openstack commands on the undercloud fail with (Caused by SSLError(PermissionError(13, 'Permission denied'),))

Bug #1788257 reported by Alex Schultz
This bug affects 3 people
Affects: tripleo
Status: Fix Released
Importance: Medium
Assigned to: Juan Antonio Osorio Robles

Bug Description

After installing an undercloud on fedora28 and trying to:

(undercloud) [stack@node ~]$ openstack endpoint list
Failed to discover available identity versions when contacting https://192.168.24.2:13000/. Attempting to parse version from URL.
Could not find versioned identity endpoints when attempting to authenticate. Please check that your auth_url is correct. SSL exception connecting to https://192.168.24.2:13000/: HTTPSConnectionPool(host='192.168.24.2', port=13000): Max retries exceeded with url: / (Caused by SSLError(PermissionError(13, 'Permission denied'),))

I traced this back to the cm-local-ca.pem file being too restricted.

(undercloud) [stack@undercloud ~]$ ls -al /etc/pki/ca-trust/source/anchors/cm-local-ca.pem
-rw-------. 1 root root 1577 Aug 21 17:46 /etc/pki/ca-trust/source/anchors/cm-local-ca.pem

Workaround:
  sudo chmod a+r /etc/pki/ca-trust/source/anchors/cm-local-ca.pem

Changed in tripleo:
milestone: stein-1 → stein-2
Changed in tripleo:
milestone: stein-2 → stein-3
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/631210

Changed in tripleo:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/631210
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=5d6201f9fc97c525913e1aded8edd85de60ab528
Submitter: Zuul
Branch: master

commit 5d6201f9fc97c525913e1aded8edd85de60ab528
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Wed Jan 16 14:43:54 2019 +0200

    Explicitly set certmonger's CA cert's permissions

    We were relying on the default permissions that were being set by the
    command that extracts the certificate into a PEM file. This wasn't the
    right approach, as it could be too restrictive in some setups.

    Here, we explicitly tell puppet to set the appropriate permissions
    instead.

    Given this is a certificate file, and there's no private key involved,
    we can set it as world readable (0644), as folks in the system need to
    access the file.

    Change-Id: I4b2cb1071e3fd5a1277d54b86822e8fef2df0d78
    Closes-bug: #1788257

Changed in tripleo:
status: In Progress → Fix Released
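Added here as an example, not code from the bug report or from the puppet-tripleo change (which sets the mode through Puppet, not a script): a small POSIX shell check for the condition the report describes, a CA trust anchor that is not readable by the non-root user running the openstack client, together with a guarded version of the 0644 fix the merged commit describes. The guard matters because the commit's reasoning holds only for a certificate file; the same mode on a file holding private key material would expose the key, so the fixer refuses those. The directory, file names and PEM bodies in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example; not code from the bug report or from the puppet-tripleo fix.
# Checks whether a CA trust anchor is readable by every local user and, if not,
# sets the 0644 mode the fix uses, refusing to touch any private key material.

# Return 0 when FILE is readable by "other" (world-readable), 1 otherwise.
# Column 8 of `ls -ld` output is the read bit for "other".
anchor_is_world_readable() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Return 0 when FILE contains a PEM private key block (any "... PRIVATE KEY" header).
contains_private_key() {
    grep -q 'PRIVATE KEY' "$1"
}

# Set FILE to mode 0644, as the fix does for the certmonger CA cert, but only
# when it holds no private key. Prints "fixed", "refused" or "missing" and
# returns 0 only on success.
fix_anchor_mode() {
    if [ ! -f "$1" ]; then
        echo "missing"
        return 1
    fi
    if contains_private_key "$1"; then
        echo "refused"
        return 1
    fi
    chmod 0644 "$1" || return 1
    echo "fixed"
}

# Constructed demo: a throwaway anchors directory holding a CA cert that is too
# restrictive (0600, as in the report) and a key that must stay private.
# The PEM bodies are placeholders, not real certificates or keys.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA-CERT-BODY' \
        '-----END CERTIFICATE-----' > "$d/cm-local-ca.pem"
    chmod 0600 "$d/cm-local-ca.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY-BODY' \
        '-----END PRIVATE KEY-----' > "$d/key.pem"
    chmod 0600 "$d/key.pem"
    for f in "$d/cm-local-ca.pem" "$d/key.pem"; do
        if anchor_is_world_readable "$f"; then
            echo "$f: world-readable, ok"
        else
            echo "$f: not world-readable -> $(fix_anchor_mode "$f" || true)"
        fi
    done
    rm -rf "$d"
}

demo
```

Run against a real anchors directory, the check is the part worth keeping: `anchor_is_world_readable /etc/pki/ca-trust/source/anchors/cm-local-ca.pem` returns non-zero in exactly the state the report shows (`-rw-------`), while the fix should normally be left to configuration management so it is not undone on the next run.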
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/631512

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/631513

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/rocky)

Reviewed: https://review.openstack.org/631512
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=035c834e029cf317ac9bf14011faa7aac28b4a39
Submitter: Zuul
Branch: stable/rocky

commit 035c834e029cf317ac9bf14011faa7aac28b4a39
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Wed Jan 16 14:43:54 2019 +0200

    Explicitly set certmonger's CA cert's permissions

    We were relying on the default permissions that were being set by the
    command that extracts the certificate into a PEM file. This wasn't the
    right approach, as it could be too restrictive in some setups.

    Here, we explicitly tell puppet to set the appropriate permissions
    instead.

    Given this is a certificate file, and there's no private key involved,
    we can set it as world readable (0644), as folks in the system need to
    access the file.

    Change-Id: I4b2cb1071e3fd5a1277d54b86822e8fef2df0d78
    Closes-bug: #1788257
    (cherry picked from commit 5d6201f9fc97c525913e1aded8edd85de60ab528)

tags: added: in-stable-rocky
tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/queens)

Reviewed: https://review.openstack.org/631513
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=dd92d595daabc7d284b3a131cd1ebfe97985120d
Submitter: Zuul
Branch: stable/queens

commit dd92d595daabc7d284b3a131cd1ebfe97985120d
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Wed Jan 16 14:43:54 2019 +0200

    Explicitly set certmonger's CA cert's permissions

    We were relying on the default permissions that were being set by the
    command that extracts the certificate into a PEM file. This wasn't the
    right approach, as it could be too restrictive in some setups.

    Here, we explicitly tell puppet to set the appropriate permissions
    instead.

    Given this is a certificate file, and there's no private key involved,
    we can set it as world readable (0644), as folks in the system need to
    access the file.

    Change-Id: I4b2cb1071e3fd5a1277d54b86822e8fef2df0d78
    Closes-bug: #1788257
    (cherry picked from commit 5d6201f9fc97c525913e1aded8edd85de60ab528)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 8.4.0

This issue was fixed in the openstack/puppet-tripleo 8.4.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 10.3.0

This issue was fixed in the openstack/puppet-tripleo 10.3.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 9.4.0

This issue was fixed in the openstack/puppet-tripleo 9.4.0 release.
