Hello,
While trying to deploy a master overcloud with TLS-E, using the new tripleo-ipa ansible thingy, I hit the following error:
<13>Jul 9 06:40:38 puppet-user: (file & line not available)
<13>Jul 9 06:40:38 puppet-user: Warning: /etc/puppet/hiera.yaml: Use of 'hiera.yaml' version 3 is deprecated. It should be converted to version 5
<13>Jul 9 06:40:38 puppet-user: (file: /etc/puppet/hiera.yaml)
<13>Jul 9 06:40:38 puppet-user: Warning: Undefined variable '::deploy_config_name';
<13>Jul 9 06:40:38 puppet-user: (file & line not available)
<13>Jul 9 06:40:38 puppet-user: Warning: Undefined variable '::nova::params::vncproxy_service_name'; class nova::params has not been evaluated
<13>Jul 9 06:40:38 puppet-user: (file & line not available)
<13>Jul 9 06:40:38 puppet-user: Warning: Unknown variable: '::deployment_type'. (file: /etc/puppet/modules/tripleo/manifests/profile/base/database/mysql/client.pp, line: 89, column: 8)
<13>Jul 9 06:40:38 puppet-user: error: Could not connect to cluster (is it running?)
<13>Jul 9 06:40:39 puppet-user: Notice: Compiled catalog for oc-0-ctl-0.mydomain.tld in environment production in 1.54 seconds
<13>Jul 9 06:40:39 puppet-user: Notice: /Stage[main]/Main/Package_manifest[/var/lib/tripleo/installed-packages/overcloud_Controller1]/ensure: created
<13>Jul 9 06:40:40 puppet-user: Notice: /Stage[main]/Tripleo::Certmonger::Apache_dirs/File[/etc/pki/tls/certs/httpd]/ensure: created
<13>Jul 9 06:40:40 puppet-user: Notice: /Stage[main]/Tripleo::Certmonger::Apache_dirs/File[/etc/pki/tls/private/httpd]/ensure: created
<13>Jul 9 06:40:40 puppet-user: Notice: /Stage[main]/Tripleo::Certmonger::Libvirt_vnc_dirs/File[/etc/pki/libvirt-vnc]/ensure: created
<13>Jul 9 06:40:40 puppet-user: Notice: /Stage[main]/Tripleo::Certmonger::Haproxy_dirs/File[/etc/pki/tls/certs/haproxy]/ensure: created
<13>Jul 9 06:40:40 puppet-user: Notice: /Stage[main]/Tripleo::Certmonger::Haproxy_dirs/File[/etc/pki/tls/private/haproxy]/ensure: created
<13>Jul 9 06:40:40 puppet-user: Notice: /Stage[main]/Tripleo::Certmonger::Rabbitmq/File[/usr/bin/certmonger-rabbitmq-refresh.sh]/ensure: defined content as '{md5}9228c38b6f9fdaf73919c2802cb062af'
<13>Jul 9 06:40:40 puppet-user: Notice: /Stage[main]/Tripleo::Certmonger::Novnc_proxy/File[/usr/bin/certmonger-novnc-proxy-refresh.sh]/ensure: defined content as '{md5}0abda7696e15def437a4169f35377be8'
<13>Jul 9 06:40:40 puppet-user: Notice: /Stage[main]/Tripleo::Profile::Base::Database::Mysql::Client/File[/etc/my.cnf.d/tripleo.cnf]/ensure: created
<13>Jul 9 06:40:40 puppet-user: Notice: /Stage[main]/Tripleo::Profile::Base::Database::Mysql::Client/Augeas[tripleo-mysql-client-conf]/returns: executed successfully
<13>Jul 9 06:40:40 puppet-user: Notice: /Stage[main]/Pacemaker::Corosync/File_line[pcsd_bind_addr]/ensure: created
<13>Jul 9 06:40:40 puppet-user: Notice: /Stage[main]/Pacemaker::Corosync/User[hacluster]/password: changed [redacted] to [redacted]
<13>Jul 9 06:40:40 puppet-user: Notice: /Stage[main]/Pacemaker::Corosync/User[hacluster]/groups: groups changed to ['haclient']
<13>Jul 9 06:40:43 puppet-user: Notice: /Stage[main]/Pacemaker::Service/Service[pcsd]/ensure: ensure changed 'stopped' to 'running'
<13>Jul 9 06:40:44 puppet-user: Notice: /Stage[main]/Pacemaker::Corosync/Exec[check-for-local-authentication]/returns: executed successfully
<13>Jul 9 06:40:45 puppet-user: Notice: /Stage[main]/Pacemaker::Corosync/Exec[reauthenticate-across-all-nodes]: Triggered 'refresh' from 3 events
<13>Jul 9 06:40:48 puppet-user: Notice: /Stage[main]/Pacemaker::Corosync/Exec[Create Cluster tripleo_cluster]/returns: executed successfully
<13>Jul 9 06:40:50 puppet-user: Notice: /Stage[main]/Pacemaker::Corosync/Exec[Start Cluster tripleo_cluster]/returns: executed successfully
<13>Jul 9 06:40:50 puppet-user: Notice: /Stage[main]/Pacemaker::Service/Service[corosync]/enable: enable changed 'false' to 'true'
<13>Jul 9 06:40:51 puppet-user: Notice: /Stage[main]/Pacemaker::Service/Service[pacemaker]/enable: enable changed 'false' to 'true'
<13>Jul 9 06:41:13 puppet-user: Notice: /Stage[main]/Pacemaker::Corosync/Exec[wait-for-settle]/returns: executed successfully
<13>Jul 9 06:41:13 puppet-user: Notice: /Stage[main]/Tripleo::Trusted_cas/Tripleo::Trusted_ca[undercloud-ca]/File[/etc/pki/ca-trust/source/anchors/undercloud-ca.pem]/ensure: defined content as '{md5}f949572e3b1a6e342d112737b08382cb'
<13>Jul 9 06:41:13 puppet-user: Notice: /Stage[main]/Tripleo::Trusted_cas/Tripleo::Trusted_ca[undercloud-ca]/Exec[trust-ca-undercloud-ca]: Triggered 'refresh' from 1 event
<13>Jul 9 06:41:13 puppet-user: Notice: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Haproxy[haproxy-ctlplane]/File[/usr/bin/certmonger-haproxy-refresh.sh]/ensure: defined content as '{md5}b1dae1387c0941dd9d18d05f011ef371'
<13>Jul 9 06:41:14 puppet-user: Notice: /Stage[main]/Certmonger/Service[certmonger]/enable: enable changed 'false' to 'true'
<13>Jul 9 06:41:14 puppet-user: Notice: /Stage[main]/Certmonger/Service[certmonger]: Triggered 'refresh' from 3 events
<13>Jul 9 06:41:14 puppet-user: Notice: /Stage[main]/Tripleo::Certmonger::Mysql/Certmonger_certificate[mysql]/ensure: created
<13>Jul 9 06:41:15 puppet-user: Warning: Could not get certificate: Execution of '/usr/bin/getcert request -I mysql -f /etc/pki/tls/certs/mysql.crt -c IPA -N CN=oc-0-ctl-0.internalapi.mydomain.tld -K mysql/oc-0-ctl-0.internalapi.mydomain.tld -D overcloud.internalapi.mydomain.tld -D oc-0-ctl-0.internalapi.mydomain.tld -w -k /etc/pki/tls/private/mysql.key' returned 3: New signing request \"mysql\" added.
<13>Jul 9 06:41:15 puppet-user: Error: /Stage[main]/Tripleo::Certmonger::Mysql/Certmonger_certificate[mysql]: Could not evaluate: Could not get certificate: Server at https://lab-nat-vm.mydomain.tld/ipa/xml failed request, will retry: 4001 (RPC failed at server. The host 'oc-0-ctl-0.internalapi.mydomain.tld' does not exist to add a service to.).
<13>Jul 9 06:41:15 puppet-user: Notice: /Stage[main]/Tripleo::Certmonger::Rabbitmq/Certmonger_certificate[rabbitmq]/ensure: created
<13>Jul 9 06:41:15 puppet-user: Warning: Could not get certificate: Execution of '/usr/bin/getcert request -I rabbitmq -f /etc/pki/tls/certs/rabbitmq.crt -c IPA -N CN=oc-0-ctl-0.internalapi.mydomain.tld -K rabbitmq/oc-0-ctl-0.internalapi.mydomain.tld -D oc-0-ctl-0.internalapi.mydomain.tld -C /usr/bin/certmonger-rabbitmq-refresh.sh -w -k /etc/pki/tls/private/rabbitmq.key' returned 3: New signing request \"rabbitmq\" added.
<13>Jul 9 06:41:15 puppet-user: Error: /Stage[main]/Tripleo::Certmonger::Rabbitmq/Certmonger_certificate[rabbitmq]: Could not evaluate: Could not get certificate: Server at https://lab-nat-vm.mydomain.tld/ipa/xml failed request, will retry: 4001 (RPC failed at server. The host 'oc-0-ctl-0.internalapi.mydomain.tld' does not exist to add a service to.).
<13>Jul 9 06:41:15 puppet-user: Notice: /Stage[main]/Tripleo::Certmonger::Rabbitmq/File[/etc/pki/tls/certs/rabbitmq.crt]: Dependency Certmonger_certificate[rabbitmq] has failures: true
<13>Jul 9 06:41:15 puppet-user: Warning: /Stage[main]/Tripleo::Certmonger::Rabbitmq/File[/etc/pki/tls/certs/rabbitmq.crt]: Skipping because of failed dependencies
<13>Jul 9 06:41:15 puppet-user: Warning: /Stage[main]/Tripleo::Certmonger::Rabbitmq/File[/etc/pki/tls/private/rabbitmq.key]: Skipping because of failed dependencies
<13>Jul 9 06:41:15 puppet-user: Notice: /Stage[main]/Tripleo::Certmonger::Novnc_proxy/Certmonger_certificate[novnc-proxy]/ensure: created
<13>Jul 9 06:41:15 puppet-user: Warning: Could not get certificate: Execution of '/usr/bin/getcert request -I novnc-proxy -f /etc/pki/tls/certs/novnc_proxy.crt -c IPA -N CN=oc-0-ctl-0.internalapi.mydomain.tld -K novnc-proxy/oc-0-ctl-0.internalapi.mydomain.tld -D oc-0-ctl-0.internalapi.mydomain.tld -w -k /etc/pki/tls/private/novnc_proxy.key' returned 3: New signing request \"novnc-proxy\" added.
<13>Jul 9 06:41:15 puppet-user: Error: /Stage[main]/Tripleo::Certmonger::Novnc_proxy/Certmonger_certificate[novnc-proxy]: Could not evaluate: Could not get certificate: Server at https://lab-nat-vm.mydomain.tld/ipa/xml failed request, will retry: 4001 (RPC failed at server. The host 'oc-0-ctl-0.internalapi.mydomain.tld' does not exist to add a service to.).
<13>Jul 9 06:41:15 puppet-user: Notice: /Stage[main]/Tripleo::Certmonger::Novnc_proxy/File[/etc/pki/tls/certs/novnc_proxy.crt]: Dependency Certmonger_certificate[novnc-proxy] has failures: true
<13>Jul 9 06:41:15 puppet-user: Warning: /Stage[main]/Tripleo::Certmonger::Novnc_proxy/File[/etc/pki/tls/certs/novnc_proxy.crt]: Skipping because of failed dependencies
<13>Jul 9 06:41:15 puppet-user: Warning: /Stage[main]/Tripleo::Certmonger::Novnc_proxy/File[/etc/pki/tls/private/novnc_proxy.key]: Skipping because of failed dependencies
<13>Jul 9 06:41:15 puppet-user: Notice: /Stage[main]/Tripleo::Certmonger::Ovn_dbs/Certmonger_certificate[ovn_dbs]/ensure: created
<13>Jul 9 06:41:16 puppet-user: Warning: Could not get certificate: Execution of '/usr/bin/getcert request -I ovn_dbs -f /etc/pki/tls/certs/ovn_dbs.crt -c IPA -N CN=oc-0-ctl-0.internalapi.mydomain.tld -K ovn_dbs/oc-0-ctl-0.internalapi.mydomain.tld -D oc-0-ctl-0.internalapi.mydomain.tld -w -k /etc/pki/tls/private/ovn_dbs.key' returned 3: New signing request \"ovn_dbs\" added.
<13>Jul 9 06:41:16 puppet-user: Error: /Stage[main]/Tripleo::Certmonger::Ovn_dbs/Certmonger_certificate[ovn_dbs]: Could not evaluate: Could not get certificate: Server at https://lab-nat-vm.mydomain.tld/ipa/xml failed request, will retry: 4001 (RPC failed at server. The host 'oc-0-ctl-0.internalapi.mydomain.tld' does not exist to add a service to.).
<13>Jul 9 06:41:16 puppet-user: Notice: /Stage[main]/Tripleo::Certmonger::Ovn_dbs/File[/etc/pki/tls/certs/ovn_dbs.crt]: Dependency Certmonger_certificate[ovn_dbs] has failures: true
When checking the IPA content, I indeed don't see the host used to get the certificate:
[CentOS-8.2 - stack@undercloud ~]$ sudo ipa host-find
---------------
5 hosts matched
---------------
Host name: lab-nat-vm.mydomain.tld
Principal name: <email address hidden>
Principal alias: <email address hidden>
SSH public key fingerprint: SHA256:MQLCxozGf0OkGhEvdyq0lI3yDrEgfcvYchcK6i81KBY (ssh-ed25519), SHA256:fOlibTW4MAGLn33NXg4Aer8r4BXlHkChLTPGYvWs9YY (ecdsa-sha2-nistp256), SHA256:+haFyWKGWYGnKfPhrk+RkSIP2Yne1m461ZJalVWtpNA (ssh-rsa)
Host name: oc-0-ctl-0.ctlplane.mydomain.tld
Principal name: <email address hidden>
Principal alias: <email address hidden>
Host name: oc-0-ctl-0.mydomain.tld
Principal name: <email address hidden>
Principal alias: <email address hidden>
SSH public key fingerprint: SHA256:YpZL1iuwZ1DRXouxot8lGTeKodkQDnQuQw2b9NO3khU (ecdsa-sha2-nistp256), SHA256:JuGjnt5phB3SjYLHL0LvdFDuy7NlFa7uq2PzEDMy7TE (ssh-ed25519), SHA256:PXwgn/suCMzema1kk2z2U04vQex9Iv8KoQYANk8dhnQ (ssh-rsa)
Host name: overcloud.ctlplane.mydomain.tld
Principal name: <email address hidden>
Principal alias: <email address hidden>
Host name: undercloud.mydomain.tld
Principal name: <email address hidden>
Principal alias: <email address hidden>
SSH public key fingerprint: SHA256:UdMwT6gdiC2ZwN3cKlw+O9YcnhcaGCixk5cy1SO5phg (ssh-ed25519), SHA256:7VxkzcOa7GC98DCmirsP3v7POtvAWOkI+z6qehyerkY (ecdsa-sha2-nistp256), SHA256:4gh6K2xfB/2V0ZZq2TxLIuWeC1IJdtX04HSqexdqIvw (ssh-rsa)
----------------------------
Number of entries returned 5
----------------------------
My guess is, we're missing at some point the creation of the hosts for all the subnets, leading to this error.
Cheers,
C.
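A cross-check of the names the failing getcert requests reference against the `ipa host-find` listing, added here as an example (not part of the original report or of tripleo-ipa). The function names are hypothetical and the sample input is constructed by trimming the log and command output above.

```python
import re

# Constructed sample: trimmed from the puppet log and `ipa host-find` output above.
PUPPET_LOG = """\
Warning: Could not get certificate: Execution of '/usr/bin/getcert request -I mysql -c IPA -N CN=oc-0-ctl-0.internalapi.mydomain.tld -K mysql/oc-0-ctl-0.internalapi.mydomain.tld -D overcloud.internalapi.mydomain.tld -D oc-0-ctl-0.internalapi.mydomain.tld -w' returned 3
Warning: Could not get certificate: Execution of '/usr/bin/getcert request -I rabbitmq -c IPA -N CN=oc-0-ctl-0.internalapi.mydomain.tld -K rabbitmq/oc-0-ctl-0.internalapi.mydomain.tld -D oc-0-ctl-0.internalapi.mydomain.tld -w' returned 3
"""
HOST_FIND = """\
Host name: lab-nat-vm.mydomain.tld
Host name: oc-0-ctl-0.ctlplane.mydomain.tld
Host name: oc-0-ctl-0.mydomain.tld
Host name: overcloud.ctlplane.mydomain.tld
Host name: undercloud.mydomain.tld
"""

def ipa_hosts(host_find_output):
    """Return the set of FQDNs listed by `ipa host-find`."""
    return {h.lower() for h in re.findall(r"^\s*Host name:\s*(\S+)", host_find_output, re.M)}

def requested_names(log_text):
    """Map each getcert request nickname (-I) to the FQDNs it references
    through -N (subject CN), -K (service/host principal) and -D (DNS name)."""
    wanted = {}
    for cmd in re.findall(r"getcert request (.*?)' returned", log_text):
        nick = re.search(r"-I (\S+)", cmd).group(1)
        names = set(re.findall(r"-N CN=(\S+)", cmd))
        names |= {p.split("/", 1)[1] for p in re.findall(r"-K (\S+/\S+)", cmd)}
        names |= set(re.findall(r"-D (\S+)", cmd))
        wanted[nick] = {n.lower() for n in names}
    return wanted

def missing_hosts(log_text, host_find_output):
    """Return {nickname: sorted FQDNs that have no IPA host entry}."""
    known = ipa_hosts(host_find_output)
    return {nick: sorted(names - known)
            for nick, names in requested_names(log_text).items()
            if names - known}

if __name__ == "__main__":
    for nick, hosts in missing_hosts(PUPPET_LOG, HOST_FIND).items():
        print(f"{nick}: no IPA host entry for {', '.join(hosts)}")
```

On the sample it reports oc-0-ctl-0.internalapi.mydomain.tld for both requests and, for mysql, overcloud.internalapi.mydomain.tld as well.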
Please also attach the contents of the service_metadata_settings ansible group var and the output of ipa service-find.
That should provide us with more info.
/ Greg