Sometimes, when using SSL in the undercloud, the undercloud installation fails with the following error in undercloud_install.log [1]:
2017-08-22 14:34:54 | 2017-08-22 14:34:54,849 INFO: Error: /Stage[main]/Keystone::Roles::Admin/Keystone_user[admin]: Could not evaluate: Execution of '/bin/openstack token issue --format value' returned 1: Unable to establish connection to https://192.168.24.2:13000/v3/auth/tokens: HTTPSConnectionPool(host='192.168.24.2', port=13000): Max retries exceeded with url: /v3/auth/tokens (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x3f77f90>: Failed to establish a new connection: [Errno 111] Connection refused',)) (tried 34, for a total of 170 seconds)
Digging in the logs, I found the following error when starting haproxy in the messages file [2]:
Aug 22 14:29:16 undercloud systemd: Started HAProxy Load Balancer.
Aug 22 14:29:16 undercloud systemd: Starting HAProxy Load Balancer...
Aug 22 14:29:16 undercloud certmonger: Certificate in file "/etc/pki/tls/certs/undercloud-front.crt" issued by CA and saved.
Aug 22 14:29:16 undercloud haproxy-systemd-wrapper: [ALERT] 233/142916 (1279) : parsing [/etc/haproxy/haproxy.cfg:107] : 'bind 192.168.24.2:13050' : unable to load SSL private key from PEM file '/etc/pki/tls/certs/undercloud-192.168.24.2.pem'.
Aug 22 14:29:16 undercloud haproxy-systemd-wrapper: [ALERT] 233/142916 (1279) : parsing [/etc/haproxy/haproxy.cfg:123] : 'bind 192.168.24.2:13000' : unable to load SSL private key from PEM file '/etc/pki/tls/certs/undercloud-192.168.24.2.pem'.
Aug 22 14:29:16 undercloud haproxy-systemd-wrapper: [ALERT] 233/142916 (1279) : parsing [/etc/haproxy/haproxy.cfg:134] : 'bind 192.168.24.2:13989' : unable to load SSL private key from PEM file '/etc/pki/tls/certs/undercloud-192.168.24.2.pem'.
Aug 22 14:29:16 undercloud haproxy-systemd-wrapper: [ALERT] 233/142916 (1279) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
Aug 22 14:29:16 undercloud haproxy-systemd-wrapper: [WARNING] 233/142916 (1279) : config : missing timeouts for proxy 'rabbitmq'.
Aug 22 14:29:16 undercloud haproxy-systemd-wrapper: | While not properly invalid, you will certainly encounter various problems
Aug 22 14:29:16 undercloud haproxy-systemd-wrapper: | with such a configuration. To fix this, please ensure that all following
Aug 22 14:29:16 undercloud haproxy-systemd-wrapper: | timeouts are set to a non-zero value: 'client', 'connect', 'server'.
Aug 22 14:29:16 undercloud haproxy-systemd-wrapper: [WARNING] 233/142916 (1279) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.
Aug 22 14:29:16 undercloud haproxy-systemd-wrapper: [ALERT] 233/142916 (1279) : Proxy 'ironic-inspector': no SSL certificate specified for bind '192.168.24.2:13050' at [/etc/haproxy/haproxy.cfg:107] (use 'crt').
Aug 22 14:29:16 undercloud haproxy-systemd-wrapper: [ALERT] 233/142916 (1279) : Proxy 'keystone_public': no SSL certificate specified for bind '192.168.24.2:13000' at [/etc/haproxy/haproxy.cfg:123] (use 'crt').
Aug 22 14:29:16 undercloud haproxy-systemd-wrapper: [ALERT] 233/142916 (1279) : Proxy 'mistral': no SSL certificate specified for bind '192.168.24.2:13989' at [/etc/haproxy/haproxy.cfg:134] (use 'crt').
Aug 22 14:29:16 undercloud haproxy-systemd-wrapper: [ALERT] 233/142916 (1279) : Fatal errors found in configuration.
Aug 22 14:29:16 undercloud haproxy-systemd-wrapper: haproxy-systemd-wrapper: exit, haproxy RC=1
Aug 22 14:29:16 undercloud systemd: haproxy.service: main process exited, code=exited, status=1/FAILURE
Aug 22 14:29:16 undercloud systemd: Unit haproxy.service entered failed state.
Aug 22 14:29:16 undercloud systemd: haproxy.service failed.
Aug 22 14:29:16 undercloud systemd: Unit haproxy.service cannot be reloaded because it is inactive.
This issue is intermittent, so my guess is that it may be some kind of race condition between certificate creation and haproxy restart.
[1] https://ci.centos.org/artifacts/rdo/jenkins-tripleo-quickstart-promote-master-current-tripleo-delorean-minimal-256/undercloud/home/stack/undercloud_install.log.gz
[2] https://ci.centos.org/artifacts/rdo/jenkins-tripleo-quickstart-promote-master-current-tripleo-delorean-minimal-256/undercloud/var/log/messages.gz
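An added example, not part of the original bug report or the TripleO code: a small triage script for the /var/log/messages excerpt above that lists the binds failing on the PEM file and flags when the failure shares a timestamp with a certmonger save and an HAProxy start, which is the pattern the race-condition guess would produce. The sample input is a constructed, trimmed copy of the quoted log lines, and same-second correlation is a heuristic, not proof of cause.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the /var/log/messages excerpt quoted above.
SAMPLE = """\
Aug 22 14:29:16 undercloud systemd: Starting HAProxy Load Balancer...
Aug 22 14:29:16 undercloud certmonger: Certificate in file "/etc/pki/tls/certs/undercloud-front.crt" issued by CA and saved.
Aug 22 14:29:16 undercloud haproxy-systemd-wrapper: [ALERT] 233/142916 (1279) : parsing [/etc/haproxy/haproxy.cfg:107] : 'bind 192.168.24.2:13050' : unable to load SSL private key from PEM file '/etc/pki/tls/certs/undercloud-192.168.24.2.pem'.
Aug 22 14:29:16 undercloud haproxy-systemd-wrapper: [ALERT] 233/142916 (1279) : parsing [/etc/haproxy/haproxy.cfg:123] : 'bind 192.168.24.2:13000' : unable to load SSL private key from PEM file '/etc/pki/tls/certs/undercloud-192.168.24.2.pem'.
"""

# syslog line: "<Mon DD HH:MM:SS> <host> <program>: <message>"
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ([\w.-]+): (.*)$")
SAVED = re.compile(r'Certificate in file "([^"]+)" issued by CA and saved')
KEYFAIL = re.compile(
    r"'bind ([^']+)' : unable to load SSL private key from PEM file '([^']+)'")
START = "Starting HAProxy Load Balancer"


def triage(text):
    """Return per-PEM findings: the binds that failed, and whether a failure
    shares a timestamp with a certmonger save and an haproxy start.
    Correlation is by time only (1-second syslog resolution)."""
    saves, starts = set(), set()
    fails = defaultdict(lambda: {"binds": [], "stamps": set()})
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, prog, msg = m.groups()
        if prog == "certmonger" and SAVED.search(msg):
            saves.add(stamp)
        elif prog == "systemd" and START in msg:
            starts.add(stamp)
        elif prog.startswith("haproxy"):
            k = KEYFAIL.search(msg)
            if k:
                fails[k.group(2)]["binds"].append(k.group(1))
                fails[k.group(2)]["stamps"].add(stamp)
    return {pem: {"binds": f["binds"],
                  "possible_race": bool(f["stamps"] & saves & starts)}
            for pem, f in fails.items()}


if __name__ == "__main__":
    for pem, info in triage(SAMPLE).items():
        print(pem, info)
```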
Fix proposed to branch: master
Review: https://review.openstack.org/496501