stable/liberty centos-binary-glance image build fails with "Peer's Certificate has expired."

Bug #1547967 reported by Andres Toomsalu
This bug affects 1 person
Affects: kolla
Status: Fix Released
Importance: Critical
Assigned to: Unassigned

Bug Description

When building the glance-base image as centos/binary from the stable/liberty branch, the build errors with the following output:

INFO:__main__:glance-base:Public key for librbd1-0.94.5-0.el7.centos.x86_64.rpm is not installed
INFO:__main__:glance-base:--------------------------------------------------------------------------------
INFO:__main__:glance-base:Total 522 kB/s | 43 MB 01:24
INFO:__main__:glance-base:Retrieving key from https://ceph.com/git/?p=ceph.git;a=blob_plain;f=keys/release.asc
INFO:__main__:glance-base:
INFO:__main__:glance-base:GPG key retrieval failed: [Errno 14] curl#60 - "Peer's Certificate has expired."
INFO:__main__:glance-base:
INFO:__main__:glance-base:Removing intermediate container c93be8957813
ERROR:__main__:glance-base:Error'd with the following message
ERROR:__main__:glance-base:The command '/bin/sh -c yum -y install openstack-glance python-oslo-i18n python-castellan python-cryptography python-rbd python-rados && yum clean all && mkdir -p /etc/ceph/' returned a non-zero code: 1

Happens also with other images that try to retrieve the ceph key.

Andres Toomsalu (andres-active) wrote :

When trying the key download from the build host:

[root@kolla ~]# curl https://ceph.com/git/?p=ceph.git;a=blob_plain;f=keys/release.asc
curl: (60) Peer's Certificate has expired.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

[root@kolla ~]# cat /etc/centos-release
CentOS Linux release 7.2.1511 (Core)

Andres Toomsalu (andres-active) wrote :

Temporary workaround:

* replacing https with http in docker/base/ceph.yum.repo gpgkey urls
* and rebuilding all images...
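
Added example (not part of the bug report or of kolla's code): the workaround above switches the gpgkey URL from https to http, so the package signing key is fetched without TLS. This sketch audits a yum repo file for that and for disabled gpgcheck/sslverify; the sample file, its section names and the example.org URLs are constructed, and only the ceph.com key URL comes from this report.

```python
import configparser

# Constructed sample: the first section models the http workaround from this
# report; it is not the actual contents of docker/base/ceph.yum.repo.
SAMPLE_REPO = """\
[ceph]
name=Ceph packages
baseurl=https://download.example.org/rpm/el7/$basearch
gpgcheck=1
gpgkey=http://ceph.com/git/?p=ceph.git;a=blob_plain;f=keys/release.asc

[ceph-noarch]
name=Ceph noarch packages
baseurl=https://download.example.org/rpm/el7/noarch
gpgcheck=0
sslverify=0
gpgkey=https://keys.example.org/release.asc
       file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
"""


def _disabled(repo, key):
    """True only when the option is explicitly switched off in this section."""
    return repo.get(key, "").strip().lower() in ("0", "false", "no")


def audit_repo(text):
    """Return (section, finding) tuples for settings that weaken package trust."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        repo = cp[section]
        # gpgkey may list several URLs separated by spaces or continuation lines
        for url in repo.get("gpgkey", "").split():
            if url.lower().startswith(("http://", "ftp://")):
                findings.append((section, "gpgkey fetched without TLS: " + url))
        for key in ("gpgcheck", "sslverify"):
            if _disabled(repo, key):
                findings.append((section, key + " disabled"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_repo(SAMPLE_REPO):
        print("[%s] %s" % (section, finding))
```

Run it against each repo file baked into an image before re-enabling https on the gpgkey URL; an empty result means none of the three weakened settings is present.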

Steven Dake (sdake) wrote :

It looks to me like ceph's key is expired, but I'm not certain.

Changed in kolla:
status: New → Triaged
importance: Undecided → High
milestone: none → mitaka-3
Andres Toomsalu (andres-active) wrote :

The git.ceph.com SSL cert seems to be valid until 23. April 2016 2:59.59. It was issued by Comodo - perhaps there is some issue with the latest CentOS 7 ca-certificates package so that rpm/curl SSL cert validation fails?

Steven Dake (sdake)
Changed in kolla:
milestone: mitaka-3 → mitaka-rc1
importance: High → Medium
Steven Dake (sdake)
Changed in kolla:
milestone: mitaka-rc1 → mitaka-rc2
Steven Dake (sdake) wrote :

I was not able to confirm this issue exists in rc1, so removing from rc2. Targeted to liberty 1.1.0.

Changed in kolla:
milestone: mitaka-rc2 → liberty-1.1.0
no longer affects: kolla/liberty
Ryan Hallisey (rthall14) wrote :
Changed in kolla:
status: Triaged → Fix Committed
Steven Dake (sdake)
Changed in kolla:
importance: Medium → Critical
shake.chen (shake-chen)
Changed in kolla:
status: Fix Committed → Fix Released