API endpoint SSL does not match the VIP address, API unusable

Bug #1758016 reported by Miguel Angel Ajo
Affects: tripleo | Status: Expired | Importance: Wishlist | Assigned to: Unassigned | Milestone: none

Bug Description

After a simple deployment with:

bash ./quickstart.sh --teardown all --release master-tripleo-ci --nodes config/nodes/3ctlr_1comp.yml --config config/general_config/pacemaker.yml 127.0.0.2

Later in the undercloud I prepare the containers, and then do the deploy.

I end up in:

$ source overcloudrc

$ openstack server list --all
Certificate did not match expected hostname: 10.0.0.8. Certificate: {'subjectAltName': [('IP Address', '10.0.0.5')], 'subject': ((('commonName', u'10.0.0.5'),),)}
Failed to discover available identity versions when contacting https://10.0.0.8:13000//v3. Attempting to parse version from URL.
Could not determine a suitable URL for the plugin

Miguel Angel Ajo (mangelajo) wrote :

(overcloud) [stack@undercloud ~]$ cat overcloud_create_ssl_cert.log
2018-03-21 14:25:05 | + openssl genrsa 2048
2018-03-21 14:25:05 | + openssl req -new -x509 -key /home/stack/overcloud-ca-privkey.pem -out /home/stack/overcloud-cacert.pem -days 365 -subj '/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=OOOQ/CN=overcloud'
2018-03-21 14:25:05 | + sudo cp /home/stack/overcloud-cacert.pem /etc/pki/ca-trust/source/anchors/
2018-03-21 14:25:05 | + sudo update-ca-trust extract
2018-03-21 14:25:06 | + openssl req -newkey rsa:2048 -days 365 -nodes -keyout /home/stack/server-key.pem -out /home/stack/server-req.pem -subj '/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=OOOQ/CN=10.0.0.5' -reqexts subjectAltName -config /dev/fd/63
2018-03-21 14:25:06 | ++ printf '[subjectAltName]\nsubjectAltName=IP:10.0.0.5\n[req]req_extensions = v3_req\ndistinguished_name=req_distinguished_name\n[req_distinguished_name]'
2018-03-21 14:25:06 | Generating a 2048 bit RSA private key
2018-03-21 14:25:06 | ...........+++
2018-03-21 14:25:06 | ..............+++
2018-03-21 14:25:06 | writing new private key to '/home/stack/server-key.pem'
2018-03-21 14:25:06 | -----
2018-03-21 14:25:06 | + openssl rsa -in /home/stack/server-key.pem -out /home/stack/server-key.pem
2018-03-21 14:25:06 | writing RSA key
2018-03-21 14:25:06 | + openssl x509 -req -in server-req.pem -days 365 -CA /home/stack/overcloud-cacert.pem -CAkey /home/stack/overcloud-ca-privkey.pem -set_serial 01 -out /home/stack/server-cert.pem -extensions subjectAltName -extfile /dev/fd/63
2018-03-21 14:25:06 | ++ printf '[subjectAltName]\nsubjectAltName=IP:10.0.0.5\n[req]req_extensions = v3_req\ndistinguished_name=req_distinguished_name\n[req_distinguished_name]'
2018-03-21 14:25:06 | Signature ok
2018-03-21 14:25:06 | subject=/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=OOOQ/CN=10.0.0.5
2018-03-21 14:25:06 | Getting CA Private Key

The IP used for the cert generation doesn't match the IP address of the VIP.

no longer affects: tripleo-quickstart
Changed in tripleo:
status: New → Triaged
importance: Undecided → Medium
milestone: none → rocky-1
Changed in tripleo:
milestone: rocky-1 → rocky-2
Changed in tripleo:
milestone: rocky-2 → rocky-3
Changed in tripleo:
importance: Medium → High
Daniel Alvarez (dalvarezs) wrote :

A workaround so far that Ajo pointed out:

- Edit overcloud-create-ssl-cert.sh so that it points to the correct VIP
- Execute the above script to generate the necessary certs
- Paste both server-cert.pem and server-key.pem contents into enable-tls.yaml
- Execute overcloud-deploy.sh script again to deploy the new certs
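
As an added check (not part of the bug report or of tripleo-quickstart's own scripts), the code below reproduces the client-side decision behind the "Certificate did not match expected hostname" error in the description, using the same peer-cert dict layout the error printed, and san_extfile builds the openssl -extfile text that the log's printf produced, but from the full list of addresses the API is served on, so the certs pasted into enable-tls.yaml in the workaround above can be validated before redeploying. OVERCLOUD_CERT is constructed from the values on this page; the DNS-name and wildcard handling goes beyond the IP-only case the bug shows.

```python
import ipaddress

# Constructed from the certificate details in the bug's error output; same
# dict layout that ssl.SSLSocket.getpeercert() hands to the client.
OVERCLOUD_CERT = {
    "subjectAltName": [("IP Address", "10.0.0.5")],
    "subject": ((("commonName", "10.0.0.5"),),),
}


def _as_ip(value):
    """ipaddress object for an IP literal, None for a DNS name."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _dns_match(pattern, hostname):
    """Case-insensitive DNS-ID match allowing one leftmost wildcard label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    pat, host = pattern.split(".")[1:], hostname.split(".")
    # '*.example.org' matches neither 'example.org' nor 'a.b.example.org'.
    return len(host) == len(pat) + 1 and host[1:] == pat


def endpoint_matches_cert(cert, endpoint):
    """Return (ok, reason) for the host part of an API URL against a cert.

    Only subjectAltName entries count (IP literal vs 'IP Address', name vs
    'DNS'); the commonName is ignored, as modern clients no longer fall back
    to it, so a SAN-less cert with CN=10.0.0.5 fails even for 10.0.0.5.
    """
    sans = tuple(cert.get("subjectAltName", ()))
    ip = _as_ip(endpoint)
    for kind, value in sans:
        if ip is not None and kind == "IP Address" and _as_ip(value) == ip:
            return True, "IP SAN %s matches" % value
        if ip is None and kind == "DNS" and _dns_match(value, endpoint):
            return True, "DNS SAN %s matches" % value
    have = ", ".join("%s:%s" % s for s in sans) or "none"
    return False, "no subjectAltName covers %s (cert has %s)" % (endpoint, have)


def san_extfile(endpoints):
    """openssl -extfile text listing every API address as a SAN entry."""
    entries = [("IP:" if _as_ip(ep) is not None else "DNS:") + ep for ep in endpoints]
    return "[subjectAltName]\nsubjectAltName=" + ",".join(entries) + "\n"
```

Running endpoint_matches_cert(OVERCLOUD_CERT, "10.0.0.8") returns the same verdict the openstack client reached, while "10.0.0.5" passes; feeding the real VIP list to san_extfile gives the extfile the cert script should have used.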

Changed in tripleo:
milestone: rocky-3 → rocky-rc1
Changed in tripleo:
milestone: rocky-rc1 → stein-1
Changed in tripleo:
milestone: stein-1 → stein-2
Changed in tripleo:
milestone: stein-2 → stein-3
Changed in tripleo:
milestone: stein-3 → stein-rc1
Changed in tripleo:
milestone: stein-rc1 → train-1
Changed in tripleo:
milestone: train-1 → train-2
Changed in tripleo:
milestone: train-2 → train-3
Changed in tripleo:
milestone: train-3 → ussuri-1
Changed in tripleo:
milestone: ussuri-1 → ussuri-2
wes hayutin (weshayutin)
Changed in tripleo:
milestone: ussuri-2 → ussuri-3
wes hayutin (weshayutin)
Changed in tripleo:
status: Triaged → Incomplete
wes hayutin (weshayutin)
Changed in tripleo:
milestone: ussuri-3 → ussuri-rc3
wes hayutin (weshayutin)
Changed in tripleo:
milestone: ussuri-rc3 → victoria-1
Changed in tripleo:
milestone: victoria-1 → victoria-3
Changed in tripleo:
importance: High → Wishlist
Changed in tripleo:
milestone: victoria-3 → wallaby-1
Changed in tripleo:
milestone: wallaby-1 → wallaby-2
Changed in tripleo:
milestone: wallaby-2 → wallaby-3
Marios Andreou (marios-b) wrote :

Bug status has been set to 'Incomplete' and target milestone has been removed due to inactivity. If you disagree please re-set these values and reach out to us on freenode #tripleo

Changed in tripleo:
milestone: wallaby-3 → none
Launchpad Janitor (janitor) wrote :

[Expired for tripleo because there has been no activity for 60 days.]

Changed in tripleo:
status: Incomplete → Expired