[kolla-ansible][Yoga] Install with self-signed certificate

wodel youchi wodel.youchi at gmail.com
Sat Nov 12 08:02:16 UTC 2022


Hi

Thanks for your help.

First I want to correct something: the *kolla_verify_tls_backend* was
positioned to *false* from the beginning, while doing the first deployment
with the commercial certificate.

And yes I have *kolla_copy_ca_into_containers* positioned to *yes* from the
beginning. And I can see in the nodes that there is a directory named
certificates in every module's directory in /etc/kolla.

What do you mean by using openssl? Do you mean to execute the command
inside a container and try to connect to keystone? If yes what is the
correct command?

It seems like something is missing to tell the client side to ignore the
certificate validity, something like the --insecure parameter in the
openstack cli.

Regards.

On Fri, Nov 11, 2022, 21:21 Eugen Block <eblock at nde.ag> wrote:

> Hi,
>
> I'm not familiar with kolla, but the docs also mention this option:
>
> kolla_copy_ca_into_containers: "yes"
>
> As I understand it the CA cert is required within the containers so
> they can trust the self-signed certs. At least that's how I configure
> it in a manually deployed openstack cloud. Do you have that option
> enabled? If it is enabled, did you verify it with openssl tools?
>
> Regards,
> Eugen
>
> Quoting wodel youchi <wodel.youchi at gmail.com>:
>
> > Some help please.
> >
> > On Tue, Nov 8, 2022, 14:44 wodel youchi <wodel.youchi at gmail.com> wrote:
> >
> >> Hi,
> >>
> >> To deploy OpenStack with a self-signed certificate, the documentation says
> >> to generate the certificates using kolla-ansible certificates, to configure
> >> the support of TLS in globals.yml and to deploy.
> >>
> >> I am facing a problem: my old certificate has expired, and I want to use a
> >> self-signed certificate.
> >> I backported my servers to an older date, then generated a self-signed
> >> certificate using kolla, but the deploy/reconfigure won't work, they say:
> >>
> >> self._sslobj.do_handshake()\n  File \"/usr/lib64/python3.6/ssl.py\", line
> >> 648, in do_handshakeself._sslobj.do_handshake()\nssl.SSLError: [SSL:
> >> CERTIFICATE_VERIFY_FAILED certificate verify failed
> >>
> >> PS: in my globals.yml I have: *kolla_verify_tls_backend: "yes"*
> >>
> >> Regards.
> >>
>
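
The openssl check Eugen Block asks about, and the trust relationship that *kolla_copy_ca_into_containers* is meant to establish, as an added example that is not part of the original thread or of kolla-ansible: it builds a throwaway root CA and server certificate (all names, subjects and paths are constructed) and verifies the certificate against a trust bundle before and after the CA is appended. On a real node, pass the container's CA bundle and the deployed server certificate to `chains_to` instead.

```bash
#!/usr/bin/env bash
# Added example; every name, subject and path here is constructed for the demo.

# chains_to BUNDLE CERT: exit 0 only if CERT verifies against the CAs in BUNDLE.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# why_not BUNDLE CERT: print the first error line OpenSSL reports, if any.
why_not() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -i '^error' | head -n 1 || true
}

# make_demo_pki DIR: throwaway root CA, a server cert signed by it, and an
# unrelated self-signed cert standing in for a bundle that lacks our CA.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=internal.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/srv.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/srv.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$1/other.key" -out "$1/other.crt" 2>/dev/null
    cp "$1/other.crt" "$1/bundle-before.pem"                 # CA not copied in yet
    cat "$1/other.crt" "$1/ca.crt" > "$1/bundle-after.pem"   # CA appended
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_demo_pki "$demo"

# Same server certificate, two trust bundles: only the second contains its issuer.
for b in bundle-before.pem bundle-after.pem; do
    if chains_to "$demo/$b" "$demo/srv.crt"; then
        echo "$b: server certificate is trusted"
    else
        echo "$b: NOT trusted: $(why_not "$demo/$b" "$demo/srv.crt")"
    fi
done
```

A client whose bundle lacks the issuing CA fails in the same way as the `CERTIFICATE_VERIFY_FAILED` handshake error quoted in the thread, so the bundle the failing service actually loads is the one to test.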