[kolla-ansible][Yoga] Install with self-signed certificate

wodel youchi wodel.youchi at gmail.com
Mon Nov 14 10:25:17 UTC 2022


Hi,

Any ideas?

Regards.


On Sat, Nov 12, 2022 at 09:02, wodel youchi <wodel.youchi at gmail.com> wrote:

> Hi
>
> Thanks for your help.
>
> First I want to correct something, the *kolla_verify_tls_backend* was
> positioned to *false* from the beginning, while doing the first
> deployment with the commercial certificate.
>
> And yes, I have *kolla_copy_ca_into_containers* positioned to *yes* from
> the beginning. And I can see in the nodes that there is a directory named
> certificates in every module's directory in /etc/kolla.
>
> What do you mean by using openssl? Do you mean to execute the command
> inside a container and try to connect to keystone? If yes what is the
> correct command?
>
> It seems like something is missing to tell the client side to ignore the
> certificate validity, something like the --insecure parameter in the
> openstack cli.
>
> Regards.
>
> On Fri, Nov 11, 2022, 21:21 Eugen Block <eblock at nde.ag> wrote:
>
>> Hi,
>>
>> I'm not familiar with kolla, but the docs also mention this option:
>>
>> kolla_copy_ca_into_containers: "yes"
>>
>> As I understand it the CA cert is required within the containers so
>> they can trust the self-signed certs. At least that's how I configure
>> it in a manually deployed openstack cloud. Do you have that option
>> enabled? If it is enabled, did you verify it with openssl tools?
>>
>> Regards,
>> Eugen
>>
>> Quoting wodel youchi <wodel.youchi at gmail.com>:
>>
>> > Some help please.
>> >
>> > On Tue, Nov 8, 2022, 14:44 wodel youchi <wodel.youchi at gmail.com> wrote:
>> >
>> >> Hi,
>> >>
>> >> To deploy OpenStack with a self-signed certificate, the documentation says
>> >> to generate the certificates using kolla-ansible certificates, to configure
>> >> the support of TLS in globals.yml and to deploy.
>> >>
>> >> I am facing a problem, my old certificate has expired, I want to use a
>> >> self-signed certificate.
>> >> I backported my servers to an older date, then generated a self-signed
>> >> certificate using kolla, but the deploy/reconfigure won't work, they say:
>> >>
>> >> self._sslobj.do_handshake()\n  File \"/usr/lib64/python3.6/ssl.py\", line
>> >> 648, in do_handshakeself._sslobj.do_handshake()\nssl.SSLError: [SSL:
>> >> CERTIFICATE_VERIFY_FAILED certificate verify failed
>> >>
>> >> PS: in my globals.yml I have: *kolla_verify_tls_backend: "yes"*
>> >>
>> >> Regards.
>> >>
>>
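
The thread mentions verifying the CA setup with openssl tools. As an added example (not part of any message in this thread and not kolla-ansible's own tooling), the script below builds a constructed throwaway CA and server certificate and runs the two relevant checks: whether a certificate chains to a given CA file, and whether it is still inside its validity period. All file names and subject names are assumptions; substitute the CA file and certificate actually deployed.

```shell
#!/bin/sh
# Added example with constructed data: throwaway CA, unrelated CA and server
# certificate. File and subject names are assumptions, not kolla-ansible paths.

# verify_against_ca CA_FILE CERT_FILE -> exit 0 if CERT_FILE chains to CA_FILE
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# still_valid CERT_FILE [SECONDS] -> exit 0 if the certificate does not
# expire within SECONDS from now (default 0, i.e. "not expired yet")
still_valid() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# make_demo_pki DIR -> root CA, server cert signed by it, and an unrelated CA
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-root-ca" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=unrelated-ca" \
        -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=api.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/server.crt" 2>/dev/null
}

demo=$(mktemp -d) && make_demo_pki "$demo" || exit 1
# Client trusts the CA that signed the server certificate: handshake would pass.
verify_against_ca "$demo/ca.crt" "$demo/server.crt" && echo "signing CA: verify OK"
# Client trusts a different CA: the condition behind CERTIFICATE_VERIFY_FAILED.
verify_against_ca "$demo/other.crt" "$demo/server.crt" || echo "unrelated CA: verify FAILED"
still_valid "$demo/server.crt" || echo "server certificate has expired"
# Show who issued the certificate and when it expires.
openssl x509 -in "$demo/server.crt" -noout -subject -issuer -enddate
rm -rf "$demo"
```

Both checks compare against the local clock, so they are only meaningful on a host whose date is correct.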