Forcing SSL on Fuel break things
Bug #1526180 reported by
planetrobbie
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Fuel for OpenStack |
Invalid
|
High
|
Stanislaw Bogatkin | ||
7.0.x |
Invalid
|
High
|
MOS Maintenance |
Bug Description
It's documented that it's possible to force Fuel UI to only respond to HTTPS and redirect users that connect to HTTP toward HTTPS.
But if I do what's documented :
# vi /etc/fuel/
to add
SSL:
force_https: true
It breaks nailgun-agent on nodes which gets a Moved answer and so cannot send their heartbeat to Fuel which sees them as OFFLINE. Removing the force line fix things back.
Changed in fuel: | |
milestone: | none → 8.0 |
assignee: | nobody → Fuel Python Team (fuel-python) |
importance: | Undecided → High |
status: | New → Confirmed |
Changed in fuel: | |
assignee: | Fuel Python Team (fuel-python) → Stanislaw Bogatkin (sbogatkin) |
tags: | added: area-python |
tags: |
added: area-library team-bugfix removed: area-python |
Changed in fuel: | |
status: | Incomplete → Invalid |
To post a comment you must log in.
Hi planetrobbie,
could you, please, give us some information about your installation ISO? Diagnostic snapshot also would be nice to have. We need this, cause on last fuel ISO I don't have this problem - nailgun-agent don't move from HTTPS to HTTP due that fact it tries HTTPS first. Anyway - if I add
SSL:
force_https: true
to /etc/fuel/ astute. yaml and rebuild nginx container - nailgun-agent contunues work flawlessly, according to logs:
I, [2015-12- 15T12:52: 23.283748 #7205] INFO -- : API URL is https:/ /10.109. 0.2:8443/ api 15T12:52: 33.876358 #7205] ERROR -- : execution expired lib/ruby/ 1.9.1/openssl/ buffering. rb:53:in `sysread'", "/usr/lib/ ruby/1. 9.1/openssl/ buffering. rb:53:in `fill_rbuff'", "/usr/lib/ ruby/1. 9.1/openssl/ buffering. rb:200: in `gets'", "/usr/lib/ ruby/vendor_ ruby/httpclient /session. rb:352: in `gets'", "/usr/lib/ ruby/vendor_ ruby/httpclient /session. rb:879: in `block in parse_header'", "/usr/lib/ ruby/vendor_ ruby/httpclient /session. rb:875: in `parse_header'", "/usr/lib/ ruby/vendor_ ruby/httpclient /session. rb:858: in `read_header'", "/usr/lib/ ruby/vendor_ ruby/httpclient /session. rb:667: in `get_header'", "/usr/lib/ ruby/vendor_ ruby/httpclient .rb:1137: in `do_get_header'", "/usr/lib/ ruby/vendor_ ruby/httpclient .rb:1086: in `do_get_block'", "/usr/lib/ ruby/vendor_ ruby/httpclient .rb:887: in `block in do_request'", "/usr/lib/ ruby/vendor_ ruby/httpclient .rb:981: in `protect_ keep_alive_ disconnected' ", "/usr/lib/ ruby/vendor_ ruby/httpclient .rb:886: in `do_request'", "/usr/lib/ ruby/vendor_ ruby/httpclient .rb:774: in `request'", "/usr/lib/ ruby/vendor_ ruby/httpclient .rb:689: in `put'", "/usr/bin/ nailgun- agent:199: in `put'", "/usr/bin/ nailgun- agent:776: in `<main>'"] 15T12:53: 07.140213 #12024] INFO -- : API URL is https:/ /10.109. 0.2:8443/ api 15T12:53: 07.852799 #12024] INFO -- : MCollective is up to date with identity = 2 15T12:53: 07.853078 #12024] INFO -- : Wrote data to file '/etc/nailgun_uid'. Data: 2
at depth 0 - 18: self signed certificate
E, [2015-12-
["/usr/
at depth 0 - 18: self signed certificate
I, [2015-12-
at depth 0 - 18: self signed certificate
I, [2015-12-
I, [2015-12-
You can see execution expired in this log - it was time when I added force_ssl, destroyed nginx container and rebuilt it again - API was inaccessible in this period. After container was rebuilt - nailgun-agent continues to work via HTTPS port.