ssl-ca is not being installed as a system cert

Bug #1895620 reported by Vern Hart
Affects: OpenStack Nova Cell Controller Charm
Importance: Undecided
Assigned to: Unassigned

Bug Description

When ssl_ca is supplied and the keystone endpoint is ssl enabled, we're getting a connection error in the nova-conductor.log:

2020-09-14 23:53:32.512 14614 CRITICAL nova [-] Unhandled error: keystoneauth1.exceptions.auth_plugins.MissingAuthPlugin: An auth plugin is required to determine endpoint URL
2020-09-14 23:53:32.512 14614 ERROR nova Traceback (most recent call last):
2020-09-14 23:53:32.512 14614 ERROR nova File "/usr/bin/nova-conductor", line 10, in <module>
2020-09-14 23:53:32.512 14614 ERROR nova sys.exit(main())
2020-09-14 23:53:32.512 14614 ERROR nova File "/usr/lib/python3/dist-packages/nova/cmd/conductor.py", line 44, in main
2020-09-14 23:53:32.512 14614 ERROR nova topic=rpcapi.RPC_TOPIC)
2020-09-14 23:53:32.512 14614 ERROR nova File "/usr/lib/python3/dist-packages/nova/service.py", line 271, in create
2020-09-14 23:53:32.512 14614 ERROR nova periodic_interval_max=periodic_interval_max)
2020-09-14 23:53:32.512 14614 ERROR nova File "/usr/lib/python3/dist-packages/nova/service.py", line 129, in __init__
2020-09-14 23:53:32.512 14614 ERROR nova self.manager = manager_class(host=self.host, *args, **kwargs)
2020-09-14 23:53:32.512 14614 ERROR nova File "/usr/lib/python3/dist-packages/nova/conductor/manager.py", line 117, in __init__
2020-09-14 23:53:32.512 14614 ERROR nova self.compute_task_mgr = ComputeTaskManager()
2020-09-14 23:53:32.512 14614 ERROR nova File "/usr/lib/python3/dist-packages/nova/conductor/manager.py", line 243, in __init__
2020-09-14 23:53:32.512 14614 ERROR nova self.report_client = report.SchedulerReportClient()
2020-09-14 23:53:32.512 14614 ERROR nova File "/usr/lib/python3/dist-packages/nova/scheduler/client/report.py", line 186, in __init__
2020-09-14 23:53:32.512 14614 ERROR nova self._client = self._create_client()
2020-09-14 23:53:32.512 14614 ERROR nova File "/usr/lib/python3/dist-packages/nova/scheduler/client/report.py", line 229, in _create_client
2020-09-14 23:53:32.512 14614 ERROR nova client = self._adapter or utils.get_sdk_adapter('placement')
2020-09-14 23:53:32.512 14614 ERROR nova File "/usr/lib/python3/dist-packages/nova/utils.py", line 1039, in get_sdk_adapter
2020-09-14 23:53:32.512 14614 ERROR nova return getattr(conn, service_type)
2020-09-14 23:53:32.512 14614 ERROR nova File "/usr/lib/python3/dist-packages/openstack/service_description.py", line 92, in __get__
2020-09-14 23:53:32.512 14614 ERROR nova endpoint = proxy_mod.Proxy.get_endpoint(proxy)
2020-09-14 23:53:32.512 14614 ERROR nova File "/usr/lib/python3/dist-packages/keystoneauth1/adapter.py", line 282, in get_endpoint
2020-09-14 23:53:32.512 14614 ERROR nova return self.session.get_endpoint(auth or self.auth, **kwargs)
2020-09-14 23:53:32.512 14614 ERROR nova File "/usr/lib/python3/dist-packages/keystoneauth1/session.py", line 1198, in get_endpoint
2020-09-14 23:53:32.512 14614 ERROR nova auth = self._auth_required(auth, 'determine endpoint URL')
2020-09-14 23:53:32.512 14614 ERROR nova File "/usr/lib/python3/dist-packages/keystoneauth1/session.py", line 1138, in _auth_required
2020-09-14 23:53:32.512 14614 ERROR nova raise exceptions.MissingAuthPlugin(msg_fmt % msg)
2020-09-14 23:53:32.512 14614 ERROR nova keystoneauth1.exceptions.auth_plugins.MissingAuthPlugin: An auth plugin is required to determine endpoint URL
2020-09-14 23:53:32.512 14614 ERROR nova

If I copy the cacert in and update certs, this error goes away:

  $ juju scp secrets/certs/cacert.pem nova-cell-controller/1:/tmp/keystone_juju_ca_cert.crt
  $ juju ssh nova-cell-controller/1 sudo cp /tmp/keystone_juju_ca_cert.crt /usr/local/share/ca-certificates/.\; sudo update-ca-certificates --verbose

I can work around this issue by adding the cacert to cloudinit userdata:

cloudinit-userdata: |
  ca-certs:
    trusted:
    - |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
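The report implies a simple check an operator can run on the unit before digging into keystoneauth: is the CA supplied via ssl_ca actually present in the system trust bundle that OpenSSL (and therefore keystoneauth1) reads by default? The script below is an added example, not part of this report or of the charm's code. It compares SHA-256 fingerprints of the DER bodies of every CERTIFICATE block in the supplied CA file against those in the default CA file (ssl.get_default_verify_paths().cafile, which is /etc/ssl/certs/ca-certificates.crt on Ubuntu). The PEM blocks used for the offline run are constructed byte strings, not real certificates; the function and file names are mine.

```python
import base64
import hashlib
import re
import ssl
import sys

# Matches one PEM CERTIFICATE block and captures its base64 body.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_fingerprints(pem_data: bytes) -> set:
    """SHA-256 fingerprints (hex) of the DER body of every CERTIFICATE
    block in a PEM bundle. Only the PEM framing is parsed; the DER is
    hashed as-is, which is exactly what `openssl x509 -fingerprint -sha256`
    hashes, so the values can be compared with that tool's output."""
    fps = set()
    for m in PEM_RE.finditer(pem_data):
        der = base64.b64decode(b"".join(m.group(1).split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def missing_from_bundle(ca_pem: bytes, bundle_pem: bytes) -> list:
    """Fingerprints of certificates in ca_pem that do not appear in bundle_pem.
    An empty list means every supplied CA is already trusted by the bundle."""
    return sorted(pem_fingerprints(ca_pem) - pem_fingerprints(bundle_pem))


def check_system_trust(ca_pem: bytes, cafile: str = None) -> list:
    """Compare ca_pem against the OpenSSL default CA file (the bundle that
    update-ca-certificates regenerates on Debian/Ubuntu)."""
    path = cafile or ssl.get_default_verify_paths().cafile
    with open(path, "rb") as f:
        return missing_from_bundle(ca_pem, f.read())


def _pem(der: bytes) -> bytes:
    """Wrap raw bytes in PEM CERTIFICATE framing (64-char base64 lines)."""
    return (b"-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


# Constructed sample data (not real certificates): distinct byte strings
# stand in for DER so the fingerprint comparison can be exercised offline.
KEYSTONE_CA = _pem(b"constructed-keystone-ca-der")
OTHER_CA = _pem(b"constructed-other-ca-der")
BUNDLE_WITHOUT_KEYSTONE_CA = OTHER_CA
BUNDLE_WITH_KEYSTONE_CA = OTHER_CA + KEYSTONE_CA


if __name__ == "__main__":
    # Usage on a unit: python3 check_ca.py /path/to/keystone_juju_ca_cert.crt
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:
            missing = check_system_trust(f.read())
    else:
        missing = missing_from_bundle(KEYSTONE_CA, BUNDLE_WITHOUT_KEYSTONE_CA)
    for fp in missing:
        print("NOT in system trust store: sha256 " + fp)
    if not missing:
        print("all supplied CAs are present in the system trust store")
```

Run with the path of the CA written from ssl_ca as the only argument; a reported fingerprint means the system bundle does not contain that CA, which is the state the copy-and-update-ca-certificates step in this report corrects. Run with no argument, the script exercises the constructed sample data.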
