This issue has been faced when deploying designate charm from openstack-charmers-next repository in the HA mode on Ubuntu Trusty with SSL charm options enabled. For some reason apache2 is not installed an the certificate / key files for the VIP are not being created:
root@juju-64cbea-22-lxd-26:~# service apache2 status
apache2: unrecognized service
root@juju-64cbea-22-lxd-26:~# ls -l /etc/apache2/ssl/designate/
total 8
-r--r--r-- 1 root root 1176 Sep 25 11:00 cert_100.86.0.185
-r--r--r-- 1 root root 1679 Sep 25 11:00 key_100.86.0.185
This can be worked around by executing the following commands:
$ apt -y install apache2
$ a2ensite openstack_https_frontend.conf
$ a2enmod ssl
$ a2enmod proxy
$ cp /etc/apache2/ssl/designate/cert_100.86.0.* /etc/apache2/ssl/designate/cert_100.86.0.12
$ cp /etc/apache2/ssl/designate/key_100.86.0.* /etc/apache2/ssl/designate/key_100.86.0.12
$ service apache2 start
Designate charm is configured as follows:
application: designate
charm: designate
settings:
debug:
description: Enable debug logging
type: boolean
value: true
dns-slaves:
default: true
description: |
List of DNS slaves which will accept addzone/delzone rndc commands from
Designate. List is of the form slave_ip:rndc_port:rndc_key. This should
only be used if DNS servers are outside of Juju control. Using the
designate-bind charm is the prefered approach.
type: string
enable-host-header:
description: Enables host request headers.
type: boolean
value: true
haproxy-client-timeout:
default: true
description: |
Client timeout configuration in ms for haproxy, used in HA
configurations.
type: int
value: 30000
haproxy-connect-timeout:
default: true
description: |
Connect timeout configuration in ms for haproxy, used in HA
configurations.
type: int
value: 5000
haproxy-queue-timeout:
default: true
description: |
Queue timeout configuration in ms for haproxy, used in HA
configurations.
type: int
value: 5000
haproxy-server-timeout:
default: true
description: |
Server timeout configuration in ms for haproxy, used in HA
configurations.
type: int
value: 30000
nameservers:
description: |
Space delimited list of nameservers. These are the nameservers that have
been provided to the domain registrar in order to delegate the domain to
Designate. e.g. "ns1.example.com. ns2.example.com."
type: string
value: <list of nameservers>
neutron-domain:
default: true
description: Domain to add floating IP records to.
type: string
neutron-domain-email:
default: true
description: Email address of the person responsible for the domain.
type: string
neutron-record-format:
default: true
description: Format of floating IP global records.
type: string
value: '%(octet0)s-%(octet1)s-%(octet2)s-%(octet3)s.%(zone)s'
nova-domain:
default: true
description: Domain to add records for new instances to
type: string
nova-domain-email:
default: true
description: Email address of the person responsible for the domain.
type: string
nova-record-format:
default: true
description: Format of floating IP global records.
type: string
value: '%(hostname)s.%(tenant_id)s.%(zone)s'
openstack-origin:
description: |
Repository from which to install OpenStack.
May be one of the following:
distro (default)
ppa:somecustom/ppa (PPA name must include OpenStack Release)
deb url sources entry|key id
or a supported Ubuntu Cloud Archive pocket.
Supported Ubuntu Cloud Archive pockets include:
cloud:trusty-liberty
cloud:trusty-juno
cloud:trusty-kilo
cloud:trusty-liberty
cloud:trusty-mitaka
Note that updating this setting to a source that is known to
provide a later version of OpenStack will trigger a software
upgrade.
type: string
value: cloud:trusty-mitaka
os-admin-hostname:
default: true
description: |
The hostname or address of the admin endpoints created in the keystone
identity provider.
.
This value will be used for admin endpoints. For example, an
os-admin-hostname set to 'api-admin.example.com' with ssl enabled
will create the following endpoint for neutron-api:
.
https://api-admin.example.com:9696/
type: string
os-admin-network:
default: true
description: |
The IP address and netmask of the OpenStack Admin network (e.g.,
192.168.0.0/24)
.
This network will be used for admin endpoints.
type: string
os-internal-hostname:
default: true
description: |
The hostname or address of the internal endpoints created in the keystone
identity provider.
.
This value will be used for internal endpoints. For example, an
os-internal-hostname set to 'api-internal.example.com' with ssl enabled
will create the following endpoint for neutron-api:
.
https://api-internal.example.com:9696/
type: string
os-internal-network:
default: true
description: |
The IP address and netmask of the OpenStack Internal network (e.g.,
192.168.0.0/24)
.
This network will be used for internal endpoints.
type: string
os-public-hostname:
default: true
description: |
The hostname or address of the public endpoints created in the keystone
identity provider.
.
This value will be used for public endpoints. For example, an
os-public-hostname set to 'api-public.example.com' with ssl enabled
will create the following endpoint for neutron-api:
.
https://api-public.example.com:9696/
type: string
os-public-network:
default: true
description: |
The IP address and netmask of the OpenStack Public network (e.g.,
192.168.0.0/24)
.
This network will be used for public endpoints.
type: string
region:
default: true
description: OpenStack Region
type: string
value: RegionOne
ssl_ca:
description: |
SSL CA to use with the certificate and key provided - this is only
required if you are providing a privately signed ssl_cert and ssl_key.
type: string
value: |-
<CA certificate>
ssl_cert:
description: |
SSL certificate to install and use for API ports. Setting this value
and ssl_key will enable reverse proxying, point Glance's entry in the
Keystone catalog to use https, and override any certficiate and key
issued by Keystone (if it is configured to do so).
type: string
value: |-
<Designate certificate>
ssl_key:
description: |
SSL key to use with certificate specified as ssl_cert.
type: string
value: |-
<Designate certificate key>
use-internal-endpoints:
default: true
description: |
Openstack mostly defaults to using public endpoints for
internal communication between services. If set to True this option
will configure services to use internal endpoints where possible.
type: boolean
value: false
use-syslog:
description: |
Setting this to True will allow supporting services to log to syslog.
type: boolean
value: true
verbose:
description: Enable verbose logging
type: boolean
value: true
vip:
description: |
Virtual IP(s) to use to front API services in HA configuration.
If multiple networks are being used, a VIP should be provided for each
network, separated by spaces.
type: string
value: 100.86.0.12
vip_cidr:
default: true
description: |
Default CIDR netmask to use for HA vip when it cannot be automatically
determined.
type: int
value: 24
vip_iface:
default: true
description: |
Default network interface to use for HA vip when it cannot be
automatically determined.
type: string
value: eth0
worker-multiplier:
default: true
description: |
The CPU core multiplier to use when configuring worker processes. By
default, the number of workers for each daemon is set to twice the number
of CPU cores a service unit has. When deployed in a LXD container, this
default value will be capped to 4 workers unless this configuration
option is set.
type: float
Attached are the logs from all 3 units.
FWIW, I'm not 100% sure, but this might have a connection with:
https:/
since both are reactive OpenStack charms.