Certificate provided with ssl_ca configuration option not installed in system certificate store
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Glance-Simplestreams-Sync Charm | Fix Released | Undecided | Unassigned |
charm-octavia-diskimage-retrofit | Fix Released | Low | Frode Nordahl |
Bug Description
When deploying a bundle with TLS and adding the charm octavia-
juju run-action --wait octavia-
unit-octavia-
id: dee15cf0-
message: 'Could not find versioned identity endpoints when attempting to authenticate.
Please check that your auth_url is correct. SSL exception connecting to https:/
HTTPSConnec
port=35357): Max retries exceeded with url: / (Caused by SSLError(
handshake: Error([(''SSL routines'', ''tls_process_
verify failed'')],)",),))'
status: failed
timing:
completed: 2019-11-06 08:31:16 +0000 UTC
enqueued: 2019-11-06 08:31:12 +0000 UTC
started: 2019-11-06 08:31:12 +0000 UTC
unit: octavia-
The ssl_ca parameter is configured properly but it does not seem to be anywhere on the deployed unit.
Looking at the charm code https:/
Grepping on that file for the certificate gives no result. That means that the CA certificate that is passed through the config is not in /etc/ssl/
Looking in the charm itself at how this parameter is used gives nothing:
charm pull cs:octavia-
cs:octavia-
➜ /tmp cd octavia-
➜ octavia-
./templates/
./templates/
./templates/
./templates/
./config.yaml: "ssl_ca":
It seems that the ssl_ca config is there but not used at all.
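The check described above (grepping the system bundle for the configured CA) can miss a match when the PEM line wrapping differs, so the following added example, which is not code from the charm or from the report, compares certificates by the SHA-256 of their decoded DER bytes instead. All function names are hypothetical, the certificate bodies are constructed placeholder bytes rather than real certificates, and the bundle path is a parameter because the report does not give the full path.

```python
import base64
import hashlib
import os
import re
import ssl
import tempfile

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def der_fingerprints(pem_text):
    """SHA-256 fingerprint of every certificate block found in pem_text."""
    return {
        hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
        for block in PEM_BLOCK.findall(pem_text)
    }


def missing_from_bundle(ca_pem, bundle_path):
    """Fingerprints of certificates in ca_pem that bundle_path does not hold."""
    with open(bundle_path, encoding="ascii", errors="ignore") as fh:
        installed = der_fingerprints(fh.read())
    return der_fingerprints(ca_pem) - installed


def fake_pem(payload, width=64):
    """Constructed stand-in for a certificate: PEM armour around raw bytes."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def demo():
    """Constructed bundle that holds CA 'a' (64-column wrap) but not CA 'b'."""
    ca_a, ca_b = b"constructed-ca-a" * 12, b"constructed-ca-b" * 12
    with tempfile.TemporaryDirectory() as tmp:
        bundle = os.path.join(tmp, "bundle.crt")
        with open(bundle, "w") as fh:
            fh.write(fake_pem(b"other-root" * 12) + fake_pem(ca_a, width=64))
        # Same bytes as in the bundle but wrapped at 76 columns: a line-based
        # grep would report no match, the fingerprint comparison still does.
        rewrapped = missing_from_bundle(fake_pem(ca_a, width=76), bundle)
        absent = missing_from_bundle(fake_pem(ca_b), bundle)
        return rewrapped, absent


if __name__ == "__main__":
    rewrapped, absent = demo()
    print("re-wrapped CA missing:", bool(rewrapped), "| other CA missing:", bool(absent))
```

A non-empty result from `missing_from_bundle` for the configured CA corresponds to the state reported here: the certificate is set in the charm config but is not in the store the TLS client verifies against.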
tags: | added: field-medium |
Changed in charm-octavia-diskimage-retrofit: | |
status: | New → Triaged |
importance: | Undecided → Low |
Changed in charm-octavia-diskimage-retrofit: | |
milestone: | none → 20.05 |
summary: |
- Charm does not use ssl_ca and fails to validate certificate when calling - keystone with HTTPS + Certificate provided with ssl_ca configuration option not installed in + system certificate store |
Changed in charm-octavia-diskimage-retrofit: | |
assignee: | nobody → Frode Nordahl (fnordahl) |
status: | Triaged → In Progress |
Changed in charm-octavia-diskimage-retrofit: | |
status: | Fix Committed → Fix Released |
Subscribed field-medium as it impacts all deployments with Octavia where one wants to generate amphorae automatically and not rely on the test-images.