os_keystone_domain role failure: Could not find a suitable TLS CA certificate bundle, invalid path: /etc/ipa/ca.crt

Bug #1880863 reported by Waldemar Znoinski
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
Fix Released
Critical
Unassigned

Bug Description

while trying to deploy osp16.1 with newest puddle
core_puddle: RHOS-16.1-RHEL-8-20200525.n.1
the deployment fails with:

TASK [tripleo-keystone-resources : Create default domain] **********************
Tuesday 26 May 2020 16:39:23 +0000 (0:00:00.259) 0:32:17.474 ***********
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: OSError: Could not find a suitable TLS CA certificate bundle, invalid path: /etc/ipa/ca.crt
fatal: [undercloud]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n File \"<stdin>\", line 114, in <module>\n File \"<stdin>\", line 106, in _ansiballz_main\n File \"<stdin>\", line 49, in invoke_module\n File \"/usr/lib64/python3.6/imp.py\", line 235, in load_module\n return load_source(name, filename, file)\n File \"/usr/lib64/python3.6/imp.py\", line 170, in load_source\n module = _exec(spec, sys.modules[name])\n File \"<frozen importlib._bootstrap>\", line 618, in _exec\n File \"<frozen importlib._bootstrap_external>\", line 678, in exec_module\n File \"<frozen importlib._bootstrap>\", line 219, in _call_with_frames_removed\n File \"/tmp/ansible_os_keystone_domain_payload_zdmleczf/__main__.py\", line 185, in <module>\n File \"/tmp/ansible_os_keystone_domain_payload_zdmleczf/__main__.py\", line 145, in main\n File \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\", line 883, in search_domains\n return self.list_domains(**filters)\n File \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\", line 856, in list_domains\n data = self._identity_client.get(\n File \"/usr/lib/python3.6/site-packages/openstack/cloud/_identity.py\", line 32, in _identity_client\n 'identity', min_version=2, max_version='3.latest')\n File \"/usr/lib/python3.6/site-packages/openstack/cloud/openstackcloud.py\", line 406, in _get_versioned_client\n if adapter.get_endpoint():\n File \"/usr/lib/python3.6/site-packages/keystoneauth1/adapter.py\", line 282, in get_endpoint\n return self.session.get_endpoint(auth or self.auth, **kwargs)\n File \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1200, in get_endpoint\n return auth.get_endpoint(self, **kwargs)\n File \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line 380, in get_endpoint\n allow_version_hack=allow_version_hack, **kwargs)\n File \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line 271, in get_endpoint_data\n service_catalog = self.get_access(session).service_catalog\n File \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line 134, in get_access\n self.auth_ref = self.get_auth_ref(session)\n File \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\", line 206, in get_auth_ref\n self._plugin = self._do_create_plugin(session)\n File \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py\", line 138, in _do_create_plugin\n authenticated=False)\n File \"/usr/lib/python3.6/site-packages/keystoneauth1/identity/base.py\", line 610, in get_discovery\n authenticated=authenticated)\n File \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 1442, in get_discovery\n disc = Discover(session, url, authenticated=authenticated)\n File \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 526, in __init__\n authenticated=authenticated)\n File \"/usr/lib/python3.6/site-packages/keystoneauth1/discover.py\", line 101, in get_version_data\n resp = session.get(url, headers=headers, authenticated=authenticated)\n File \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 1098, in get\n return self.request(url, 'GET', **kwargs)\n File \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 888, in request\n resp = send(**kwargs)\n File \"/usr/lib/python3.6/site-packages/keystoneauth1/session.py\", line 979, in _send_request\n resp = self.session.request(method, url, **kwargs)\n File \"/usr/lib/python3.6/site-packages/requests/sessions.py\", line 533, in request\n resp = self.send(prep, **send_kwargs)\n File \"/usr/lib/python3.6/site-packages/requests/sessions.py\", line 646, in send\n r = adapter.send(request, **kwargs)\n File \"/usr/lib/python3.6/site-packages/requests/adapters.py\", line 416, in send\n self.cert_verify(conn, request.url, verify, cert)\n File \"/usr/lib/python3.6/site-packages/requests/adapters.py\", line 228, in cert_verify\n \"invalid path: {}\".format(cert_loc))\nOSError: Could not find a suitable TLS CA certificate bundle, invalid path: /etc/ipa/ca.crt\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

log: https://rhos-ci-jenkins.lab.eng.tlv2.redhat.com/logs/jenkins-phase2-16.1_director-rhel-8.2-virthost-1cont_1comp-ipv4-geneve-lvm-ssl-21/undercloud-0/home/stack/overcloud_install.log.txt.gz

the previous compose (core_puddle: RHOS-16.1-RHEL-8-20200520.n.0
)didn't have this problem:

TASK [tripleo-keystone-resources : Create default domain] **********************
Wednesday 20 May 2020 19:03:03 +0000 (0:00:00.168) 0:23:47.423 *********
ok: [undercloud] => {"changed": false, "domain": {"description": "The default domain", "enabled": true, "id": "default", "name": "Default"}, "id": "default"}

https://rhos-ci-jenkins.lab.eng.tlv2.redhat.com/logs/jenkins-phase2-16.1_director-rhel-8.2-virthost-1cont_1comp-ipv4-geneve-lvm-ssl-17/undercloud-0/home/stack/overcloud_install.log.txt.gz

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. deploy osp16.1 with this puddle id
2.
3.

Actual results:

Expected results:

Additional info:
I have a machine showing these symptoms ready to troubleshoot if one needs

raised a bugzilla as well: https://bugzilla.redhat.com/show_bug.cgi?id=1840640

wes hayutin (weshayutin)
Changed in tripleo:
status: New → Triaged
importance: Undecided → Critical
milestone: none → victoria-1
Changed in tripleo:
status: Triaged → Fix Committed
Changed in tripleo:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.