default 1024 bits DH parameter for certificate
>       '/etc/pki/tls/private/overcloud_endpoint.pem'.
>       2022-07-19T08:47:00.521517271+05:30 stderr F   , SSL library will
>       use an automatically generated DH parameter.
>       2022-07-19T08:47:00.524065508+05:30 stderr F [WARNING] 199/084700
>       (7) : Setting tune.ssl.default-dh-param to 1024 by default, if your
>       workload permits it you should set it to at least 2048. Please set a value
>       >= 1024 to make this warning disappear.
>       - pcs status also show that proxy is down for the controller with
>    VIP:
>       - Failed Resource Actions:
>         * haproxy-bundle-podman-2_start_0 on overcloud-controller-2
>       'error' (1): call=139, status='complete', exitreason='podman failed to
>       launch container (rc: 1)', last-rc-change='Mon Jul 18 15:14:34 2022',
>       queued=0ms, exec=1222ms
>         * haproxy-bundle-podman-1_start_0 on overcloud-controller-1
>       'error' (1): call=191, status='complete', exitreason='podman failed to
>       launch container (rc: 1)', last-rc-change='Mon Jul 18 23:54:17 2022',
>       queued=0ms, exec=1171ms
>         * haproxy-bundle-podman-2_start_0 on overcloud-controller-1
>       'error' (1): call=193, status='complete', exitreason='podman failed to
>       launch container (rc: 1)', last-rc-change='Mon Jul 18 23:54:20 2022',
>       queued=0ms, exec=1256ms
>
> Do let me know in case we need anything more around it.
> Thanks once again for the support.
> -Lokendra
>
> On Tue, Jul 19, 2022 at 11:07 AM Brendan Shephard <bshephar at redhat.com>
> wrote:
>
>> Hey,
>>
>> Doesn't look like there is anything wrong with the certificate there. You
>> would be getting a TLS error if that was the problem.
>>
>> What does your clouds.yaml file look like now? What happens if you run
>> this command from the Undercloud node:
>> $ OS_CLOUD=overcloud openstack endpoint list
>>
>> Do you get the same error?
>>
>> Brendan Shephard
>>
>> Software Engineer
>>
>> Red Hat APAC <https://www.redhat.com>
>>
>> 193 N Quay
>>
>> Brisbane City QLD 4000
>>
>>
>> On Tue, Jul 19, 2022 at 1:28 PM Lokendra Rathour <
>> lokendrarathour at gmail.com> wrote:
>>
>>> Hi Swogat and Vikarna,
>>> We have tried adding the DNS entry for the overcloud domain. We are
>>> getting the same error:
>>>
>>> 022-07-19 00:09:41.491498 | 525400ae-089b-c832-8e34-00000000704f |
>>> TIMING | tripleo_keystone_resources : Create identity public endpoint |
>>> undercloud | 0:11:18.785769 | 2.16s
>>> 2022-07-19 00:09:41.507319 | 525400ae-089b-c832-8e34-000000007050 |
>>>   TASK | Create identity internal endpoint
>>> 2022-07-19 00:09:43.778910 | 525400ae-089b-c832-8e34-000000007050 |
>>>  FATAL | Create identity internal endpoint | undercloud |
>>> error={"changed": false, "extra_data": {"data": null, "details": "The
>>> request you have made requires authentication.", "response":
>>> "{\"error\":{\"code\":401,\"message\":\"The request you have made requires
>>> authentication.\",\"title\":\"Unauthorized\"}}\n"}, "msg": "Failed to list
>>> services: Client Error for url:
>>> https://overcloud-hsc.com:13000/v3/services, The request you have made
>>> requires authentication."}
>>> 2022-07-19 00:09:43.780306 | 525400ae-089b-c832-8e34-000000007050 |
>>> TIMING | tripleo_keystone_resources : Create identity internal endpoint |
>>> undercloud | 0:11:21.074605 | 2.
>>>
>>>
>>> Certificate configs:
>>>
>>> [stack@undercloud oc-domain-name]$ cat server.csr.cnf
>>> [req]
>>> default_bits = 2048
>>> prompt = no
>>> default_md = sha256
>>> distinguished_name = dn
>>> [dn]
>>> C=IN
>>> ST=UTTAR PRADESH
>>> L=NOIDA
>>> O=HSC
>>> OU=HSC
>>> emailAddress=demo@demo.com
>>> CN=overcloud-hsc.com
>>> [stack@undercloud oc-domain-name]$ cat v3.ext
>>> authorityKeyIdentifier=keyid,issuer
>>> basicConstraints=CA:FALSE
>>> keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
>>> subjectAltName = @alt_names
>>> [alt_names]
>>> DNS.1=overcloud-hsc.com
>>> [stack@undercloud oc-domain-name]$
>>>
>>> The difference we see from others is that we are using self-signed
>>> certificates.
>>>
>>> Please let me know in case we need to check something else. Somehow this
>>> issue remains stuck.
>>>
>>>
>>> On Fri, Jul 15, 2022 at 2:17 AM Swogat Pradhan <
>>> swogatpradhan22 at gmail.com> wrote:
>>>
>>>> I was facing a similar kind of issue.
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=2089442
>>>> Here is the solution that helped me fix it.
>>>> Also make sure the cn that you will use is reachable from undercloud
>>>> (maybe) script should take care of it.
>>>>
>>>> Also please follow Mr. Tathe's mail to add the cn first.
>>>>
>>>> With regards
>>>> Swogat Pradhan
>>>>
>>>> On Thu, Jul 14, 2022 at 8:49 AM Vikarna Tathe <vikarnatathe at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi Lokendra,
>>>>>
>>>>> The CN field is missing. Can you add that and generate the certificate
>>>>> again.
>>>>>
>>>>> CN=ipaddress
>>>>>
>>>>> Also add dns.1=ipaddress under alt_names for precaution.
>>>>>
>>>>> Vikarna
>>>>>
>>>>> On Wed, 13 Jul, 2022, 23:02 Lokendra Rathour, <
>>>>> lokendrarathour at gmail.com> wrote:
>>>>>
>>>>>> Hi Vikarna,
>>>>>> Thanks for the inputs.
>>>>>> I am not able to access any tabs in GUI.
>>>>>>
>>>>>> To restate, we are failing at the time of deployment at step 4:
>>>>>>
>>>>>>
>>>>>> PLAY [External deployment step 4]
>>>>>> **********************************************
>>>>>> 2022-07-13 21:35:22.505148 | 525400ae-089b-870a-fab6-0000000000d7 |
>>>>>>     TASK | External deployment step 4
>>>>>> 2022-07-13 21:35:22.534899 | 525400ae-089b-870a-fab6-0000000000d7 |
>>>>>>       OK | External deployment step 4 | undercloud -> localhost | result={
>>>>>>     "changed": false,
>>>>>>     "msg": "Use --start-at-task 'External deployment step 4' to
>>>>>> resume from this task"
>>>>>> }
>>>>>> [WARNING]: ('undercloud -> localhost',
>>>>>> '525400ae-089b-870a-fab6-0000000000d7')
>>>>>> missing from stats
>>>>>> 2022-07-13 21:35:22.591268 | 525400ae-089b-870a-fab6-0000000000d8 |
>>>>>>   TIMING | include_tasks | undercloud | 0:11:21.683453 | 0.04s
>>>>>> 2022-07-13 21:35:22.605901 | f29c4b58-75a5-4993-97b8-3921a49d79d7 |
>>>>>> INCLUDED |
>>>>>> /home/stack/overcloud-deploy/overcloud/config-download/overcloud/external_deploy_steps_tasks_step4.yaml
>>>>>> | undercloud
>>>>>> 2022-07-13 21:35:22.627112 | 525400ae-089b-870a-fab6-000000007239 |
>>>>>>     TASK | Clean up legacy Cinder keystone catalog entries
>>>>>> 2022-07-13 21:35:25.110635 | 525400ae-089b-870a-fab6-000000007239 |
>>>>>>       OK | Clean up legacy Cinder keystone catalog entries | undercloud |
>>>>>> item={'service_name': 'cinderv2', 'service_type': 'volumev2'}
>>>>>> 2022-07-13 21:35:25.112368 | 525400ae-089b-870a-fab6-000000007239 |
>>>>>>   TIMING | Clean up legacy Cinder keystone catalog entries | undercloud |
>>>>>> 0:11:24.204562 | 2.48s
>>>>>> 2022-07-13 21:35:27.029270 | 525400ae-089b-870a-fab6-000000007239 |
>>>>>>       OK | Clean up legacy Cinder keystone catalog entries | undercloud |
>>>>>> item={'service_name': 'cinderv3', 'service_type': 'volume'}
>>>>>> 2022-07-13 21:35:27.030383 | 525400ae-089b-870a-fab6-000000007239 |
>>>>>>   TIMING | Clean up legacy Cinder keystone catalog entries | undercloud |
>>>>>> 0:11:26.122584 | 4.40s
>>>>>> 2022-07-13 21:35:27.032091 | 525400ae-089b-870a-fab6-000000007239 |
>>>>>>   TIMING | Clean up legacy Cinder keystone catalog entries | undercloud |
>>>>>> 0:11:26.124296 | 4.40s
>>>>>> 2022-07-13 21:35:27.047913 | 525400ae-089b-870a-fab6-00000000723c |
>>>>>>     TASK | Manage Keystone resources for OpenStack services
>>>>>> 2022-07-13 21:35:27.077672 | 525400ae-089b-870a-fab6-00000000723c |
>>>>>>   TIMING | Manage Keystone resources for OpenStack services | undercloud |
>>>>>> 0:11:26.169842 | 0.03s
>>>>>> 2022-07-13 21:35:27.120270 | 525400ae-089b-870a-fab6-00000000726b |
>>>>>>     TASK | Gather variables for each operating system
>>>>>> 2022-07-13 21:35:27.161225 | 525400ae-089b-870a-fab6-00000000726b |
>>>>>>   TIMING | tripleo_keystone_resources : Gather variables for each operating
>>>>>> system | undercloud | 0:11:26.253383 | 0.04s
>>>>>> 2022-07-13 21:35:27.177798 | 525400ae-089b-870a-fab6-00000000726c |
>>>>>>     TASK | Create Keystone Admin resources
>>>>>> 2022-07-13 21:35:27.207430 | 525400ae-089b-870a-fab6-00000000726c |
>>>>>>   TIMING | tripleo_keystone_resources : Create Keystone Admin resources |
>>>>>> undercloud | 0:11:26.299608 | 0.03s
>>>>>> 2022-07-13 21:35:27.230985 | 46e05e2d-2e9c-467b-ac4f-c5f0bc7286b3 |
>>>>>> INCLUDED |
>>>>>> /usr/share/ansible/roles/tripleo_keystone_resources/tasks/admin.yml |
>>>>>> undercloud
>>>>>> 2022-07-13 21:35:27.256076 | 525400ae-089b-870a-fab6-0000000072ad |
>>>>>>     TASK | Create default domain
>>>>>> 2022-07-13 21:35:29.343399 | 525400ae-089b-870a-fab6-0000000072ad |
>>>>>>       OK | Create default domain | undercloud
>>>>>> 2022-07-13 21:35:29.345172 | 525400ae-089b-870a-fab6-0000000072ad |
>>>>>>   TIMING | tripleo_keystone_resources : Create default domain | undercloud
>>>>>> | 0:11:28.437360 | 2.09s
>>>>>> 2022-07-13 21:35:29.361643 | 525400ae-089b-870a-fab6-0000000072ae |
>>>>>>     TASK | Create admin and service projects
>>>>>> 2022-07-13 21:35:29.391295 | 525400ae-089b-870a-fab6-0000000072ae |
>>>>>>   TIMING | tripleo_keystone_resources : Create admin and service projects |
>>>>>> undercloud | 0:11:28.483468 | 0.03s
>>>>>> 2022-07-13 21:35:29.402539 | af7a4a76-4998-4679-ac6f-58acc0867554 |
>>>>>> INCLUDED |
>>>>>> /usr/share/ansible/roles/tripleo_keystone_resources/tasks/projects.yml |
>>>>>> undercloud
>>>>>> 2022-07-13 21:35:29.428918 | 525400ae-089b-870a-fab6-000000007304 |
>>>>>>     TASK | Async creation of Keystone project
>>>>>> 2022-07-13 21:35:30.144295 | 525400ae-089b-870a-fab6-000000007304 |
>>>>>>  CHANGED | Async creation of Keystone project | undercloud | item=admin
>>>>>> 2022-07-13 21:35:30.145884 | 525400ae-089b-870a-fab6-000000007304 |
>>>>>>   TIMING | tripleo_keystone_resources : Async creation of Keystone project
>>>>>> | undercloud | 0:11:29.238078 | 0.72s
>>>>>> 2022-07-13 21:35:30.493458 | 525400ae-089b-870a-fab6-000000007304 |
>>>>>>  CHANGED | Async creation of Keystone project | undercloud | item=service
>>>>>> 2022-07-13 21:35:30.494386 | 525400ae-089b-870a-fab6-000000007304 |
>>>>>>   TIMING | tripleo_keystone_resources : Async creation of Keystone project
>>>>>> | undercloud | 0:11:29.586587 | 1.06s
>>>>>> 2022-07-13 21:35:30.495729 | 525400ae-089b-870a-fab6-000000007304 |
>>>>>>   TIMING | tripleo_keystone_resources : Async creation of Keystone project
>>>>>> | undercloud | 0:11:29.587916 | 1.07s
>>>>>> 2022-07-13 21:35:30.511748 | 525400ae-089b-870a-fab6-000000007306 |
>>>>>>     TASK | Check Keystone project status
>>>>>> 2022-07-13 21:35:30.908189 | 525400ae-089b-870a-fab6-000000007306 |
>>>>>>  WAITING | Check Keystone project status | undercloud | 30 retries left
>>>>>> 2022-07-13 21:35:36.166541 | 525400ae-089b-870a-fab6-000000007306 |
>>>>>>       OK | Check Keystone project status | undercloud | item=admin
>>>>>> 2022-07-13 21:35:36.168506 | 525400ae-089b-870a-fab6-000000007306 |
>>>>>>   TIMING | tripleo_keystone_resources : Check Keystone project status |
>>>>>> undercloud | 0:11:35.260666 | 5.66s
>>>>>> 2022-07-13 21:35:36.400914 | 525400ae-089b-870a-fab6-000000007306 |
>>>>>>       OK | Check Keystone project status | undercloud | item=service
>>>>>> 2022-07-13 21:35:36.402534 | 525400ae-089b-870a-fab6-000000007306 |
>>>>>>   TIMING | tripleo_keystone_resources : Check Keystone project status |
>>>>>> undercloud | 0:11:35.494729 | 5.89s
>>>>>> 2022-07-13 21:35:36.406576 | 525400ae-089b-870a-fab6-000000007306 |
>>>>>>   TIMING | tripleo_keystone_resources : Check Keystone project status |
>>>>>> undercloud | 0:11:35.498771 | 5.89s
>>>>>> 2022-07-13 21:35:36.427719 | 525400ae-089b-870a-fab6-0000000072af |
>>>>>>     TASK | Create admin role
>>>>>> 2022-07-13 21:35:38.632266 | 525400ae-089b-870a-fab6-0000000072af |
>>>>>>       OK | Create admin role | undercloud
>>>>>> 2022-07-13 21:35:38.633754 | 525400ae-089b-870a-fab6-0000000072af |
>>>>>>   TIMING | tripleo_keystone_resources : Create admin role | undercloud |
>>>>>> 0:11:37.725949 | 2.20s
>>>>>> 2022-07-13 21:35:38.649721 | 525400ae-089b-870a-fab6-0000000072b0 |
>>>>>>     TASK | Create _member_ role
>>>>>> 2022-07-13 21:35:38.689773 | 525400ae-089b-870a-fab6-0000000072b0 |
>>>>>>  SKIPPED | Create _member_ role | undercloud
>>>>>> 2022-07-13 21:35:38.691172 | 525400ae-089b-870a-fab6-0000000072b0 |
>>>>>>   TIMING | tripleo_keystone_resources : Create _member_ role | undercloud |
>>>>>> 0:11:37.783369 | 0.04s
>>>>>> 2022-07-13 21:35:38.706920 | 525400ae-089b-870a-fab6-0000000072b1 |
>>>>>>     TASK | Create admin user
>>>>>> 2022-07-13 21:35:42.051623 | 525400ae-089b-870a-fab6-0000000072b1 |
>>>>>>  CHANGED | Create admin user | undercloud
>>>>>> 2022-07-13 21:35:42.053285 | 525400ae-089b-870a-fab6-0000000072b1 |
>>>>>>   TIMING | tripleo_keystone_resources : Create admin user | undercloud |
>>>>>> 0:11:41.145472 | 3.34s
>>>>>> 2022-07-13 21:35:42.069370 | 525400ae-089b-870a-fab6-0000000072b2 |
>>>>>>     TASK | Assign admin role to admin project for admin user
>>>>>> 2022-07-13 21:35:45.194891 | 525400ae-089b-870a-fab6-0000000072b2 |
>>>>>>       OK | Assign admin role to admin project for admin user | undercloud
>>>>>> 2022-07-13 21:35:45.196669 | 525400ae-089b-870a-fab6-0000000072b2 |
>>>>>>   TIMING | tripleo_keystone_resources : Assign admin role to admin project
>>>>>> for admin user | undercloud | 0:11:44.288848 | 3.13s
>>>>>> 2022-07-13 21:35:45.212674 | 525400ae-089b-870a-fab6-0000000072b3 |
>>>>>>     TASK | Assign _member_ role to admin project for admin user
>>>>>> 2022-07-13 21:35:45.252884 | 525400ae-089b-870a-fab6-0000000072b3 |
>>>>>>  SKIPPED | Assign _member_ role to admin project for admin user | undercloud
>>>>>> 2022-07-13 21:35:45.254283 | 525400ae-089b-870a-fab6-0000000072b3 |
>>>>>>   TIMING | tripleo_keystone_resources : Assign _member_ role to admin
>>>>>> project for admin user | undercloud | 0:11:44.346479 | 0.04s
>>>>>> 2022-07-13 21:35:45.270310 | 525400ae-089b-870a-fab6-0000000072b4 |
>>>>>>     TASK | Create identity service
>>>>>> 2022-07-13 21:35:46.928715 | 525400ae-089b-870a-fab6-0000000072b4 |
>>>>>>       OK | Create identity service | undercloud
>>>>>> 2022-07-13 21:35:46.930167 | 525400ae-089b-870a-fab6-0000000072b4 |
>>>>>>   TIMING | tripleo_keystone_resources : Create identity service |
>>>>>> undercloud | 0:11:46.022362 | 1.66s
>>>>>> 2022-07-13 21:35:46.946797 | 525400ae-089b-870a-fab6-0000000072b5 |
>>>>>>     TASK | Create identity public endpoint
>>>>>> 2022-07-13 21:35:49.139298 | 525400ae-089b-870a-fab6-0000000072b5 |
>>>>>>       OK | Create identity public endpoint | undercloud
>>>>>> 2022-07-13 21:35:49.141158 | 525400ae-089b-870a-fab6-0000000072b5 |
>>>>>>   TIMING | tripleo_keystone_resources : Create identity public endpoint |
>>>>>> undercloud | 0:11:48.233349 | 2.19s
>>>>>> 2022-07-13 21:35:49.157768 | 525400ae-089b-870a-fab6-0000000072b6 |
>>>>>>     TASK | Create identity internal endpoint
>>>>>> 2022-07-13 21:35:51.566826 | 525400ae-089b-870a-fab6-0000000072b6 |
>>>>>>    FATAL | Create identity internal endpoint | undercloud |
>>>>>> error={"changed": false, "extra_data": {"data": null, "details": "The
>>>>>> request you have made requires authentication.", "response":
>>>>>> "{\"error\":{\"code\":401,\"message\":\"The request you have made requires
>>>>>> authentication.\",\"title\":\"Unauthorized\"}}\n"}, "msg": "Failed to list
>>>>>> services: Client Error for url: https://[fd00:fd00:fd00:9900::81]:13000/v3/services,
>>>>>> The request you have made requires authentication."}
>>>>>> 2022-07-13 21:35:51.568473 | 525400ae-089b-870a-fab6-0000000072b6 |
>>>>>>   TIMING | tripleo_keystone_resources : Create identity internal endpoint |
>>>>>> undercloud | 0:11:50.660654 | 2.41s
>>>>>>
>>>>>> PLAY RECAP
>>>>>> *********************************************************************
>>>>>> localhost                  : ok=1    changed=0    unreachable=0
>>>>>>  failed=0    skipped=2    rescued=0    ignored=0
>>>>>> overcloud-controller-0     : ok=437  changed=103  unreachable=0
>>>>>>  failed=0    skipped=214  rescued=0    ignored=0
>>>>>> overcloud-controller-1     : ok=435  changed=101  unreachable=0
>>>>>>  failed=0    skipped=214  rescued=0    ignored=0
>>>>>> overcloud-controller-2     : ok=432  changed=101  unreachable=0
>>>>>>  failed=0    skipped=214  rescued=0    ignored=0
>>>>>> overcloud-novacompute-0    : ok=345  changed=82   unreachable=0
>>>>>>  failed=0    skipped=198  rescued=0    ignored=0
>>>>>> undercloud                 : ok=39   changed=7    unreachable=0
>>>>>>  failed=1    skipped=6    rescued=0    ignored=0
>>>>>>
>>>>>> Also :
>>>>>> (undercloud) [stack@undercloud oc-cert]$ cat server.csr.cnf
>>>>>> [req]
>>>>>> default_bits = 2048
>>>>>> prompt = no
>>>>>> default_md = sha256
>>>>>> distinguished_name = dn
>>>>>> [dn]
>>>>>> C=IN
>>>>>> ST=UTTAR PRADESH
>>>>>> L=NOIDA
>>>>>> O=HSC
>>>>>> OU=HSC
>>>>>> emailAddress=demo@demo.com
>>>>>>
>>>>>> v3.ext:
>>>>>> (undercloud) [stack@undercloud oc-cert]$ cat v3.ext
>>>>>> authorityKeyIdentifier=keyid,issuer
>>>>>> basicConstraints=CA:FALSE
>>>>>> keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
>>>>>> subjectAltName = @alt_names
>>>>>> [alt_names]
>>>>>> IP.1=fd00:fd00:fd00:9900::81
>>>>>>
>>>>>> Using these files we create other certificates.
>>>>>> Please check and let me know in case we need anything else.
>>>>>>
>>>>>>
>>>>>> On Wed, Jul 13, 2022 at 10:00 PM Vikarna Tathe <
>>>>>> vikarnatathe at gmail.com> wrote:
>>>>>>
>>>>>>> Hi Lokendra,
>>>>>>>
>>>>>>> Are you able to access all the tabs in the OpenStack dashboard
>>>>>>> without any error? If not, please retry generating the certificate. Also,
>>>>>>> share the openssl.cnf or server.cnf.
>>>>>>>
>>>>>>> On Wed, 13 Jul 2022 at 18:18, Lokendra Rathour <
>>>>>>> lokendrarathour at gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi Team,
>>>>>>>> Any input on this case raised?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Lokendra
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Jul 12, 2022 at 10:18 PM Lokendra Rathour <
>>>>>>>> lokendrarathour at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi Shephard/Swogat,
>>>>>>>>> I tried changing the setting as suggested and it looks like it has
>>>>>>>>> failed at step 4 with error:
>>>>>>>>>
>>>>>>>>> :31:32.169420 | 525400ae-089b-fb79-67ac-0000000072ce |     TIMING
>>>>>>>>> | tripleo_keystone_resources : Create identity public endpoint | undercloud
>>>>>>>>> | 0:24:47.736198 | 2.21s
>>>>>>>>> 2022-07-12 21:31:32.185594 | 525400ae-089b-fb79-67ac-0000000072cf
>>>>>>>>> |       TASK | Create identity internal endpoint
>>>>>>>>> 2022-07-12 21:31:34.468996 | 525400ae-089b-fb79-67ac-0000000072cf
>>>>>>>>> |      FATAL | Create identity internal endpoint | undercloud |
>>>>>>>>> error={"changed": false, "extra_data": {"data": null, "details": "The
>>>>>>>>> request you have made requires authentication.", "response":
>>>>>>>>> "{\"error\":{\"code\":401,\"message\":\"The request you have made requires
>>>>>>>>> authentication.\",\"title\":\"Unauthorized\"}}\n"}, "msg": "Failed to list
>>>>>>>>> services: Client Error for url: https://[fd00:fd00:fd00:9900::81]:13000/v3/services,
>>>>>>>>> The request you have made requires authentication."}
>>>>>>>>> 2022-07-12 21:31:34.470415 | 525400ae-089b-fb79-67ac-000000
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Checking further the endpoint list:
>>>>>>>>> I see only one endpoint for keystone is getting created.
>>>>>>>>>
>>>>>>>>>   DeprecationWarning
>>>>>>>>>
>>>>>>>>> +----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
>>>>>>>>> | ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                                     |
>>>>>>>>> +----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
>>>>>>>>> | 4378dc0a4d8847ee87771699fc7b995e | regionOne | keystone     | identity     | True    | admin     | http://30.30.30.173:35357               |
>>>>>>>>> | 67c829e126944431a06ed0c2b97a295f | regionOne | keystone     | identity     | True    | internal  | http://[fd00:fd00:fd00:2000::326]:5000  |
>>>>>>>>> | 8a9a3de4993c4ff7903caf95b8ae40fa | regionOne | keystone     | identity     | True    | public    | https://[fd00:fd00:fd00:9900::81]:13000 |
>>>>>>>>> +----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> It looks like something related to the SSL; we have also verified
>>>>>>>>> that the GUI login screen shows that certificates are applied.
>>>>>>>>> Exploring more in the logs; meanwhile, any suggestions or known
>>>>>>>>> observations would be of great help.
>>>>>>>>> Thanks again for the support.
>>>>>>>>>
>>>>>>>>> Best Regards,
>>>>>>>>> Lokendra
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Sat, Jul 9, 2022 at 11:24 AM Swogat Pradhan <
>>>>>>>>> swogatpradhan22 at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> I had faced a similar kind of issue, for ip based setup you need
>>>>>>>>>> to specify the domain name as the ip that you are going to use, this error
>>>>>>>>>> is showing up because the ssl is ip based but the fqdns seems to be
>>>>>>>>>> undercloud.com or overcloud.example.com.
>>>>>>>>>> I think for undercloud you can change the undercloud.conf.
>>>>>>>>>>
>>>>>>>>>> And will it work if we specify clouddomain parameter to the IP
>>>>>>>>>> address for overcloud? because it seems he has not specified the
>>>>>>>>>> clouddomain parameter and overcloud.example.com is the default
>>>>>>>>>> domain for overcloud.example.com.
>>>>>>>>>>
>>>>>>>>>> On Fri, 8 Jul 2022, 6:01 pm Swogat Pradhan, <
>>>>>>>>>> swogatpradhan22 at gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> What is the domain name you have specified in the
>>>>>>>>>>> undercloud.conf file?
>>>>>>>>>>> And what is the fqdn name used for the generation of the SSL
>>>>>>>>>>> cert?
>>>>>>>>>>>
>>>>>>>>>>> On Fri, 8 Jul 2022, 5:38 pm Lokendra Rathour, <
>>>>>>>>>>> lokendrarathour at gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Team,
>>>>>>>>>>>> We were trying to install overcloud with SSL enabled for which
>>>>>>>>>>>> the UC is installed, but OC install is getting failed at step 4:
>>>>>>>>>>>>
>>>>>>>>>>>> ERROR
>>>>>>>>>>>> :nectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>>>>>>>>>>> retries exceeded with url: / (Caused by
>>>>>>>>>>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>>>>>>>>>>> match 'undercloud.com'\",),))\n", "module_stdout": "", "msg":
>>>>>>>>>>>> "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
>>>>>>>>>>>> 2022-07-08 17:03:23.606739 |
>>>>>>>>>>>> 5254009a-6a3c-adb1-f96f-0000000072ac |      FATAL | Clean up legacy Cinder
>>>>>>>>>>>> keystone catalog entries | undercloud | item={'service_name': 'cinderv3',
>>>>>>>>>>>> 'service_type': 'volume'} | error={"ansible_index_var":
>>>>>>>>>>>> "cinder_api_service", "ansible_loop_var": "item", "changed": false,
>>>>>>>>>>>> "cinder_api_service": 1, "item": {"service_name": "cinderv3",
>>>>>>>>>>>> "service_type": "volume"}, "module_stderr": "Failed to discover available
>>>>>>>>>>>> identity versions when contacting https://[fd00:fd00:fd00:9900::2ef]:13000.
>>>>>>>>>>>> Attempting to parse version from URL.\nTraceback (most recent call last):\n
>>>>>>>>>>>>  File \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line
>>>>>>>>>>>> 600, in urlopen\n    chunked=chunked)\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 343,
>>>>>>>>>>>> in _make_request\n    self._validate_conn(conn)\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 839,
>>>>>>>>>>>> in _validate_conn\n    conn.connect()\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/connection.py\", line 378, in
>>>>>>>>>>>> connect\n    _match_hostname(cert, self.assert_hostname or
>>>>>>>>>>>> server_hostname)\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/connection.py\", line 388, in
>>>>>>>>>>>> _match_hostname\n    match_hostname(cert, asserted_hostname)\n  File
>>>>>>>>>>>> \"/usr/lib64/python3.6/ssl.py\", line 291, in match_hostname\n    %
>>>>>>>>>>>> (hostname, dnsnames[0]))\nssl.CertificateError: hostname
>>>>>>>>>>>> 'fd00:fd00:fd00:9900::2ef' doesn't match 'undercloud.com'\n\nDuring
>>>>>>>>>>>> handling of the above exception, another exception occurred:\n\nTraceback
>>>>>>>>>>>> (most recent call last):\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/requests/adapters.py\", line 449, in
>>>>>>>>>>>> send\n    timeout=timeout\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 638,
>>>>>>>>>>>> in urlopen\n    _stacktrace=sys.exc_info()[2])\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/util/retry.py\", line 399, in
>>>>>>>>>>>> increment\n    raise MaxRetryError(_pool, url, error or
>>>>>>>>>>>> ResponseError(cause))\nurllib3.exceptions.MaxRetryError:
>>>>>>>>>>>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>>>>>>>>>>> retries exceeded with url: / (Caused by
>>>>>>>>>>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>>>>>>>>>>> match 'undercloud.com'\",),))\n\nDuring handling of the above
>>>>>>>>>>>> exception, another exception occurred:\n\nTraceback (most recent call
>>>>>>>>>>>> last):\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1022,
>>>>>>>>>>>> in _send_request\n    resp = self.session.request(method, url, **kwargs)\n
>>>>>>>>>>>>  File \"/usr/lib/python3.6/site-packages/requests/sessions.py\", line 533,
>>>>>>>>>>>> in request\n    resp = self.send(prep, **send_kwargs)\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/requests/sessions.py\", line 646, in
>>>>>>>>>>>> send\n    r = adapter.send(request, **kwargs)\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/requests/adapters.py\", line 514, in
>>>>>>>>>>>> send\n    raise SSLError(e, request=request)\nrequests.exceptions.SSLError:
>>>>>>>>>>>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>>>>>>>>>>> retries exceeded with url: / (Caused by
>>>>>>>>>>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>>>>>>>>>>> match 'undercloud.com'\",),))\n\nDuring handling of the above
>>>>>>>>>>>> exception, another exception occurred:\n\nTraceback (most recent call
>>>>>>>>>>>> last):\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
>>>>>>>>>>>> line 138, in _do_create_plugin\n    authenticated=False)\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>>>>>>>>>>>> 610, in get_discovery\n    authenticated=authenticated)\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 1452,
>>>>>>>>>>>> in get_discovery\n    disc = Discover(session, url,
>>>>>>>>>>>> authenticated=authenticated)\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 536,
>>>>>>>>>>>> in __init__\n    authenticated=authenticated)\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 102,
>>>>>>>>>>>> in get_version_data\n    resp = session.get(url, headers=headers,
>>>>>>>>>>>> authenticated=authenticated)\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1141,
>>>>>>>>>>>> in get\n    return self.request(url, 'GET', **kwargs)\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 931, in
>>>>>>>>>>>> request\n    resp = send(**kwargs)\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1026,
>>>>>>>>>>>> in _send_request\n    raise
>>>>>>>>>>>> exceptions.SSLError(msg)\nkeystoneauth1.exceptions.connection.SSLError: SSL
>>>>>>>>>>>> exception connecting to https://[fd00:fd00:fd00:9900::2ef]:13000:
>>>>>>>>>>>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>>>>>>>>>>> retries exceeded with url: / (Caused by
>>>>>>>>>>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>>>>>>>>>>> match 'undercloud.com'\",),))\n\nDuring handling of the above
>>>>>>>>>>>> exception, another exception occurred:\n\nTraceback (most recent call
>>>>>>>>>>>> last):\n  File \"<stdin>\", line 102, in <module>\n  File \"<stdin>\", line
>>>>>>>>>>>> 94, in _ansiballz_main\n  File \"<stdin>\", line 40, in invoke_module\n
>>>>>>>>>>>>  File \"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\n
>>>>>>>>>>>>  return _run_module_code(code, init_globals, run_name, mod_spec)\n  File
>>>>>>>>>>>> \"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\n
>>>>>>>>>>>>  mod_name, mod_spec, pkg_name, script_name)\n  File
>>>>>>>>>>>> \"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\n    exec(code,
>>>>>>>>>>>> run_globals)\n  File
>>>>>>>>>>>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
>>>>>>>>>>>> line 185, in <module>\n  File
>>>>>>>>>>>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
>>>>>>>>>>>> line 181, in main\n  File
>>>>>>>>>>>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/module_utils/openstack.py\",
>>>>>>>>>>>> line 407, in __call__\n  File
>>>>>>>>>>>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
>>>>>>>>>>>> line 141, in run\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\", line
>>>>>>>>>>>> 517, in search_services\n    services = self.list_services()\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\", line
>>>>>>>>>>>> 492, in list_services\n    if self._is_client_version('identity', 2):\n
>>>>>>>>>>>>  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/openstack/cloud/openstackcloud.py\",
>>>>>>>>>>>> line 460, in _is_client_version\n    client = getattr(self, client_name)\n
>>>>>>>>>>>>  File \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\",
>>>>>>>>>>>> line 32, in _identity_client\n    'identity', min_version=2,
>>>>>>>>>>>> max_version='3.latest')\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/openstack/cloud/openstackcloud.py\",
>>>>>>>>>>>> line 407, in _get_versioned_client\n    if adapter.get_endpoint():\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/adapter.py\", line 291, in
>>>>>>>>>>>> get_endpoint\n    return self.session.get_endpoint(auth or self.auth,
>>>>>>>>>>>> **kwargs)\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1243,
>>>>>>>>>>>> in get_endpoint\n    return auth.get_endpoint(self, **kwargs)\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>>>>>>>>>>>> 380, in get_endpoint\n    allow_version_hack=allow_version_hack,
>>>>>>>>>>>> **kwargs)\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>>>>>>>>>>>> 271, in get_endpoint_data\n    service_catalog =
>>>>>>>>>>>> self.get_access(session).service_catalog\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>>>>>>>>>>>> 134, in get_access\n    self.auth_ref = self.get_auth_ref(session)\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
>>>>>>>>>>>> line 206, in get_auth_ref\n    self._plugin =
>>>>>>>>>>>> self._do_create_plugin(session)\n  File
>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
>>>>>>>>>>>> line 161, in _do_create_plugin\n    'auth_url is correct. %s'
>>>>>>>>>>>> % e)\nkeystoneauth1.exceptions.discovery.DiscoveryFailure: Could not find
>>>>>>>>>>>> versioned identity endpoints when attempting to authenticate. Please check
>>>>>>>>>>>> that your auth_url is correct. SSL exception connecting to https://[fd00:fd00:fd00:9900::2ef]:13000:
>>>>>>>>>>>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>>>>>>>>>>> retries exceeded with url: / (Caused by
>>>>>>>>>>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>>>>>>>>>>> match 'overcloud.example.com'\",),))\n", "module_stdout": "",
>>>>>>>>>>>> "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
>>>>>>>>>>>> 2022-07-08 17:03:23.609354 |
>>>>>>>>>>>> 5254009a-6a3c-adb1-f96f-0000000072ac |     TIMING | Clean up legacy Cinder
>>>>>>>>>>>> keystone catalog entries | undercloud | 0:11:01.271914 | 2.47s
>>>>>>>>>>>> 2022-07-08 17:03:23.611094 |
>>>>>>>>>>>> 5254009a-6a3c-adb1-f96f-0000000072ac |     TIMING | Clean up legacy Cinder
>>>>>>>>>>>> keystone catalog entries | undercloud | 0:11:01.273659 | 2.47s
>>>>>>>>>>>>
>>>>>>>>>>>> PLAY RECAP *********************************************************************
>>>>>>>>>>>> localhost                  : ok=0    changed=0    unreachable=0    failed=0    skipped=2    rescued=0    ignored=0
>>>>>>>>>>>> overcloud-controller-0     : ok=437  changed=104  unreachable=0    failed=0    skipped=214  rescued=0    ignored=0
>>>>>>>>>>>> overcloud-controller-1     : ok=436  changed=101  unreachable=0    failed=0    skipped=214  rescued=0    ignored=0
>>>>>>>>>>>> overcloud-controller-2     : ok=431  changed=101  unreachable=0    failed=0    skipped=214  rescued=0    ignored=0
>>>>>>>>>>>> overcloud-novacompute-0    : ok=345  changed=83   unreachable=0    failed=0    skipped=198  rescued=0    ignored=0
>>>>>>>>>>>> undercloud                 : ok=28   changed=7    unreachable=0    failed=1    skipped=3    rescued=0    ignored=0
>>>>>>>>>>>> 2022-07-08 17:03:23.647270 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Summary Information ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>>>>>>>>> 2022-07-08 17:03:23.647907 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Total Tasks: 1373       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> in the deploy.sh:
>>>>>>>>>>>>
>>>>>>>>>>>> openstack overcloud deploy --templates \
>>>>>>>>>>>>     -r /home/stack/templates/roles_data.yaml \
>>>>>>>>>>>>     --networks-file /home/stack/templates/custom_network_data.yaml \
>>>>>>>>>>>>     --vip-file /home/stack/templates/custom_vip_data.yaml \
>>>>>>>>>>>>     --baremetal-deployment /home/stack/templates/overcloud-baremetal-deploy.yaml \
>>>>>>>>>>>>     --network-config \
>>>>>>>>>>>>     -e /home/stack/templates/environment.yaml \
>>>>>>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/services/ironic-conductor.yaml \
>>>>>>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/services/ironic-inspector.yaml \
>>>>>>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/services/ironic-overcloud.yaml \
>>>>>>>>>>>>     -e /home/stack/templates/ironic-config.yaml \
>>>>>>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/external-ceph.yaml \
>>>>>>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/services/ptp.yaml \
>>>>>>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-tls.yaml \
>>>>>>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-ip.yaml \
>>>>>>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/inject-trust-anchor.yaml \
>>>>>>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/docker-ha.yaml \
>>>>>>>>>>>>     -e /usr/share/openstack-tripleo-heat-templates/environments/podman.yaml \
>>>>>>>>>>>>     -e /home/stack/containers-prepare-parameter.yaml
>>>>>>>>>>>>
>>>>>>>>>>>> Additional lines, as highlighted in yellow, were passed with
>>>>>>>>>>>> modifications:
>>>>>>>>>>>> tls-endpoints-public-ip.yaml:
>>>>>>>>>>>> Passed as is in the defaults.
>>>>>>>>>>>> enable-tls.yaml:
>>>>>>>>>>>>
>>>>>>>>>>>> # *******************************************************************
>>>>>>>>>>>> # This file was created automatically by the sample environment
>>>>>>>>>>>> # generator. Developers should use `tox -e genconfig` to update it.
>>>>>>>>>>>> # Users are recommended to make changes to a copy of the file instead
>>>>>>>>>>>> # of the original, if any customizations are needed.
>>>>>>>>>>>> # *******************************************************************
>>>>>>>>>>>> # title: Enable SSL on OpenStack Public Endpoints
>>>>>>>>>>>> # description: |
>>>>>>>>>>>> #   Use this environment to pass in certificates for SSL deployments.
>>>>>>>>>>>> #   For these values to take effect, one of the tls-endpoints-*.yaml
>>>>>>>>>>>> #   environments must also be used.
>>>>>>>>>>>> parameter_defaults:
>>>>>>>>>>>>   # Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
>>>>>>>>>>>>   # Type: boolean
>>>>>>>>>>>>   HorizonSecureCookies: True
>>>>>>>>>>>>
>>>>>>>>>>>>   # Specifies the default CA cert to use if TLS is used for services in the public network.
>>>>>>>>>>>>   # Type: string
>>>>>>>>>>>>   PublicTLSCAFile: '/etc/pki/ca-trust/source/anchors/overcloud-cacert.pem'
>>>>>>>>>>>>
>>>>>>>>>>>>   # The content of the SSL certificate (without Key) in PEM format.
>>>>>>>>>>>>   # Type: string
>>>>>>>>>>>>   SSLRootCertificate: |
>>>>>>>>>>>>     -----BEGIN CERTIFICATE-----
>>>>>>>>>>>>     ----*** CERTICATELINES TRIMMED **
>>>>>>>>>>>>     -----END CERTIFICATE-----
>>>>>>>>>>>>
>>>>>>>>>>>>   SSLCertificate: |
>>>>>>>>>>>>     -----BEGIN CERTIFICATE-----
>>>>>>>>>>>>     ----*** CERTICATELINES TRIMMED **
>>>>>>>>>>>>     -----END CERTIFICATE-----
>>>>>>>>>>>>   # The content of an SSL intermediate CA certificate in PEM format.
>>>>>>>>>>>>   # Type: string
>>>>>>>>>>>>   SSLIntermediateCertificate: ''
>>>>>>>>>>>>
>>>>>>>>>>>>   # The content of the SSL Key in PEM format.
>>>>>>>>>>>>   # Type: string
>>>>>>>>>>>>   SSLKey: |
>>>>>>>>>>>>     -----BEGIN PRIVATE KEY-----
>>>>>>>>>>>>     ----*** CERTICATELINES TRIMMED **
>>>>>>>>>>>>     -----END PRIVATE KEY-----
>>>>>>>>>>>>
>>>>>>>>>>>>   # ******************************************************
>>>>>>>>>>>>   # Static parameters - these are values that must be
>>>>>>>>>>>>   # included in the environment but should not be changed.
>>>>>>>>>>>>   # ******************************************************
>>>>>>>>>>>>   # The filepath of the certificate as it will be stored in the controller.
>>>>>>>>>>>>   # Type: string
>>>>>>>>>>>>   DeployedSSLCertificatePath: /etc/pki/tls/private/overcloud_endpoint.pem
>>>>>>>>>>>>
>>>>>>>>>>>>   # *********************
>>>>>>>>>>>>   # End static parameters
>>>>>>>>>>>>   # *********************
>>>>>>>>>>>>
>>>>>>>>>>>> inject-trust-anchor.yaml
>>>>>>>>>>>>
>>>>>>>>>>>> # *******************************************************************
>>>>>>>>>>>> # This file was created automatically by the sample environment
>>>>>>>>>>>> # generator. Developers should use `tox -e genconfig` to update it.
>>>>>>>>>>>> # Users are recommended to make changes to a copy of the file instead
>>>>>>>>>>>> # of the original, if any customizations are needed.
>>>>>>>>>>>> # *******************************************************************
>>>>>>>>>>>> # title: Inject SSL Trust Anchor on Overcloud Nodes
>>>>>>>>>>>> # description: |
>>>>>>>>>>>> #   When using an SSL certificate signed by a CA that is not in the default
>>>>>>>>>>>> #   list of CAs, this environment allows adding a custom CA certificate to
>>>>>>>>>>>> #   the overcloud nodes.
>>>>>>>>>>>> parameter_defaults:
>>>>>>>>>>>>   # The content of a CA's SSL certificate file in PEM format. This is evaluated on the client side.
>>>>>>>>>>>>   # Mandatory. This parameter must be set by the user.
>>>>>>>>>>>>   # Type: string
>>>>>>>>>>>>   SSLRootCertificate: |
>>>>>>>>>>>>     -----BEGIN CERTIFICATE-----
>>>>>>>>>>>>     ----*** CERTICATELINES TRIMMED **
>>>>>>>>>>>>     -----END CERTIFICATE-----
>>>>>>>>>>>>
>>>>>>>>>>>> resource_registry:
>>>>>>>>>>>>   OS::TripleO::NodeTLSCAData: ../../puppet/extraconfig/tls/ca-inject.yaml
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> The procedure to create such files was followed using:
>>>>>>>>>>>> Deploying with SSL — TripleO 3.0.0 documentation (openstack.org)
>>>>>>>>>>>> <https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/ssl.html>
>>>>>>>>>>>>
>>>>>>>>>>>> The idea is to deploy the overcloud with SSL enabled, i.e. *Self-signed
>>>>>>>>>>>> IP-based certificate, without DNS.*
>>>>>>>>>>>>
>>>>>>>>>>>> Any idea around this error would be of great help.
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> skype: lokendrarathour
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>

-- 
~ Lokendra
skype: lokendrarathour
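
The traceback quoted above fails because the client connects to Keystone by IPv6 literal while the certificate it receives names only `undercloud.com`. As an added example (not part of the original thread and not TripleO code), this sketch checks an endpoint URL against certificate names given in the `ssl.SSLSocket.getpeercert()` dict layout; the two certificate dicts are constructed samples, and the commonName fallback is an assumption modelled on legacy client behaviour.

```python
import ipaddress
from urllib.parse import urlsplit

# Endpoint URL taken from the error output quoted in the message above.
KEYSTONE_URL = "https://[fd00:fd00:fd00:9900::2ef]:13000"

# Constructed certificates in getpeercert() layout (not the poster's real certs).
CERT_NAME_ONLY = {
    "subject": ((("commonName", "undercloud.com"),),),
    "subjectAltName": (("DNS", "undercloud.com"),),
}
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "undercloud.com"),),),
    "subjectAltName": (
        ("DNS", "undercloud.com"),
        ("IP Address", "FD00:FD00:FD00:9900:0:0:0:2EF"),
    ),
}


def _as_ip(text):
    """Return an ip_address object, or None when text is not an IP literal."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Case-insensitive compare; '*' is accepted only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def check_endpoint(url, cert):
    """Return (ok, reason): is cert valid for the host named in url?"""
    host = urlsplit(url).hostname  # drops the [] around an IPv6 literal
    if not host:
        return False, "no host in URL"
    san = cert.get("subjectAltName", ())
    dns_sans = [v for k, v in san if k == "DNS"]
    ip_sans = [v for k, v in san if k == "IP Address"]
    host_ip = _as_ip(host)
    if host_ip is not None:
        # IP literals are compared with iPAddress SAN entries only, as parsed
        # addresses, so '::' compression and hex case do not matter.
        if any(_as_ip(v) == host_ip for v in ip_sans):
            return True, "%s is an iPAddress SAN" % host_ip
        return False, "%s not in iPAddress SANs %r (DNS names: %r)" % (
            host_ip, ip_sans, dns_sans)
    names = dns_sans
    if not san:
        # Assumed legacy fallback: commonName is used only when no SAN exists.
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    if any(_dns_match(n, host) for n in names):
        return True, "%s matches a certificate DNS name" % host
    return False, "%s not in certificate names %r" % (host, names)


if __name__ == "__main__":
    for label, cert in (("name only", CERT_NAME_ONLY), ("with IP SAN", CERT_WITH_IP_SAN)):
        print(label, check_endpoint(KEYSTONE_URL, cert))
```

For an IP-based deployment without DNS, the check passes only when the VIP address appears as an iPAddress entry in the certificate's subjectAltName; a matching DNS name or commonName does not satisfy it.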