kolla-ansible tls on external vip is broken

Bug #1642233 reported by Javier Castillo
This bug affects 3 people
Affects: kolla-ansible | Status: Fix Released | Importance: High | Assigned to: Unassigned

Bug Description

Hi

when deploying with TLS/self-signed certificates, the "init-runonce" tool fails because it executes glance, nova and neutron without the "--insecure" flag, so they report:

SSL exception connecting to https://X.X.X.X:9292/v2/images: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)

NOTE(pbourke): This seems to be a problem during deploy as Pierre notes below, currently it seems tls on the external vip for Kolla is broken. Bumping to high priority.

Changed in kolla:
importance: Undecided → Medium
affects: kolla → kolla-ansible
Changed in kolla-ansible:
milestone: none → ocata-2
status: New → Confirmed
Changed in kolla-ansible:
milestone: ocata-2 → ocata-3
Changed in kolla-ansible:
milestone: ocata-3 → ocata-rc1
Revision history for this message
Eduardo Gonzalez (egonzalez90) wrote :

This should not be an issue, as init-runonce runs against the internal API network, which is not under SSL. Another possible cause is a custom adminrc file pointing to the external network, or a service not correctly handling the interface to internal.
Could you provide more information about your config and at which step it fails?

Changed in kolla-ansible:
milestone: ocata-rc1 → ocata-rc2
milestone: ocata-rc2 → pike-1
Revision history for this message
Eduardo Gonzalez (egonzalez90) wrote :

Can you please provide the information previously requested?

Changed in kolla-ansible:
milestone: pike-2 → pike-3
Changed in kolla-ansible:
milestone: pike-3 → pike-rc1
Changed in kolla-ansible:
milestone: pike-rc1 → pike-rc2
milestone: pike-rc2 → queens-1
Revision history for this message
Pierre Hanselmann (pierre-hanselmann) wrote :

I have this when I set 2 VIPs (internal/external) with the following parameters in globals:

kolla_internal_vip_address: "10.56.19.100"
kolla_internal_fqdn: "openstack-int.mydomain.com"
kolla_external_vip_address: "10.56.19.101"
kolla_external_fqdn: "openstack.mydomain.com"
kolla_enable_tls_external: on

Prechecks are all good. Then at deploy I got this:
The task "Creating default user role" fails with:
fatal: [localhost]: FAILED! => {"attempts": 10, "changed": false, "failed": true, "msg": "SSL exception connecting to https://openstack.mydomain.com:5000: HTTPSConnectionPool(host='openstack.mydomain.com', port=5000): Max retries exceeded with url: / (Caused by SSLError(SSLError(\"bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)\",),))"}

As you can see, it points to the external service. I didn't change/override any parameters from all_vars... I dug into the ansible roles/stuff... and indeed it should point to the internal one... So far I'm not able to explain how it ends up pointing to the external one... Could you reproduce it?
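
A small diagnostic, added here and not part of the bug report or of kolla-ansible itself, that derives the internal and external keystone URLs from the globals quoted in this comment (assuming, as the comment does, that the internal endpoint stays plain HTTP on port 5000 and only the external VIP is HTTPS) and classifies an Ansible SSL failure message by which endpoint it actually reached:

```python
import re
from urllib.parse import urlparse

# Constructed from the globals quoted in the comment above; these are the
# reporter's values, not a real deployment.
GLOBALS = {
    "kolla_internal_vip_address": "10.56.19.100",
    "kolla_internal_fqdn": "openstack-int.mydomain.com",
    "kolla_external_vip_address": "10.56.19.101",
    "kolla_external_fqdn": "openstack.mydomain.com",
    "kolla_enable_tls_external": "yes",
}
KEYSTONE_PORT = 5000  # the port the failing task connected to

def expected_auth_urls(g):
    """Assumption: TLS is enabled on the external VIP only, so the internal
    keystone endpoint is http:// and the external one is https://."""
    tls_ext = str(g.get("kolla_enable_tls_external", "no")).lower() in ("yes", "true", "on")
    scheme = "https" if tls_ext else "http"
    internal = f"http://{g['kolla_internal_fqdn']}:{KEYSTONE_PORT}"
    external = f"{scheme}://{g['kolla_external_fqdn']}:{KEYSTONE_PORT}"
    return internal, external

# Captures the "<scheme>://<host>[:<port>]" part of "SSL exception connecting to ..."
ERR_RE = re.compile(r"SSL exception connecting to (https?://[^\s:/]+(?::\d+)?)")

def classify_failure(msg, g):
    """Return 'internal', 'external' or 'unknown' for the host in the failure
    message, so a deploy that wrongly hits the TLS-fronted external VIP is caught."""
    m = ERR_RE.search(msg)
    if not m:
        return "unknown"
    host = urlparse(m.group(1)).hostname
    if host in (g["kolla_external_fqdn"], g["kolla_external_vip_address"]):
        return "external"
    if host in (g["kolla_internal_fqdn"], g["kolla_internal_vip_address"]):
        return "internal"
    return "unknown"

# Trimmed copy of the failure message quoted in this comment.
FAILURE = ("SSL exception connecting to https://openstack.mydomain.com:5000: "
           "HTTPSConnectionPool(host='openstack.mydomain.com', port=5000): "
           "Max retries exceeded")

if __name__ == "__main__":
    print(expected_auth_urls(GLOBALS))
    print(classify_failure(FAILURE, GLOBALS))
```

A result of "external" for a task that is supposed to use openstack_keystone_auth confirms the misrouting described in this thread; the remedy is pointing the task at the internal URL or trusting the external CA, not disabling verification.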

Revision history for this message
Pierre Hanselmann (pierre-hanselmann) wrote :

I'm looking here:
https://git.openstack.org/cgit/openstack/kolla-ansible/tree/ansible/roles/keystone/tasks/register.yml#n10

and indeed it should use openstack_keystone_auth, which is set to the internal one according to what we find in all_vars... but for some reason it goes to the external one.

Revision history for this message
Pierre Hanselmann (pierre-hanselmann) wrote :

https://git.openstack.org/cgit/openstack/kolla-ansible/tree/ansible/roles/keystone/defaults/main.yml#n76
which should be set in:
https://git.openstack.org/cgit/openstack/kolla-ansible/tree/ansible/group_vars/all.yml#n309

I don't find other assignments to openstack_keystone_auth in ansible... I've missed something for now... (var_files: main.yaml is not set for the keystone role in site.yaml... will play around with this tomorrow)

Changed in kolla-ansible:
importance: Medium → High
description: updated
summary: - SSL problem: init-runonce
+ kolla-ansible tls on external vip is broken
Revision history for this message
Pierre Hanselmann (pierre-hanselmann) wrote :

This has been fixed on the review:
https://review.openstack.org/#/c/509186/

Changed in kolla-ansible:
status: Confirmed → Fix Committed
Changed in kolla-ansible:
status: Fix Committed → Fix Released