[Triple0 - Wallaby] Overcloud deployment getting failed with SSL
Lokendra Rathour
lokendrarathour at gmail.com
Thu Jul 28 04:32:07 UTC 2022
Hi Brendan,
Thanks for the advice.
The bug is reported:
https://bugs.launchpad.net/tripleo/+bug/1982996
On Thu, Jul 28, 2022 at 5:34 AM Brendan Shephard <bshephar at redhat.com>
wrote:
> Hey,
>
> It’s probably best that you raise a bug here at this stage:
> https://bugs.launchpad.net/tripleo
>
> Can you attach all of the templates you’re using to that bug, the
> overcloud deploy command script that you’re running and also the log files
> that you have shared here?
>
> I wasn’t able to reproduce your issue, but if you raise a bug we can
> direct it to the right team who can help out with your keystone errors.
>
> Brendan Shephard
> Senior Software Engineer
> Brisbane, Australia
>
>
>
> On 28 Jul 2022, at 2:55 am, Lokendra Rathour <lokendrarathour at gmail.com>
> wrote:
>
> Hi Team,
> I tried again with DNS enabled, but the error remains the same.
>
> tone_resources : Create identity public endpoint | undercloud |
> 0:24:59.456181 | 2.31s
> 2022-07-27 15:20:48.735838 | 5254006e-bbd1-cd20-647c-00000000736c |
> TASK | Create identity internal endpoint
> 2022-07-27 15:20:51.227000 | 5254006e-bbd1-cd20-647c-00000000736c |
> FATAL | Create identity internal endpoint | undercloud | error={"changed":
> false, "extra_data": {"data": null, "details": "The request you have made
> requires authentication.", "response":
> "{\"error\":{\"code\":401,\"message\":\"The request you have made requires
> authentication.\",\"title\":\"Unauthorized\"}}\n"}, "msg": "Failed to
> list services: Client Error for url:
> https://overcloud-public.myhsc.com:13000/v3/services, The request you have made requires
> authentication."}
>
> Checking further in the keystone logs in container:
>
>
> 2022-07-27 19:35:37.447 33 WARNING keystone.server.flask.application
> [req-bb4621d8-73ad-4bad-831f-5c2370e92e71 - - - - -] Authorization failed.
> The request you have made requires authentication. from
> fd00:fd00:fd00:9900::29: keystone.exception.Unauthorized: The request you
> have made requires authentication.
> 2022-07-27 19:35:37.998 26 WARNING py.warnings
> [req-54d44e3a-5e34-4e40-b2dc-e8213353ea05 ab5e9670632544f8a8c7e1b3ac175bcd
> e4185872cadb442aa9a59980b3227941 - default default]
> /usr/lib/python3.6/site-packages/oslo_policy/policy.py:1065: UserWarning:
> Policy identity:list_projects failed scope check. The token used to make
> the request was project scoped but the policy requires ['system', 'domain']
> scope. This behavior may change in the future where using the intended
> scope is required
>
> I am kind of blocked now, any lead would let me understand the problem
> more and maybe it can solve the issue.
>
> Best Regards,
> Lokendra
>
> On Mon, Jul 25, 2022 at 3:12 PM Lokendra Rathour <
> lokendrarathour at gmail.com> wrote:
>
>> Hi Brendan,
>> Apologies for this delay, I had to redo the setup to reach this point,
>> and also this time, just to eliminate my doubt, I removed SSL for overcloud.
>> Now I am only using DNS Server. In this case also I am getting the same
>> error.
>>
>> | 0:13:20.198877 | 1.86s
>> 2022-07-25 14:37:29.657118 | 525400a7-0932-2ed1-d313-000000007193 |
>> TASK | Create identity internal endpoint
>> 2022-07-25 14:37:31.995131 | 525400a7-0932-2ed1-d313-000000007193 |
>> FATAL | Create identity internal endpoint | undercloud | error={"changed":
>> false, "extra_data": {"data": null, "details": "The request you have made
>> requires authentication.", "response":
>> "{\"error\":{\"code\":401,\"message\":\"The request you have made requires
>> authentication.\",\"title\":\"Unauthorized\"}}\n"}, "msg": "Failed to list
>> services: Client Error for url:
>> http://[fd00:fd00:fd00:9900::a0]:5000/v3/services, The request you have
>> made requires authentication."}
>>
>>
>> To answer your question please note:
>>
>> "OS_CLOUD=overcloud openstack endpoint list"
>>
>> [root at GGNLABPM4 ~]# ssh stack at 10.0.1.29
>> stack at 10.0.1.29's password:
>> Activate the web console with: systemctl enable --now cockpit.socket
>>
>> Last login: Mon Jul 25 14:38:44 2022 from 10.0.1.4
>> [stack at undercloud ~]$ OS_CLOUD=overcloud openstack endpoint list
>>
>> +----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------------+
>> | ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                                   |
>> +----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------------+
>> | 1ecd328b5ea1426bb411d157b8339dd2 | regionOne | keystone     | identity     | True    | public    | http://[fd00:fd00:fd00:9900::a0]:5000 |
>> | 518cfa0f2ece43b684710006c9fa5b25 | regionOne | keystone     | identity     | True    | admin     | http://30.30.30.181:35357             |
>> | 8cda413052c24718b073578bb497f483 | regionOne | keystone     | identity     | True    | internal  | http://[fd00:fd00:fd00:2000::a0]:5000 |
>> +----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------------+
>> [stack at undercloud ~]$
>>
>>
>> It is giving us only keystone endpoints.
>>
>> Also note that I am trying to deploy the end-to-end setup with FQDN only,
>> and in this case as well I am facing the same issue as before.
>>
>> Thanks once again for your inputs.
>>
>> -Lokendra
>>
>>
>>
>> On Wed, Jul 20, 2022 at 3:07 PM Brendan Shephard <bshephar at redhat.com>
>> wrote:
>>
>>> Hey,
>>>
>>> I think it's weird that you got a response at all when you run the
>>> openstack endpoint list, since you said haproxy isn't running. So there
>>> should be nothing serving that endpoint.
>>>
>>> I noticed you have the stackrc file sourced. Try it again without that
>>> file sourced, so:
>>> $ su - stack
>>> $ OS_CLOUD=overcloud openstack endpoint list
>>>
>>> I would suspect that nothing should be responding. It could be the
>>> stackrc file causing issues with some of the environment variables. If the
>>> above command doesn't return anything, then my suggestion would be to
>>> re-run the deployment like this:
>>>
>>> $ su - stack
>>> $ export OS_CLOUD=undercloud
>>> # Then run your deployment script again
>>> $ bash overcloud_deploy.sh
>>>
>>> The OS_CLOUD variable tells the openstackclient to look up the details
>>> about that cloud from your clouds.yaml file, which will be located in
>>> /home/stack/.config/openstack/clouds.yaml.
>>>
>>> This method is preferable to the sourcing of RC files.
>>>
>>> Reference:
>>>
>>> https://docs.openstack.org/openstacksdk/latest/user/guides/connect_from_config.html
>>>
>>> Regarding the HAProxy warnings. I don't think they should be fatal.
>>> afaik, HAProxy should still be starting. If it's not, there might be
>>> another error that you will need to look for in the log files under
>>> /var/log/containers/haproxy/
>>>
>>> I wasn't able to reproduce that warning by following the documentation
>>> for enabling TLS though. So it seems like an odd error to be getting.
>>>
>>> Brendan Shephard
>>> Software Engineer
>>>
>>> Red Hat APAC <https://www.redhat.com/>
>>> 193 N Quay
>>> Brisbane City QLD 4000
>>> @RedHat <https://twitter.com/redhat> Red Hat
>>> <https://www.linkedin.com/company/red-hat> Red Hat
>>> <https://www.facebook.com/RedHatInc>
>>> <https://red.ht/sig>
>>> <https://redhat.com/summit>
>>>
>>>
>>> On Wed, Jul 20, 2022 at 7:02 PM Lokendra Rathour <
>>> lokendrarathour at gmail.com> wrote:
>>>
>>>> Hi Brendan / Team,
>>>> Any lead for the issue raised?
>>>>
>>>> -Lokendra
>>>>
>>>>
>>>>
>>>> On Tue, Jul 19, 2022 at 11:46 AM Lokendra Rathour <
>>>> lokendrarathour at gmail.com> wrote:
>>>>
>>>>> Hi Brendan,
>>>>> Thanks for the inputs.
>>>>> When I run the command as you suggested I get this:
>>>>>
>>>>> (undercloud) [stack at undercloud ~]$ OS_CLOUD=overcloud openstack endpoint list
>>>>> +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------------------+
>>>>> | ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                                    |
>>>>> +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------------------+
>>>>> | 1bfe43c9cf174bd8a01a3a681538766a | regionOne | keystone     | identity     | True    | internal  | http://[fd00:fd00:fd00:2000::326]:5000 |
>>>>> | 707e92fc11df4a74bceb5e48f2561357 | regionOne | keystone     | identity     | True    | admin     | http://30.30.30.173:35357              |
>>>>> | fab4e66170c8402f899c5f43fd4c39fe | regionOne | keystone     | identity     | True    | public    | https://overcloud-hsc.com:13000        |
>>>>> +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------------------+
>>>>> (undercloud) [stack at undercloud ~]$
>>>>>
>>>>>
>>>>> On another note, what I noticed was as below:
>>>>>
>>>>> - HAproxy container is not running.
>>>>> - [root at overcloud-controller-2 stdouts]# podman ps -a | grep
>>>>> haproxy
>>>>> e91dbde042db
>>>>> undercloud.ctlplane.localdomain:8787/tripleowallaby/openstack-haproxy:current-tripleo
>>>>> 24 hours ago Exited (1) Less than a
>>>>> second ago container-puppet-haproxy\
>>>>> - Checking logs:
>>>>> - 2022-07-19T08:47:00.496212294+05:30 stderr F + ARGS=
>>>>> 2022-07-19T08:47:00.496300242+05:30 stderr F + [[ ! -n '' ]]
>>>>> 2022-07-19T08:47:00.496323705+05:30 stderr F + .
>>>>> kolla_extend_start
>>>>> 2022-07-19T08:47:00.496578173+05:30 stderr F + echo 'Running
>>>>> command: '\''bash -c $* -- eval if [ -f /usr/sbin/haproxy-systemd-wrapper
>>>>> ]; then exec /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg;
>>>>> else exec /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -Ws; fi'\'''
>>>>> 2022-07-19T08:47:00.496605469+05:30 stdout F Running command:
>>>>> 'bash -c $* -- eval if [ -f /usr/sbin/haproxy-systemd-wrapper ]; then exec
>>>>> /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg; else exec
>>>>> /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -Ws; fi'
>>>>> 2022-07-19T08:47:00.496895618+05:30 stderr F + exec bash -c
>>>>> '$*' -- eval if '[' -f /usr/sbin/haproxy-systemd-wrapper '];' then exec
>>>>> /usr/sbin/haproxy-systemd-wrapper -f '/etc/haproxy/haproxy.cfg;' else exec
>>>>> /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg '-Ws;' fi
>>>>> 2022-07-19T08:47:00.513182490+05:30 stderr F [WARNING]
>>>>> 199/084700 (7) : parsing [/etc/haproxy/haproxy.cfg:28] : 'bind
>>>>> fd00:fd00:fd00:9900::81:13776' :
>>>>> 2022-07-19T08:47:00.513182490+05:30 stderr F unable to load
>>>>> default 1024 bits DH parameter for certificate
>>>>> '/etc/pki/tls/private/overcloud_endpoint.pem'.
>>>>> 2022-07-19T08:47:00.513182490+05:30 stderr F , SSL library
>>>>> will use an automatically generated DH parameter.
>>>>> 2022-07-19T08:47:00.513967576+05:30 stderr F
>>>>> [WARNING] 199/084700 (7) : parsing [/etc/haproxy/haproxy.cfg:45] : 'bind
>>>>> fd00:fd00:fd00:9900::81:13292' :
>>>>> 2022-07-19T08:47:00.513967576+05:30 stderr F unable to load
>>>>> default 1024 bits DH parameter for certificate
>>>>> '/etc/pki/tls/private/overcloud_endpoint.pem'.
>>>>> 2022-07-19T08:47:00.513967576+05:30 stderr F , SSL library
>>>>> will use an automatically generated DH parameter.
>>>>> 2022-07-19T08:47:00.514736662+05:30 stderr F [WARNING]
>>>>> 199/084700 (7) : parsing [/etc/haproxy/haproxy.cfg:69] : 'bind
>>>>> fd00:fd00:fd00:9900::81:13004' :
>>>>> 2022-07-19T08:47:00.514736662+05:30 stderr F unable to load
>>>>> default 1024 bits DH parameter for certificate
>>>>> '/etc/pki/tls/private/overcloud_endpoint.pem'.
>>>>> 2022-07-19T08:47:00.514736662+05:30 stderr F , SSL library
>>>>> will use an automatically generated DH parameter.
>>>>> 2022-07-19T08:47:00.515461787+05:30 stderr F [WARNING]
>>>>> 199/084700 (7) : parsing [/etc/haproxy/haproxy.cfg:89] : 'bind
>>>>> fd00:fd00:fd00:9900::81:13005' :
>>>>> 2022-07-19T08:47:00.515461787+05:30 stderr F unable to load
>>>>> default 1024 bits DH parameter for certificate
>>>>> '/etc/pki/tls/private/overcloud_endpoint.pem'.
>>>>> 2022-07-19T08:47:00.515461787+05:30 stderr F , SSL library
>>>>> will use an automatically generated DH parameter.
>>>>> 2022-07-19T08:47:00.516167406+05:30 stderr F [WARNING]
>>>>> 199/084700 (7) : parsing [/etc/haproxy/haproxy.cfg:108] : 'bind
>>>>> fd00:fd00:fd00:2000::326:443' :
>>>>> - 2022-07-19T08:47:00.517937930+05:30 stderr F , SSL library
>>>>> will use an automatically generated DH parameter.
>>>>> 2022-07-19T08:47:00.518534123+05:30 stderr F [WARNING]
>>>>> 199/084700 (7) : parsing [/etc/haproxy/haproxy.cfg:172] : 'bind
>>>>> fd00:fd00:fd00:9900::81:13000' :
>>>>> 2022-07-19T08:47:00.518534123+05:30 stderr F unable to load
>>>>> default 1024 bits DH parameter for certificate
>>>>> '/etc/pki/tls/private/overcloud_endpoint.pem'.
>>>>> 2022-07-19T08:47:00.518534123+05:30 stderr F , SSL library
>>>>> will use an automatically generated DH parameter.
>>>>> 2022-07-19T08:47:00.519127743+05:30 stderr F [WARNING]
>>>>> 199/084700 (7) : parsing [/etc/haproxy/haproxy.cfg:201] : 'bind
>>>>> fd00:fd00:fd00:9900::81:13696' :
>>>>> 2022-07-19T08:47:00.519127743+05:30 stderr F unable to load
>>>>> default 1024 bits DH parameter for certificate
>>>>> '/etc/pki/tls/private/overcloud_endpoint.pem'.
>>>>> 2022-07-19T08:47:00.519127743+05:30 stderr F , SSL library
>>>>> will use an automatically generated DH parameter.
>>>>> 2022-07-19T08:47:00.519734281+05:30 stderr F [WARNING]
>>>>> 199/084700 (7) : parsing [/etc/haproxy/haproxy.cfg:233] : 'bind
>>>>> fd00:fd00:fd00:9900::81:13080' :
>>>>> 2022-07-19T08:47:00.519734281+05:30 stderr F unable to load
>>>>> default 1024 bits DH parameter for certificate
>>>>> '/etc/pki/tls/private/overcloud_endpoint.pem'.
>>>>> 2022-07-19T08:47:00.519734281+05:30 stderr F , SSL library
>>>>> will use an automatically generated DH parameter.
>>>>> 2022-07-19T08:47:00.520285158+05:30 stderr F [WARNING]
>>>>> 199/084700 (7) : parsing [/etc/haproxy/haproxy.cfg:250] : 'bind
>>>>> fd00:fd00:fd00:9900::81:13774' :
>>>>> 2022-07-19T08:47:00.520285158+05:30 stderr F unable to load
>>>>> default 1024 bits DH parameter for certificate
>>>>> '/etc/pki/tls/private/overcloud_endpoint.pem'.
>>>>> 2022-07-19T08:47:00.520285158+05:30 stderr F , SSL library
>>>>> will use an automatically generated DH parameter.
>>>>> 2022-07-19T08:47:00.520830405+05:30 stderr F [WARNING]
>>>>> 199/084700 (7) : parsing [/etc/haproxy/haproxy.cfg:266] : 'bind
>>>>> fd00:fd00:fd00:9900::81:13778' :
>>>>> 2022-07-19T08:47:00.520830405+05:30 stderr F unable to load
>>>>> default 1024 bits DH parameter for certificate
>>>>> '/etc/pki/tls/private/overcloud_endpoint.pem'.
>>>>> 2022-07-19T08:47:00.520830405+05:30 stderr F , SSL library
>>>>> will use an automatically generated DH parameter.
>>>>> 2022-07-19T08:47:00.521517271+05:30 stderr F [WARNING]
>>>>> 199/084700 (7) : parsing [/etc/haproxy/haproxy.cfg:281] : 'bind
>>>>> fd00:fd00:fd00:9900::81:13808' :
>>>>> 2022-07-19T08:47:00.521517271+05:30 stderr F unable to load
>>>>> default 1024 bits DH parameter for certificate
>>>>> '/etc/pki/tls/private/overcloud_endpoint.pem'.
>>>>> 2022-07-19T08:47:00.521517271+05:30 stderr F , SSL library
>>>>> will use an automatically generated DH parameter.
>>>>> 2022-07-19T08:47:00.524065508+05:30 stderr F [WARNING]
>>>>> 199/084700 (7) : Setting tune.ssl.default-dh-param to 1024 by default, if
>>>>> your workload permits it you should set it to at least 2048. Please set a
>>>>> value >= 1024 to make this warning disappear.
>>>>> - pcs status also shows that proxy is down for the controller
>>>>> with VIP:
>>>>> - Failed Resource Actions:
>>>>> * haproxy-bundle-podman-2_start_0 on overcloud-controller-2
>>>>> 'error' (1): call=139, status='complete', exitreason='podman failed to
>>>>> launch container (rc: 1)', last-rc-change='Mon Jul 18 15:14:34 2022',
>>>>> queued=0ms, exec=1222ms
>>>>> * haproxy-bundle-podman-1_start_0 on overcloud-controller-1
>>>>> 'error' (1): call=191, status='complete', exitreason='podman failed to
>>>>> launch container (rc: 1)', last-rc-change='Mon Jul 18 23:54:17 2022',
>>>>> queued=0ms, exec=1171ms
>>>>> * haproxy-bundle-podman-2_start_0 on overcloud-controller-1
>>>>> 'error' (1): call=193, status='complete', exitreason='podman failed to
>>>>> launch container (rc: 1)', last-rc-change='Mon Jul 18 23:54:20 2022',
>>>>> queued=0ms, exec=1256ms
>>>>>
>>>>> Do let me know in case we need anything more around it.
>>>>> Thanks once again for the support.
>>>>> -Lokendra
>>>>>
>>>>> On Tue, Jul 19, 2022 at 11:07 AM Brendan Shephard <bshephar at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Hey,
>>>>>>
>>>>>> Doesn't look like there is anything wrong with the certificate there.
>>>>>> You would be getting a TLS error if that was the problem.
>>>>>>
>>>>>> What does your clouds.yaml file look like now? What happens if you
>>>>>> run this command from the Undercloud node:
>>>>>> $ OS_CLOUD=overcloud openstack endpoint list
>>>>>>
>>>>>> Do you get the same error?
>>>>>>
>>>>>> Brendan Shephard
>>>>>> Software Engineer
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Jul 19, 2022 at 1:28 PM Lokendra Rathour <
>>>>>> lokendrarathour at gmail.com> wrote:
>>>>>>
>>>>>>> Hi Swogat and Vikarna,
>>>>>>> We have tried adding the DNS entry for the overcloud domain. We are
>>>>>>> getting the same error:
>>>>>>>
>>>>>>> 022-07-19 00:09:41.491498 | 525400ae-089b-c832-8e34-00000000704f |
>>>>>>> TIMING | tripleo_keystone_resources : Create identity public endpoint |
>>>>>>> undercloud | 0:11:18.785769 | 2.16s
>>>>>>> 2022-07-19 00:09:41.507319 | 525400ae-089b-c832-8e34-000000007050 |
>>>>>>> TASK | Create identity internal endpoint
>>>>>>> 2022-07-19 00:09:43.778910 | 525400ae-089b-c832-8e34-000000007050 |
>>>>>>> FATAL | Create identity internal endpoint | undercloud |
>>>>>>> error={"changed": false, "extra_data": {"data": null, "details": "The
>>>>>>> request you have made requires authentication.", "response":
>>>>>>> "{\"error\":{\"code\":401,\"message\":\"The request you have made requires
>>>>>>> authentication.\",\"title\":\"Unauthorized\"}}\n"}, "msg": "Failed to list
>>>>>>> services: Client Error for url:
>>>>>>> https://overcloud-hsc.com:13000/v3/services, The request you have
>>>>>>> made requires authentication."}
>>>>>>> 2022-07-19 00:09:43.780306 | 525400ae-089b-c832-8e34-000000007050 |
>>>>>>> TIMING | tripleo_keystone_resources : Create identity internal endpoint
>>>>>>> | undercloud | 0:11:21.074605 | 2.
>>>>>>>
>>>>>>>
>>>>>>> Certificate configs:
>>>>>>>
>>>>>>> [stack at undercloud oc-domain-name]$ cat server.csr.cnf
>>>>>>> [req]
>>>>>>> default_bits = 2048
>>>>>>> prompt = no
>>>>>>> default_md = sha256
>>>>>>> distinguished_name = dn
>>>>>>> [dn]
>>>>>>> C=IN
>>>>>>> ST=UTTAR PRADESH
>>>>>>> L=NOIDA
>>>>>>> O=HSC
>>>>>>> OU=HSC
>>>>>>> emailAddress=demo at demo.com
>>>>>>> CN=overcloud-hsc.com
>>>>>>> [stack at undercloud oc-domain-name]$ cat v3.ext
>>>>>>> authorityKeyIdentifier=keyid,issuer
>>>>>>> basicConstraints=CA:FALSE
>>>>>>> keyUsage = digitalSignature, nonRepudiation, keyEncipherment,
>>>>>>> dataEncipherment
>>>>>>> subjectAltName = @alt_names
>>>>>>> [alt_names]
>>>>>>> DNS.1=overcloud-hsc.com
>>>>>>> [stack at undercloud oc-domain-name]$
>>>>>>>
>>>>>>> The difference we see from others is that we are using self-signed
>>>>>>> certificates.
>>>>>>>
>>>>>>> Please let me know in case we need to check something else. Somehow
>>>>>>> this issue remains stuck.
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Jul 15, 2022 at 2:17 AM Swogat Pradhan <
>>>>>>> swogatpradhan22 at gmail.com> wrote:
>>>>>>>
>>>>>>>> I was facing a similar kind of issue.
>>>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=2089442
>>>>>>>> Here is the solution that helped me fix it.
>>>>>>>> Also make sure the cn that you will use is reachable from
>>>>>>>> undercloud (maybe) script should take care of it.
>>>>>>>>
>>>>>>>> Also please follow Mr. Tathe's mail to add the cn first.
>>>>>>>>
>>>>>>>> With regards
>>>>>>>> Swogat Pradhan
>>>>>>>>
>>>>>>>> On Thu, Jul 14, 2022 at 8:49 AM Vikarna Tathe <
>>>>>>>> vikarnatathe at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi Lokendra,
>>>>>>>>>
>>>>>>>>> The CN field is missing. Can you add that and generate the
>>>>>>>>> certificate again?
>>>>>>>>>
>>>>>>>>> CN=ipaddress
>>>>>>>>>
>>>>>>>>> Also add dns.1=ipaddress under alt_names for precaution.
>>>>>>>>>
>>>>>>>>> Vikarna
>>>>>>>>>
>>>>>>>>> On Wed, 13 Jul, 2022, 23:02 Lokendra Rathour, <
>>>>>>>>> lokendrarathour at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Vikarna,
>>>>>>>>>> Thanks for the inputs.
>>>>>>>>>> I am not able to access any tabs in GUI.
>>>>>>>>>>
>>>>>>>>>> To restate, we are failing at the time of deployment at step 4:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> PLAY [External deployment step 4]
>>>>>>>>>> **********************************************
>>>>>>>>>> 2022-07-13 21:35:22.505148 | 525400ae-089b-870a-fab6-0000000000d7
>>>>>>>>>> | TASK | External deployment step 4
>>>>>>>>>> 2022-07-13 21:35:22.534899 | 525400ae-089b-870a-fab6-0000000000d7
>>>>>>>>>> | OK | External deployment step 4 | undercloud -> localhost |
>>>>>>>>>> result={
>>>>>>>>>> "changed": false,
>>>>>>>>>> "msg": "Use --start-at-task 'External deployment step 4' to
>>>>>>>>>> resume from this task"
>>>>>>>>>> }
>>>>>>>>>> [WARNING]: ('undercloud -> localhost',
>>>>>>>>>> '525400ae-089b-870a-fab6-0000000000d7')
>>>>>>>>>> missing from stats
>>>>>>>>>> 2022-07-13 21:35:22.591268 | 525400ae-089b-870a-fab6-0000000000d8
>>>>>>>>>> | TIMING | include_tasks | undercloud | 0:11:21.683453 | 0.04s
>>>>>>>>>> 2022-07-13 21:35:22.605901 | f29c4b58-75a5-4993-97b8-3921a49d79d7
>>>>>>>>>> | INCLUDED |
>>>>>>>>>> /home/stack/overcloud-deploy/overcloud/config-download/overcloud/external_deploy_steps_tasks_step4.yaml
>>>>>>>>>> | undercloud
>>>>>>>>>> 2022-07-13 21:35:22.627112 | 525400ae-089b-870a-fab6-000000007239
>>>>>>>>>> | TASK | Clean up legacy Cinder keystone catalog entries
>>>>>>>>>> 2022-07-13 21:35:25.110635 | 525400ae-089b-870a-fab6-000000007239
>>>>>>>>>> | OK | Clean up legacy Cinder keystone catalog entries | undercloud
>>>>>>>>>> | item={'service_name': 'cinderv2', 'service_type': 'volumev2'}
>>>>>>>>>> 2022-07-13 21:35:25.112368 | 525400ae-089b-870a-fab6-000000007239
>>>>>>>>>> | TIMING | Clean up legacy Cinder keystone catalog entries | undercloud
>>>>>>>>>> | 0:11:24.204562 | 2.48s
>>>>>>>>>> 2022-07-13 21:35:27.029270 | 525400ae-089b-870a-fab6-000000007239
>>>>>>>>>> | OK | Clean up legacy Cinder keystone catalog entries | undercloud
>>>>>>>>>> | item={'service_name': 'cinderv3', 'service_type': 'volume'}
>>>>>>>>>> 2022-07-13 21:35:27.030383 | 525400ae-089b-870a-fab6-000000007239
>>>>>>>>>> | TIMING | Clean up legacy Cinder keystone catalog entries | undercloud
>>>>>>>>>> | 0:11:26.122584 | 4.40s
>>>>>>>>>> 2022-07-13 21:35:27.032091 | 525400ae-089b-870a-fab6-000000007239
>>>>>>>>>> | TIMING | Clean up legacy Cinder keystone catalog entries | undercloud
>>>>>>>>>> | 0:11:26.124296 | 4.40s
>>>>>>>>>> 2022-07-13 21:35:27.047913 | 525400ae-089b-870a-fab6-00000000723c
>>>>>>>>>> | TASK | Manage Keystone resources for OpenStack services
>>>>>>>>>> 2022-07-13 21:35:27.077672 | 525400ae-089b-870a-fab6-00000000723c
>>>>>>>>>> | TIMING | Manage Keystone resources for OpenStack services |
>>>>>>>>>> undercloud | 0:11:26.169842 | 0.03s
>>>>>>>>>> 2022-07-13 21:35:27.120270 | 525400ae-089b-870a-fab6-00000000726b
>>>>>>>>>> | TASK | Gather variables for each operating system
>>>>>>>>>> 2022-07-13 21:35:27.161225 | 525400ae-089b-870a-fab6-00000000726b
>>>>>>>>>> | TIMING | tripleo_keystone_resources : Gather variables for each
>>>>>>>>>> operating system | undercloud | 0:11:26.253383 | 0.04s
>>>>>>>>>> 2022-07-13 21:35:27.177798 | 525400ae-089b-870a-fab6-00000000726c
>>>>>>>>>> | TASK | Create Keystone Admin resources
>>>>>>>>>> 2022-07-13 21:35:27.207430 | 525400ae-089b-870a-fab6-00000000726c
>>>>>>>>>> | TIMING | tripleo_keystone_resources : Create Keystone Admin resources
>>>>>>>>>> | undercloud | 0:11:26.299608 | 0.03s
>>>>>>>>>> 2022-07-13 21:35:27.230985 | 46e05e2d-2e9c-467b-ac4f-c5f0bc7286b3
>>>>>>>>>> | INCLUDED |
>>>>>>>>>> /usr/share/ansible/roles/tripleo_keystone_resources/tasks/admin.yml |
>>>>>>>>>> undercloud
>>>>>>>>>> 2022-07-13 21:35:27.256076 | 525400ae-089b-870a-fab6-0000000072ad
>>>>>>>>>> | TASK | Create default domain
>>>>>>>>>> 2022-07-13 21:35:29.343399 | 525400ae-089b-870a-fab6-0000000072ad
>>>>>>>>>> | OK | Create default domain | undercloud
>>>>>>>>>> 2022-07-13 21:35:29.345172 | 525400ae-089b-870a-fab6-0000000072ad
>>>>>>>>>> | TIMING | tripleo_keystone_resources : Create default domain |
>>>>>>>>>> undercloud | 0:11:28.437360 | 2.09s
>>>>>>>>>> 2022-07-13 21:35:29.361643 | 525400ae-089b-870a-fab6-0000000072ae
>>>>>>>>>> | TASK | Create admin and service projects
>>>>>>>>>> 2022-07-13 21:35:29.391295 | 525400ae-089b-870a-fab6-0000000072ae
>>>>>>>>>> | TIMING | tripleo_keystone_resources : Create admin and service
>>>>>>>>>> projects | undercloud | 0:11:28.483468 | 0.03s
>>>>>>>>>> 2022-07-13 21:35:29.402539 | af7a4a76-4998-4679-ac6f-58acc0867554
>>>>>>>>>> | INCLUDED |
>>>>>>>>>> /usr/share/ansible/roles/tripleo_keystone_resources/tasks/projects.yml |
>>>>>>>>>> undercloud
>>>>>>>>>> 2022-07-13 21:35:29.428918 | 525400ae-089b-870a-fab6-000000007304
>>>>>>>>>> | TASK | Async creation of Keystone project
>>>>>>>>>> 2022-07-13 21:35:30.144295 | 525400ae-089b-870a-fab6-000000007304
>>>>>>>>>> | CHANGED | Async creation of Keystone project | undercloud | item=admin
>>>>>>>>>> 2022-07-13 21:35:30.145884 | 525400ae-089b-870a-fab6-000000007304
>>>>>>>>>> | TIMING | tripleo_keystone_resources : Async creation of Keystone
>>>>>>>>>> project | undercloud | 0:11:29.238078 | 0.72s
>>>>>>>>>> 2022-07-13 21:35:30.493458 | 525400ae-089b-870a-fab6-000000007304
>>>>>>>>>> | CHANGED | Async creation of Keystone project | undercloud |
>>>>>>>>>> item=service
>>>>>>>>>> 2022-07-13 21:35:30.494386 | 525400ae-089b-870a-fab6-000000007304
>>>>>>>>>> | TIMING | tripleo_keystone_resources : Async creation of Keystone
>>>>>>>>>> project | undercloud | 0:11:29.586587 | 1.06s
>>>>>>>>>> 2022-07-13 21:35:30.495729 | 525400ae-089b-870a-fab6-000000007304
>>>>>>>>>> | TIMING | tripleo_keystone_resources : Async creation of Keystone
>>>>>>>>>> project | undercloud | 0:11:29.587916 | 1.07s
>>>>>>>>>> 2022-07-13 21:35:30.511748 | 525400ae-089b-870a-fab6-000000007306
>>>>>>>>>> | TASK | Check Keystone project status
>>>>>>>>>> 2022-07-13 21:35:30.908189 | 525400ae-089b-870a-fab6-000000007306
>>>>>>>>>> | WAITING | Check Keystone project status | undercloud | 30 retries left
>>>>>>>>>> 2022-07-13 21:35:36.166541 | 525400ae-089b-870a-fab6-000000007306
>>>>>>>>>> | OK | Check Keystone project status | undercloud | item=admin
>>>>>>>>>> 2022-07-13 21:35:36.168506 | 525400ae-089b-870a-fab6-000000007306
>>>>>>>>>> | TIMING | tripleo_keystone_resources : Check Keystone project status |
>>>>>>>>>> undercloud | 0:11:35.260666 | 5.66s
>>>>>>>>>> 2022-07-13 21:35:36.400914 | 525400ae-089b-870a-fab6-000000007306
>>>>>>>>>> | OK | Check Keystone project status | undercloud | item=service
>>>>>>>>>> 2022-07-13 21:35:36.402534 | 525400ae-089b-870a-fab6-000000007306
>>>>>>>>>> | TIMING | tripleo_keystone_resources : Check Keystone project status |
>>>>>>>>>> undercloud | 0:11:35.494729 | 5.89s
>>>>>>>>>> 2022-07-13 21:35:36.406576 | 525400ae-089b-870a-fab6-000000007306
>>>>>>>>>> | TIMING | tripleo_keystone_resources : Check Keystone project status |
>>>>>>>>>> undercloud | 0:11:35.498771 | 5.89s
>>>>>>>>>> 2022-07-13 21:35:36.427719 | 525400ae-089b-870a-fab6-0000000072af
>>>>>>>>>> | TASK | Create admin role
>>>>>>>>>> 2022-07-13 21:35:38.632266 | 525400ae-089b-870a-fab6-0000000072af
>>>>>>>>>> | OK | Create admin role | undercloud
>>>>>>>>>> 2022-07-13 21:35:38.633754 | 525400ae-089b-870a-fab6-0000000072af
>>>>>>>>>> | TIMING | tripleo_keystone_resources : Create admin role | undercloud
>>>>>>>>>> | 0:11:37.725949 | 2.20s
>>>>>>>>>> 2022-07-13 21:35:38.649721 | 525400ae-089b-870a-fab6-0000000072b0
>>>>>>>>>> | TASK | Create _member_ role
>>>>>>>>>> 2022-07-13 21:35:38.689773 | 525400ae-089b-870a-fab6-0000000072b0
>>>>>>>>>> | SKIPPED | Create _member_ role | undercloud
>>>>>>>>>> 2022-07-13 21:35:38.691172 | 525400ae-089b-870a-fab6-0000000072b0
>>>>>>>>>> | TIMING | tripleo_keystone_resources : Create _member_ role |
>>>>>>>>>> undercloud | 0:11:37.783369 | 0.04s
>>>>>>>>>> 2022-07-13 21:35:38.706920 | 525400ae-089b-870a-fab6-0000000072b1
>>>>>>>>>> | TASK | Create admin user
>>>>>>>>>> 2022-07-13 21:35:42.051623 | 525400ae-089b-870a-fab6-0000000072b1
>>>>>>>>>> | CHANGED | Create admin user | undercloud
>>>>>>>>>> 2022-07-13 21:35:42.053285 | 525400ae-089b-870a-fab6-0000000072b1
>>>>>>>>>> | TIMING | tripleo_keystone_resources : Create admin user | undercloud
>>>>>>>>>> | 0:11:41.145472 | 3.34s
>>>>>>>>>> 2022-07-13 21:35:42.069370 | 525400ae-089b-870a-fab6-0000000072b2
>>>>>>>>>> | TASK | Assign admin role to admin project for admin user
>>>>>>>>>> 2022-07-13 21:35:45.194891 | 525400ae-089b-870a-fab6-0000000072b2
>>>>>>>>>> | OK | Assign admin role to admin project for admin user |
>>>>>>>>>> undercloud
>>>>>>>>>> 2022-07-13 21:35:45.196669 | 525400ae-089b-870a-fab6-0000000072b2
>>>>>>>>>> | TIMING | tripleo_keystone_resources : Assign admin role to admin
>>>>>>>>>> project for admin user | undercloud | 0:11:44.288848 | 3.13s
>>>>>>>>>> 2022-07-13 21:35:45.212674 | 525400ae-089b-870a-fab6-0000000072b3
>>>>>>>>>> | TASK | Assign _member_ role to admin project for admin user
>>>>>>>>>> 2022-07-13 21:35:45.252884 | 525400ae-089b-870a-fab6-0000000072b3
>>>>>>>>>> | SKIPPED | Assign _member_ role to admin project for admin user |
>>>>>>>>>> undercloud
>>>>>>>>>> 2022-07-13 21:35:45.254283 | 525400ae-089b-870a-fab6-0000000072b3
>>>>>>>>>> | TIMING | tripleo_keystone_resources : Assign _member_ role to admin
>>>>>>>>>> project for admin user | undercloud | 0:11:44.346479 | 0.04s
>>>>>>>>>> 2022-07-13 21:35:45.270310 | 525400ae-089b-870a-fab6-0000000072b4
>>>>>>>>>> | TASK | Create identity service
>>>>>>>>>> 2022-07-13 21:35:46.928715 | 525400ae-089b-870a-fab6-0000000072b4
>>>>>>>>>> | OK | Create identity service | undercloud
>>>>>>>>>> 2022-07-13 21:35:46.930167 | 525400ae-089b-870a-fab6-0000000072b4
>>>>>>>>>> | TIMING | tripleo_keystone_resources : Create identity service |
>>>>>>>>>> undercloud | 0:11:46.022362 | 1.66s
>>>>>>>>>> 2022-07-13 21:35:46.946797 | 525400ae-089b-870a-fab6-0000000072b5
>>>>>>>>>> | TASK | Create identity public endpoint
>>>>>>>>>> 2022-07-13 21:35:49.139298 | 525400ae-089b-870a-fab6-0000000072b5
>>>>>>>>>> | OK | Create identity public endpoint | undercloud
>>>>>>>>>> 2022-07-13 21:35:49.141158 | 525400ae-089b-870a-fab6-0000000072b5
>>>>>>>>>> | TIMING | tripleo_keystone_resources : Create identity public endpoint
>>>>>>>>>> | undercloud | 0:11:48.233349 | 2.19s
>>>>>>>>>> 2022-07-13 21:35:49.157768 | 525400ae-089b-870a-fab6-0000000072b6
>>>>>>>>>> | TASK | Create identity internal endpoint
>>>>>>>>>> 2022-07-13 21:35:51.566826 | 525400ae-089b-870a-fab6-0000000072b6
>>>>>>>>>> | FATAL | Create identity internal endpoint | undercloud |
>>>>>>>>>> error={"changed": false, "extra_data": {"data": null, "details": "The
>>>>>>>>>> request you have made requires authentication.", "response":
>>>>>>>>>> "{\"error\":{\"code\":401,\"message\":\"The request you have made requires
>>>>>>>>>> authentication.\",\"title\":\"Unauthorized\"}}\n"}, "msg": "Failed to list
>>>>>>>>>> services: Client Error for url:
>>>>>>>>>> https://[fd00:fd00:fd00:9900::81]:13000/v3/services, The request
>>>>>>>>>> you have made requires authentication."}
>>>>>>>>>> 2022-07-13 21:35:51.568473 | 525400ae-089b-870a-fab6-0000000072b6
>>>>>>>>>> | TIMING | tripleo_keystone_resources : Create identity internal
>>>>>>>>>> endpoint | undercloud | 0:11:50.660654 | 2.41s
>>>>>>>>>>
>>>>>>>>>> PLAY RECAP
>>>>>>>>>> *********************************************************************
>>>>>>>>>> localhost : ok=1 changed=0 unreachable=0
>>>>>>>>>> failed=0 skipped=2 rescued=0 ignored=0
>>>>>>>>>> overcloud-controller-0 : ok=437 changed=103 unreachable=0
>>>>>>>>>> failed=0 skipped=214 rescued=0 ignored=0
>>>>>>>>>> overcloud-controller-1 : ok=435 changed=101 unreachable=0
>>>>>>>>>> failed=0 skipped=214 rescued=0 ignored=0
>>>>>>>>>> overcloud-controller-2 : ok=432 changed=101 unreachable=0
>>>>>>>>>> failed=0 skipped=214 rescued=0 ignored=0
>>>>>>>>>> overcloud-novacompute-0 : ok=345 changed=82 unreachable=0
>>>>>>>>>> failed=0 skipped=198 rescued=0 ignored=0
>>>>>>>>>> undercloud : ok=39 changed=7 unreachable=0
>>>>>>>>>> failed=1 skipped=6 rescued=0 ignored=0
>>>>>>>>>>
>>>>>>>>>> Also :
>>>>>>>>>> (undercloud) [stack at undercloud oc-cert]$ cat server.csr.cnf
>>>>>>>>>> [req]
>>>>>>>>>> default_bits = 2048
>>>>>>>>>> prompt = no
>>>>>>>>>> default_md = sha256
>>>>>>>>>> distinguished_name = dn
>>>>>>>>>> [dn]
>>>>>>>>>> C=IN
>>>>>>>>>> ST=UTTAR PRADESH
>>>>>>>>>> L=NOIDA
>>>>>>>>>> O=HSC
>>>>>>>>>> OU=HSC
>>>>>>>>>> emailAddress=demo at demo.com
>>>>>>>>>>
>>>>>>>>>> v3.ext:
>>>>>>>>>> (undercloud) [stack at undercloud oc-cert]$ cat v3.ext
>>>>>>>>>> authorityKeyIdentifier=keyid,issuer
>>>>>>>>>> basicConstraints=CA:FALSE
>>>>>>>>>> keyUsage = digitalSignature, nonRepudiation, keyEncipherment,
>>>>>>>>>> dataEncipherment
>>>>>>>>>> subjectAltName = @alt_names
>>>>>>>>>> [alt_names]
>>>>>>>>>> IP.1=fd00:fd00:fd00:9900::81
>>>>>>>>>>
>>>>>>>>>> Using these files we create other certificates.
>>>>>>>>>> Please check and let me know in case we need anything else.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Wed, Jul 13, 2022 at 10:00 PM Vikarna Tathe <
>>>>>>>>>> vikarnatathe at gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Lokendra,
>>>>>>>>>>>
>>>>>>>>>>> Are you able to access all the tabs in the OpenStack dashboard
>>>>>>>>>>> without any error? If not, please retry generating the certificate. Also,
>>>>>>>>>>> share the openssl.cnf or server.cnf.
>>>>>>>>>>>
>>>>>>>>>>> On Wed, 13 Jul 2022 at 18:18, Lokendra Rathour <
>>>>>>>>>>> lokendrarathour at gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Team,
>>>>>>>>>>>> Any input on this case raised.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> Lokendra
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Jul 12, 2022 at 10:18 PM Lokendra Rathour <
>>>>>>>>>>>> lokendrarathour at gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Shephard/Swogat,
>>>>>>>>>>>>> I tried changing the setting as suggested and it looks like it
>>>>>>>>>>>>> has failed at step 4 with error:
>>>>>>>>>>>>>
>>>>>>>>>>>>> :31:32.169420 | 525400ae-089b-fb79-67ac-0000000072ce |
>>>>>>>>>>>>> TIMING | tripleo_keystone_resources : Create identity public endpoint |
>>>>>>>>>>>>> undercloud | 0:24:47.736198 | 2.21s
>>>>>>>>>>>>> 2022-07-12 21:31:32.185594 |
>>>>>>>>>>>>> 525400ae-089b-fb79-67ac-0000000072cf | TASK | Create identity
>>>>>>>>>>>>> internal endpoint
>>>>>>>>>>>>> 2022-07-12 21:31:34.468996 |
>>>>>>>>>>>>> 525400ae-089b-fb79-67ac-0000000072cf | FATAL | Create identity
>>>>>>>>>>>>> internal endpoint | undercloud | error={"changed": false, "extra_data":
>>>>>>>>>>>>> {"data": null, "details": "The request you have made requires
>>>>>>>>>>>>> authentication.", "response": "{\"error\":{\"code\":401,\"message\":\"The
>>>>>>>>>>>>> request you have made requires
>>>>>>>>>>>>> authentication.\",\"title\":\"Unauthorized\"}}\n"}, "msg": "Failed to list
>>>>>>>>>>>>> services: Client Error for url:
>>>>>>>>>>>>> https://[fd00:fd00:fd00:9900::81]:13000/v3/services, The
>>>>>>>>>>>>> request you have made requires authentication."}
>>>>>>>>>>>>> 2022-07-12 21:31:34.470415 | 525400ae-089b-fb79-67ac-000000
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Checking further the endpoint list:
>>>>>>>>>>>>> I see only one endpoint for keystone is getting created.
>>>>>>>>>>>>>
>>>>>>>>>>>>> DeprecationWarning
>>>>>>>>>>>>>
>>>>>>>>>>>>> +----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
>>>>>>>>>>>>> | ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                                     |
>>>>>>>>>>>>> +----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
>>>>>>>>>>>>> | 4378dc0a4d8847ee87771699fc7b995e | regionOne | keystone     | identity     | True    | admin     | http://30.30.30.173:35357               |
>>>>>>>>>>>>> | 67c829e126944431a06ed0c2b97a295f | regionOne | keystone     | identity     | True    | internal  | http://[fd00:fd00:fd00:2000::326]:5000  |
>>>>>>>>>>>>> | 8a9a3de4993c4ff7903caf95b8ae40fa | regionOne | keystone     | identity     | True    | public    | https://[fd00:fd00:fd00:9900::81]:13000 |
>>>>>>>>>>>>> +----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> It looks like something related to the SSL. We have also
>>>>>>>>>>>>> verified that the GUI login screen shows that certificates are applied.
>>>>>>>>>>>>> Exploring more in the logs; meanwhile, any suggestions or known
>>>>>>>>>>>>> observations would be of great help.
>>>>>>>>>>>>> Thanks again for the support.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Best Regards,
>>>>>>>>>>>>> Lokendra
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Sat, Jul 9, 2022 at 11:24 AM Swogat Pradhan <
>>>>>>>>>>>>> swogatpradhan22 at gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> I had faced a similar kind of issue. For an IP-based setup you
>>>>>>>>>>>>>> need to specify the domain name as the IP that you are going to use. This
>>>>>>>>>>>>>> error is showing up because the SSL is IP-based but the FQDNs seem to be
>>>>>>>>>>>>>> undercloud.com or overcloud.example.com.
>>>>>>>>>>>>>> I think for undercloud you can change the undercloud.conf.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> And will it work if we specify clouddomain parameter to the
>>>>>>>>>>>>>> IP address for overcloud? because it seems he has not specified the
>>>>>>>>>>>>>> clouddomain parameter and overcloud.example.com is the
>>>>>>>>>>>>>> default domain for overcloud.example.com.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Fri, 8 Jul 2022, 6:01 pm Swogat Pradhan, <
>>>>>>>>>>>>>> swogatpradhan22 at gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> What is the domain name you have specified in the
>>>>>>>>>>>>>>> undercloud.conf file?
>>>>>>>>>>>>>>> And what is the fqdn name used for the generation of the SSL
>>>>>>>>>>>>>>> cert?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Fri, 8 Jul 2022, 5:38 pm Lokendra Rathour, <
>>>>>>>>>>>>>>> lokendrarathour at gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi Team,
>>>>>>>>>>>>>>>> We were trying to install the overcloud with SSL enabled, for
>>>>>>>>>>>>>>>> which the UC is installed, but the OC install is failing at step 4:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ERROR
>>>>>>>>>>>>>>>> :nectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000):
>>>>>>>>>>>>>>>> Max retries exceeded with url: / (Caused by
>>>>>>>>>>>>>>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>>>>>>>>>>>>>>> match 'undercloud.com'\",),))\n", "module_stdout": "",
>>>>>>>>>>>>>>>> "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
>>>>>>>>>>>>>>>> 2022-07-08 17:03:23.606739 |
>>>>>>>>>>>>>>>> 5254009a-6a3c-adb1-f96f-0000000072ac | FATAL | Clean up legacy Cinder
>>>>>>>>>>>>>>>> keystone catalog entries | undercloud | item={'service_name': 'cinderv3',
>>>>>>>>>>>>>>>> 'service_type': 'volume'} | error={"ansible_index_var":
>>>>>>>>>>>>>>>> "cinder_api_service", "ansible_loop_var": "item", "changed": false,
>>>>>>>>>>>>>>>> "cinder_api_service": 1, "item": {"service_name": "cinderv3",
>>>>>>>>>>>>>>>> "service_type": "volume"}, "module_stderr": "Failed to discover available
>>>>>>>>>>>>>>>> identity versions when contacting
>>>>>>>>>>>>>>>> https://[fd00:fd00:fd00:9900::2ef]:13000. Attempting to
>>>>>>>>>>>>>>>> parse version from URL.\nTraceback (most recent call last):\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 600,
>>>>>>>>>>>>>>>> in urlopen\n chunked=chunked)\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 343,
>>>>>>>>>>>>>>>> in _make_request\n self._validate_conn(conn)\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 839,
>>>>>>>>>>>>>>>> in _validate_conn\n conn.connect()\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/connection.py\", line 378, in
>>>>>>>>>>>>>>>> connect\n _match_hostname(cert, self.assert_hostname or
>>>>>>>>>>>>>>>> server_hostname)\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/connection.py\", line 388, in
>>>>>>>>>>>>>>>> _match_hostname\n match_hostname(cert, asserted_hostname)\n File
>>>>>>>>>>>>>>>> \"/usr/lib64/python3.6/ssl.py\", line 291, in match_hostname\n %
>>>>>>>>>>>>>>>> (hostname, dnsnames[0]))\nssl.CertificateError: hostname
>>>>>>>>>>>>>>>> 'fd00:fd00:fd00:9900::2ef' doesn't match 'undercloud.com'\n\nDuring
>>>>>>>>>>>>>>>> handling of the above exception, another exception occurred:\n\nTraceback
>>>>>>>>>>>>>>>> (most recent call last):\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/requests/adapters.py\", line 449, in
>>>>>>>>>>>>>>>> send\n timeout=timeout\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/connectionpool.py\", line 638,
>>>>>>>>>>>>>>>> in urlopen\n _stacktrace=sys.exc_info()[2])\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/urllib3/util/retry.py\", line 399, in
>>>>>>>>>>>>>>>> increment\n raise MaxRetryError(_pool, url, error or
>>>>>>>>>>>>>>>> ResponseError(cause))\nurllib3.exceptions.MaxRetryError:
>>>>>>>>>>>>>>>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>>>>>>>>>>>>>>> retries exceeded with url: / (Caused by
>>>>>>>>>>>>>>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>>>>>>>>>>>>>>> match 'undercloud.com'\",),))\n\nDuring handling of the
>>>>>>>>>>>>>>>> above exception, another exception occurred:\n\nTraceback (most recent call
>>>>>>>>>>>>>>>> last):\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1022,
>>>>>>>>>>>>>>>> in _send_request\n resp = self.session.request(method, url, **kwargs)\n
>>>>>>>>>>>>>>>> File \"/usr/lib/python3.6/site-packages/requests/sessions.py\", line 533,
>>>>>>>>>>>>>>>> in request\n resp = self.send(prep, **send_kwargs)\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/requests/sessions.py\", line 646, in
>>>>>>>>>>>>>>>> send\n r = adapter.send(request, **kwargs)\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/requests/adapters.py\", line 514, in
>>>>>>>>>>>>>>>> send\n raise SSLError(e, request=request)\nrequests.exceptions.SSLError:
>>>>>>>>>>>>>>>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>>>>>>>>>>>>>>> retries exceeded with url: / (Caused by
>>>>>>>>>>>>>>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>>>>>>>>>>>>>>> match 'undercloud.com'\",),))\n\nDuring handling of the
>>>>>>>>>>>>>>>> above exception, another exception occurred:\n\nTraceback (most recent call
>>>>>>>>>>>>>>>> last):\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
>>>>>>>>>>>>>>>> line 138, in _do_create_plugin\n authenticated=False)\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>>>>>>>>>>>>>>>> 610, in get_discovery\n authenticated=authenticated)\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 1452,
>>>>>>>>>>>>>>>> in get_discovery\n disc = Discover(session, url,
>>>>>>>>>>>>>>>> authenticated=authenticated)\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 536,
>>>>>>>>>>>>>>>> in __init__\n authenticated=authenticated)\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 102,
>>>>>>>>>>>>>>>> in get_version_data\n resp = session.get(url, headers=headers,
>>>>>>>>>>>>>>>> authenticated=authenticated)\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1141,
>>>>>>>>>>>>>>>> in get\n return self.request(url, 'GET', **kwargs)\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 931, in
>>>>>>>>>>>>>>>> request\n resp = send(**kwargs)\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1026,
>>>>>>>>>>>>>>>> in _send_request\n raise
>>>>>>>>>>>>>>>> exceptions.SSLError(msg)\nkeystoneauth1.exceptions.connection.SSLError: SSL
>>>>>>>>>>>>>>>> exception connecting to
>>>>>>>>>>>>>>>> https://[fd00:fd00:fd00:9900::2ef]:13000:
>>>>>>>>>>>>>>>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>>>>>>>>>>>>>>> retries exceeded with url: / (Caused by
>>>>>>>>>>>>>>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>>>>>>>>>>>>>>> match 'undercloud.com'\",),))\n\nDuring handling of the
>>>>>>>>>>>>>>>> above exception, another exception occurred:\n\nTraceback (most recent call
>>>>>>>>>>>>>>>> last):\n File \"<stdin>\", line 102, in <module>\n File \"<stdin>\", line
>>>>>>>>>>>>>>>> 94, in _ansiballz_main\n File \"<stdin>\", line 40, in invoke_module\n
>>>>>>>>>>>>>>>> File \"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\n
>>>>>>>>>>>>>>>> return _run_module_code(code, init_globals, run_name, mod_spec)\n File
>>>>>>>>>>>>>>>> \"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\n
>>>>>>>>>>>>>>>> mod_name, mod_spec, pkg_name, script_name)\n File
>>>>>>>>>>>>>>>> \"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\n exec(code,
>>>>>>>>>>>>>>>> run_globals)\n File
>>>>>>>>>>>>>>>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
>>>>>>>>>>>>>>>> line 185, in <module>\n File
>>>>>>>>>>>>>>>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
>>>>>>>>>>>>>>>> line 181, in main\n File
>>>>>>>>>>>>>>>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/module_utils/openstack.py\",
>>>>>>>>>>>>>>>> line 407, in __call__\n File
>>>>>>>>>>>>>>>> \"/tmp/ansible_openstack.cloud.catalog_service_payload_7ikyjf7t/ansible_openstack.cloud.catalog_service_payload.zip/ansible_collections/openstack/cloud/plugins/modules/catalog_service.py\",
>>>>>>>>>>>>>>>> line 141, in run\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\", line
>>>>>>>>>>>>>>>> 517, in search_services\n services = self.list_services()\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\", line
>>>>>>>>>>>>>>>> 492, in list_services\n if self._is_client_version('identity', 2):\n
>>>>>>>>>>>>>>>> File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/openstack/cloud/openstackcloud.py\",
>>>>>>>>>>>>>>>> line 460, in _is_client_version\n client = getattr(self, client_name)\n
>>>>>>>>>>>>>>>> File \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\",
>>>>>>>>>>>>>>>> line 32, in _identity_client\n 'identity', min_version=2,
>>>>>>>>>>>>>>>> max_version='3.latest')\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/openstack/cloud/openstackcloud.py\",
>>>>>>>>>>>>>>>> line 407, in _get_versioned_client\n if adapter.get_endpoint():\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/adapter.py\", line 291, in
>>>>>>>>>>>>>>>> get_endpoint\n return self.session.get_endpoint(auth or self.auth,
>>>>>>>>>>>>>>>> **kwargs)\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1243,
>>>>>>>>>>>>>>>> in get_endpoint\n return auth.get_endpoint(self, **kwargs)\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>>>>>>>>>>>>>>>> 380, in get_endpoint\n allow_version_hack=allow_version_hack,
>>>>>>>>>>>>>>>> **kwargs)\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>>>>>>>>>>>>>>>> 271, in get_endpoint_data\n service_catalog =
>>>>>>>>>>>>>>>> self.get_access(session).service_catalog\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line
>>>>>>>>>>>>>>>> 134, in get_access\n self.auth_ref = self.get_auth_ref(session)\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
>>>>>>>>>>>>>>>> line 206, in get_auth_ref\n self._plugin =
>>>>>>>>>>>>>>>> self._do_create_plugin(session)\n File
>>>>>>>>>>>>>>>> \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\",
>>>>>>>>>>>>>>>> line 161, in _do_create_plugin\n 'auth_url is correct.
>>>>>>>>>>>>>>>> %s' % e)\nkeystoneauth1.exceptions.discovery.DiscoveryFailure: Could not
>>>>>>>>>>>>>>>> find versioned identity endpoints when attempting to authenticate. Please
>>>>>>>>>>>>>>>> check that your auth_url is correct. SSL exception connecting to
>>>>>>>>>>>>>>>> https://[fd00:fd00:fd00:9900::2ef]:13000:
>>>>>>>>>>>>>>>> HTTPSConnectionPool(host='fd00:fd00:fd00:9900::2ef', port=13000): Max
>>>>>>>>>>>>>>>> retries exceeded with url: / (Caused by
>>>>>>>>>>>>>>>> SSLError(CertificateError(\"hostname 'fd00:fd00:fd00:9900::2ef' doesn't
>>>>>>>>>>>>>>>> match 'overcloud.example.com'\",),))\n", "module_stdout":
>>>>>>>>>>>>>>>> "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
>>>>>>>>>>>>>>>> 2022-07-08 17:03:23.609354 |
>>>>>>>>>>>>>>>> 5254009a-6a3c-adb1-f96f-0000000072ac | TIMING | Clean up legacy Cinder
>>>>>>>>>>>>>>>> keystone catalog entries | undercloud | 0:11:01.271914 | 2.47s
>>>>>>>>>>>>>>>> 2022-07-08 17:03:23.611094 |
>>>>>>>>>>>>>>>> 5254009a-6a3c-adb1-f96f-0000000072ac | TIMING | Clean up legacy Cinder
>>>>>>>>>>>>>>>> keystone catalog entries | undercloud | 0:11:01.273659 | 2.47s
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> PLAY RECAP
>>>>>>>>>>>>>>>> *********************************************************************
>>>>>>>>>>>>>>>> localhost : ok=0 changed=0
>>>>>>>>>>>>>>>> unreachable=0 failed=0 skipped=2 rescued=0 ignored=0
>>>>>>>>>>>>>>>> overcloud-controller-0 : ok=437 changed=104
>>>>>>>>>>>>>>>> unreachable=0 failed=0 skipped=214 rescued=0 ignored=0
>>>>>>>>>>>>>>>> overcloud-controller-1 : ok=436 changed=101
>>>>>>>>>>>>>>>> unreachable=0 failed=0 skipped=214 rescued=0 ignored=0
>>>>>>>>>>>>>>>> overcloud-controller-2 : ok=431 changed=101
>>>>>>>>>>>>>>>> unreachable=0 failed=0 skipped=214 rescued=0 ignored=0
>>>>>>>>>>>>>>>> overcloud-novacompute-0 : ok=345 changed=83
>>>>>>>>>>>>>>>> unreachable=0 failed=0 skipped=198 rescued=0 ignored=0
>>>>>>>>>>>>>>>> undercloud : ok=28 changed=7
>>>>>>>>>>>>>>>> unreachable=0 failed=1 skipped=3 rescued=0 ignored=0
>>>>>>>>>>>>>>>> 2022-07-08 17:03:23.647270 |
>>>>>>>>>>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Summary Information
>>>>>>>>>>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>>>>>>>>>>>>> 2022-07-08 17:03:23.647907 |
>>>>>>>>>>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Total Tasks: 1373
>>>>>>>>>>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> in the deploy.sh:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> openstack overcloud deploy --templates \
>>>>>>>>>>>>>>>> -r /home/stack/templates/roles_data.yaml \
>>>>>>>>>>>>>>>> --networks-file /home/stack/templates/custom_network_data.yaml \
>>>>>>>>>>>>>>>> --vip-file /home/stack/templates/custom_vip_data.yaml \
>>>>>>>>>>>>>>>> --baremetal-deployment /home/stack/templates/overcloud-baremetal-deploy.yaml \
>>>>>>>>>>>>>>>> --network-config \
>>>>>>>>>>>>>>>> -e /home/stack/templates/environment.yaml \
>>>>>>>>>>>>>>>> -e /usr/share/openstack-tripleo-heat-templates/environments/services/ironic-conductor.yaml \
>>>>>>>>>>>>>>>> -e /usr/share/openstack-tripleo-heat-templates/environments/services/ironic-inspector.yaml \
>>>>>>>>>>>>>>>> -e /usr/share/openstack-tripleo-heat-templates/environments/services/ironic-overcloud.yaml \
>>>>>>>>>>>>>>>> -e /home/stack/templates/ironic-config.yaml \
>>>>>>>>>>>>>>>> -e /usr/share/openstack-tripleo-heat-templates/environments/external-ceph.yaml \
>>>>>>>>>>>>>>>> -e /usr/share/openstack-tripleo-heat-templates/environments/services/ptp.yaml \
>>>>>>>>>>>>>>>> -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-tls.yaml \
>>>>>>>>>>>>>>>> -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-ip.yaml \
>>>>>>>>>>>>>>>> -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/inject-trust-anchor.yaml \
>>>>>>>>>>>>>>>> -e /usr/share/openstack-tripleo-heat-templates/environments/docker-ha.yaml \
>>>>>>>>>>>>>>>> -e /usr/share/openstack-tripleo-heat-templates/environments/podman.yaml \
>>>>>>>>>>>>>>>> -e /home/stack/containers-prepare-parameter.yaml
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Additional lines, as highlighted in yellow, were passed with
>>>>>>>>>>>>>>>> modifications:
>>>>>>>>>>>>>>>> tls-endpoints-public-ip.yaml:
>>>>>>>>>>>>>>>> Passed as is in the defaults.
>>>>>>>>>>>>>>>> enable-tls.yaml:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # *******************************************************************
>>>>>>>>>>>>>>>> # This file was created automatically by the sample environment
>>>>>>>>>>>>>>>> # generator. Developers should use `tox -e genconfig` to update it.
>>>>>>>>>>>>>>>> # Users are recommended to make changes to a copy of the file instead
>>>>>>>>>>>>>>>> # of the original, if any customizations are needed.
>>>>>>>>>>>>>>>> # *******************************************************************
>>>>>>>>>>>>>>>> # title: Enable SSL on OpenStack Public Endpoints
>>>>>>>>>>>>>>>> # description: |
>>>>>>>>>>>>>>>> # Use this environment to pass in certificates for SSL deployments.
>>>>>>>>>>>>>>>> # For these values to take effect, one of the tls-endpoints-*.yaml
>>>>>>>>>>>>>>>> # environments must also be used.
>>>>>>>>>>>>>>>> parameter_defaults:
>>>>>>>>>>>>>>>>   # Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
>>>>>>>>>>>>>>>>   # Type: boolean
>>>>>>>>>>>>>>>>   HorizonSecureCookies: True
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>   # Specifies the default CA cert to use if TLS is used for services in the public network.
>>>>>>>>>>>>>>>>   # Type: string
>>>>>>>>>>>>>>>>   PublicTLSCAFile: '/etc/pki/ca-trust/source/anchors/overcloud-cacert.pem'
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>   # The content of the SSL certificate (without Key) in PEM format.
>>>>>>>>>>>>>>>>   # Type: string
>>>>>>>>>>>>>>>>   SSLRootCertificate: |
>>>>>>>>>>>>>>>>     -----BEGIN CERTIFICATE-----
>>>>>>>>>>>>>>>>     ----*** CERTICATELINES TRIMMED **
>>>>>>>>>>>>>>>>     -----END CERTIFICATE-----
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>   SSLCertificate: |
>>>>>>>>>>>>>>>>     -----BEGIN CERTIFICATE-----
>>>>>>>>>>>>>>>>     ----*** CERTICATELINES TRIMMED **
>>>>>>>>>>>>>>>>     -----END CERTIFICATE-----
>>>>>>>>>>>>>>>>   # The content of an SSL intermediate CA certificate in PEM format.
>>>>>>>>>>>>>>>>   # Type: string
>>>>>>>>>>>>>>>>   SSLIntermediateCertificate: ''
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>   # The content of the SSL Key in PEM format.
>>>>>>>>>>>>>>>>   # Type: string
>>>>>>>>>>>>>>>>   SSLKey: |
>>>>>>>>>>>>>>>>     -----BEGIN PRIVATE KEY-----
>>>>>>>>>>>>>>>>     ----*** CERTICATELINES TRIMMED **
>>>>>>>>>>>>>>>>     -----END PRIVATE KEY-----
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>   # ******************************************************
>>>>>>>>>>>>>>>>   # Static parameters - these are values that must be
>>>>>>>>>>>>>>>>   # included in the environment but should not be changed.
>>>>>>>>>>>>>>>>   # ******************************************************
>>>>>>>>>>>>>>>>   # The filepath of the certificate as it will be stored in the controller.
>>>>>>>>>>>>>>>>   # Type: string
>>>>>>>>>>>>>>>>   DeployedSSLCertificatePath: /etc/pki/tls/private/overcloud_endpoint.pem
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>   # *********************
>>>>>>>>>>>>>>>>   # End static parameters
>>>>>>>>>>>>>>>>   # *********************
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> inject-trust-anchor.yaml
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # *******************************************************************
>>>>>>>>>>>>>>>> # This file was created automatically by the sample environment
>>>>>>>>>>>>>>>> # generator. Developers should use `tox -e genconfig` to update it.
>>>>>>>>>>>>>>>> # Users are recommended to make changes to a copy of the file instead
>>>>>>>>>>>>>>>> # of the original, if any customizations are needed.
>>>>>>>>>>>>>>>> # *******************************************************************
>>>>>>>>>>>>>>>> # title: Inject SSL Trust Anchor on Overcloud Nodes
>>>>>>>>>>>>>>>> # description: |
>>>>>>>>>>>>>>>> # When using an SSL certificate signed by a CA that is not in the default
>>>>>>>>>>>>>>>> # list of CAs, this environment allows adding a custom CA certificate to
>>>>>>>>>>>>>>>> # the overcloud nodes.
>>>>>>>>>>>>>>>> parameter_defaults:
>>>>>>>>>>>>>>>>   # The content of a CA's SSL certificate file in PEM format. This is evaluated on the client side.
>>>>>>>>>>>>>>>>   # Mandatory. This parameter must be set by the user.
>>>>>>>>>>>>>>>>   # Type: string
>>>>>>>>>>>>>>>>   SSLRootCertificate: |
>>>>>>>>>>>>>>>>     -----BEGIN CERTIFICATE-----
>>>>>>>>>>>>>>>>     ----*** CERTICATELINES TRIMMED **
>>>>>>>>>>>>>>>>     -----END CERTIFICATE-----
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> resource_registry:
>>>>>>>>>>>>>>>>   OS::TripleO::NodeTLSCAData: ../../puppet/extraconfig/tls/ca-inject.yaml
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> The procedure to create such files was followed using:
>>>>>>>>>>>>>>>> Deploying with SSL — TripleO 3.0.0 documentation
>>>>>>>>>>>>>>>> (openstack.org)
>>>>>>>>>>>>>>>> <https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/ssl.html>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Idea is to deploy overcloud with SSL enabled, i.e. *Self-signed
>>>>>>>>>>>>>>>> IP-based certificate, without DNS.*
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Any idea around this error would be of great help.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> skype: lokendrarathour
--
~ Lokendra
skype: lokendrarathour
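
Added example, not part of the original thread or of TripleO: a pre-flight check that the [alt_names] section of an OpenSSL extension file covers the host of each endpoint URL, which is the mismatch behind the "hostname ... doesn't match" errors quoted above. The function names are hypothetical; the sample v3.ext and URLs are taken from the thread and embedded as constructed input.

```python
"""Check that a certificate's subjectAltName entries cover each endpoint host."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the v3.ext quoted in the thread (wrapped line rejoined).
V3_EXT = """\
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1=fd00:fd00:fd00:9900::81
"""


def parse_alt_names(ext_text):
    """Return (dns_names, ip_sans) read from the [alt_names] section."""
    dns_names, ip_sans, section = [], [], None
    for raw in ext_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section != "alt_names" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        kind = key.split(".", 1)[0].upper()  # "IP.1" -> "IP", "DNS.2" -> "DNS"
        if kind == "DNS":
            dns_names.append(value.lower())
        elif kind == "IP":
            ip_sans.append(ipaddress.ip_address(value))
    return dns_names, ip_sans


def dns_matches(pattern, host):
    """Exact match, or a left-most '*' label standing for exactly one label."""
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def check_endpoint(url, dns_names, ip_sans):
    """Return (ok, reason) for one endpoint URL against the SAN lists."""
    host = urlsplit(url).hostname  # strips the [] around IPv6 literals
    if not host:
        return False, "no host in URL"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal is matched only against iPAddress SAN entries,
        # never against DNS names. Comparing parsed addresses ignores
        # differences in textual form (case, zero compression).
        if addr in ip_sans:
            return True, "iPAddress SAN matches %s" % addr
        return False, "no iPAddress SAN for %s (DNS names: %s)" % (addr, dns_names)
    if any(dns_matches(name, host) for name in dns_names):
        return True, "dNSName SAN matches %s" % host
    return False, "no dNSName SAN for %s" % host


def coverage_report(ext_text, urls):
    """Map each URL to its (ok, reason) result."""
    dns_names, ip_sans = parse_alt_names(ext_text)
    return {url: check_endpoint(url, dns_names, ip_sans) for url in urls}


if __name__ == "__main__":
    # Endpoint URLs as they appear in the quoted logs.
    urls = [
        "https://[fd00:fd00:fd00:9900::81]:13000/v3/services",
        "https://[fd00:fd00:fd00:9900::2ef]:13000",
    ]
    for url, (ok, reason) in coverage_report(V3_EXT, urls).items():
        print("%-4s %s: %s" % ("OK" if ok else "FAIL", url, reason))
```
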