[kolla] [senlin] [xena] Self-signed cert errors during Senlin auth

Rob Jefferson techstep at gmail.com
Fri Jan 27 20:36:44 UTC 2023


Folks,

I am deploying OpenStack Xena via Kolla. As part of improving our
orchestration offerings, I am investigating the use of Senlin in our
deployments.

Using `enable_senlin: "yes"`, the containers install as expected. When
I attempt to create an initial profile, I get the following error:

> HttpException: 500: Server Error for url: https://external:8778/v1/profiles,
> Could not find versioned identity endpoints when attempting to authenticate.
> Please check that your auth_url is correct. SSL exception connecting
> to https://internal:35357: HTTPSConnectionPool(host='internal',
> port=35357): Max retries exceeded with url: / (Caused by
> SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]
> certificate verify failed: self signed certificate in
> certificate chain (_ssl.c:1131)')))

I have tried setting `verify_ssl = False` in senlin.conf, but no dice.

I don't see this issue on the other services for which we're using the
same certificates (e.g., Heat, Keystone, Barbican). Looking in the
containers, I don't see <service>-cert.pem or <service>-key.pem files
for Senlin as I did for other services. Moreover, the authentication
configurations look the same in all relevant respects, between Senlin
and the services that do work.

I'm positively flummoxed about why the certs aren't getting
distributed. When I took a look at the documentation for Kolla TLS [1],
I saw the following:

> Enabling TLS on the backend services secures communication between the
> HAProxy listening on the internal/external VIP and the OpenStack
> services. It also enables secure end-to-end communication between
> OpenStack services that support TLS termination. The OpenStack services
> that support backend TLS termination in Victoria are: Nova, Ironic,
> Neutron, Keystone, Glance, Heat, Placement, Horizon, Barbican, and
> Cinder.

Missing from here is Senlin, and looking at the same document from
subsequent OpenStack releases suggests this hasn't changed. I don't
know if this is a relevant issue to the problem I've been having (to
be fair, I don't see Octavia, which we've also been using, on the list,
even though we also haven't been having issues with Octavia certs).

Is this something that I can fix via configuration, or is this a thing
wherein we need to change how Kolla deploys Senlin, or even add SSL
termination to the Senlin service?

Any help on this would be greatly appreciated.

Thanks,

Rob

[1] https://github.com/openstack/kolla-ansible/blob/stable/xena/doc/source/admin/tls.rst#back-end-tls-configuration
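Added example, not part of the post above or of the Kolla/Senlin code: a small stdlib-only Python diagnostic that takes the error text quoted in the post, works out which endpoint the service was trying to reach, classifies the OpenSSL verification failure, and optionally repeats the handshake from the same container with an explicit CA bundle. The point is that "self signed certificate in certificate chain" means the server presented a chain that ends in a CA the client's trust store does not contain, so the check is whether the CA bundle the other services trust is present for this one; the CA path used in the `__main__` block is a placeholder assumption.

```python
"""Added example (not from the thread): classify a Keystone TLS verification
failure and re-probe the endpoint with a chosen CA bundle.

The CA bundle path used at the bottom is a placeholder assumption.
"""
from __future__ import annotations

import re
import socket
import ssl
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed from the error text in the post; not captured from a live system.
SAMPLE_ERROR = (
    "SSL exception connecting to https://internal:35357: HTTPSConnectionPool("
    "host='internal', port=35357): Max retries exceeded with url: / (Caused by "
    "SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] "
    "certificate verify failed: self signed certificate in certificate chain "
    "(_ssl.c:1131)')))"
)

# Ordered: the more specific "in certificate chain" wording must be tested
# before the bare "self signed certificate" wording.
_REASONS = [
    ("self signed certificate in certificate chain", "ca_not_in_trust_store"),
    ("unable to get local issuer certificate", "ca_not_in_trust_store"),
    ("self signed certificate", "leaf_is_self_signed"),
    ("hostname mismatch", "hostname_mismatch"),
    ("certificate has expired", "expired"),
]


def classify_ssl_error(message: str) -> str:
    """Map an OpenSSL verification message to a coarse cause."""
    lower = message.lower()
    for needle, reason in _REASONS:
        if needle in lower:
            return reason
    return "unknown"


def extract_auth_url(message: str) -> Optional[str]:
    """Pull the 'SSL exception connecting to <url>' target out of the error."""
    match = re.search(r"connecting to (https?://[^\s:]+(?::\d+)?)", message)
    return match.group(1) if match else None


def endpoint_host_port(url: str) -> Tuple[str, int]:
    """Extract host and port from an auth_url; default 443 for https, 80 for http."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def probe(host: str, port: int, cafile: Optional[str] = None,
          timeout: float = 5.0) -> dict:
    """Handshake with the endpoint using the given CA bundle (None = system store).

    Returns a dict describing either the presented certificate or the
    classified verification failure, so the result can be compared between
    a container that works (e.g. Heat) and one that does not.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                issuer = dict(item[0] for item in cert.get("issuer", ()))
                return {"ok": True, "issuer_cn": issuer.get("commonName"),
                        "not_after": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "reason": classify_ssl_error(str(exc)),
                "detail": str(exc)}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "reason": "connection_error", "detail": str(exc)}


if __name__ == "__main__":
    url = extract_auth_url(SAMPLE_ERROR)
    host, port = endpoint_host_port(url)
    print(f"error text points at {host}:{port}, "
          f"cause: {classify_ssl_error(SAMPLE_ERROR)}")
    # Placeholder assumption: the CA bundle the service container should trust.
    print(probe(host, port, cafile="/path/to/placeholder-ca-bundle.pem"))
```

Run it from inside the failing container and then from inside one of the working ones: if `probe()` succeeds only when `cafile` points at the deployment CA, the certificate chain itself is fine and the gap is that this container never received that CA, which is a distribution problem rather than something `verify_ssl` can paper over.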
