(originally in https://pastebin.ubuntu.com/p/458fsc9ffz/ )

ubuntu@dnegreira-bastion:~/stsstack-bundles/openstack$ openstack project list
+----------------------------------+----------+
| ID                               | Name     |
+----------------------------------+----------+
| 424d928b34b640e0a36a8a2e3fdc6f09 | demo     |
| 507dbc22af73459b853e3766c35c8b64 | admin    |
| cab27753566d42029be264f36ba2b8e4 | admin    |
| d212590292cf4a60b445c6d6343ccfbc | services |
| ec0fb8a582714d54aaa71fef843e1dea | alt_demo |
| fe131c6831fc477ea15e27d46c28fe2f | services |
+----------------------------------+----------+

ubuntu@dnegreira-bastion:~/stsstack-bundles/openstack$ openstack domain list
+----------------------------------+----------------+---------+--------------------+
| ID                               | Name           | Enabled | Description        |
+----------------------------------+----------------+---------+--------------------+
| 201b2ebc79db4c73bf5e72b548327830 | service_domain | True    | Created by Juju    |
| 9a9ba9e3fb704f24a45098c605f6b4fb | admin_domain   | True    | Created by Juju    |
| default                          | Default        | True    | The default domain |
+----------------------------------+----------------+---------+--------------------+

ubuntu@dnegreira-bastion:~/stsstack-bundles/openstack$ openstack user create --domain admin_domain --project 424d928b34b640e0a36a8a2e3fdc6f09 --password test test-user
ubuntu@dnegreira-bastion:~/stsstack-bundles/openstack$ openstack role add --domain admin_domain --user test-user Admin
ubuntu@dnegreira-bastion:~/stsstack-bundles/openstack$ openstack role add --project 424d928b34b640e0a36a8a2e3fdc6f09 --user test-user Admin

# Take note of the application credentials as these will be useful when testing the issue.
ubuntu@dnegreira-bastion:~/stsstack-bundles/openstack$ openstack application credential create test-user-cred
+--------------+----------------------------------------------------------------------------------------+
| Field        | Value                                                                                  |
+--------------+----------------------------------------------------------------------------------------+
| description  | None                                                                                   |
| expires_at   | None                                                                                   |
| id           | 33869eace8b34bf7b083a59677248fc6                                                       |
| name         | test-user-cred                                                                         |
| project_id   | 507dbc22af73459b853e3766c35c8b64                                                       |
| roles        | reader Admin member load-balancer_admin                                                |
| secret       | 5qu2WuvwysIxZi2XKKJvgs2hA_Gx2NMx9lr-LNVmgWbMmkRSjYxFAQtN8zoW5I23palGW7cdeYDLB0mLDNVJyw |
| system       | None                                                                                   |
| unrestricted | False                                                                                  |
| user_id      | 1053c1da7d6b4be7b122e94a6a8ba3ea                                                       |
+--------------+----------------------------------------------------------------------------------------+

### Create certificate store, can be whatever cert you have at hand, I had a couple of old ones on ~/stsstack-bundles/openstack/ssl/ and used those
# not important that they have valid FQDN or not since it's not relevant for what we are testing here:
ubuntu@dnegreira-bastion:~/stsstack-bundles/openstack/ssl/openstack-test/results$ openstack secret store --payload-content-type='text/plain' --name='test-certificate' --payload="$(cat servercert.pem)"
+---------------+-------------------------------------------------------------------+
| Field         | Value                                                             |
+---------------+-------------------------------------------------------------------+
| Secret href   | https://None:9312/v1/secrets/d3e5d578-878e-4ea1-8de7-b102840b9a59 |
| Name          | test-certificate                                                  |
| Created       | None                                                              |
| Status        | None                                                              |
| Content types | {'default': 'text/plain'}                                         |
| Algorithm     | aes                                                               |
| Bit length    | 256                                                               |
| Secret type   | opaque                                                            |
| Mode          | cbc                                                               |
| Expiration    | None                                                              |
+---------------+-------------------------------------------------------------------+

ubuntu@dnegreira-bastion:~/stsstack-bundles/openstack/ssl/openstack-test/results$ openstack secret store --payload-content-type='text/plain' --name='test-certificatkey' --payload="$(cat serverkey.pem)"
+---------------+-------------------------------------------------------------------+
| Field         | Value                                                             |
+---------------+-------------------------------------------------------------------+
| Secret href   | https://None:9312/v1/secrets/11b4ff5d-2849-4c87-9679-000b18639eec |
| Name          | test-certificatkey                                                |
| Created       | None                                                              |
| Status        | None                                                              |
| Content types | {'default': 'text/plain'}                                         |
| Algorithm     | aes                                                               |
| Bit length    | 256                                                               |
| Secret type   | opaque                                                            |
| Mode          | cbc                                                               |
| Expiration    | None                                                              |
+---------------+-------------------------------------------------------------------+

ubuntu@dnegreira-bastion:~/stsstack-bundles/openstack/ssl/openstack-test/results$ openstack secret container create --name='certificate_test_and_key' --type="certificate" --secret='certificate=https://None:9312/v1/secrets/d3e5d578-878e-4ea1-8de7-b102840b9a59' --secret='private_key=https://None:9312/v1/secrets/11b4ff5d-2849-4c87-9679-000b18639eec'
+----------------+----------------------------------------------------------------------+
| Field          | Value                                                                |
+----------------+----------------------------------------------------------------------+
| Container href | https://None:9312/v1/containers/416543ba-ecd3-4ad1-8174-8899f58e92c1 |
| Name           | certificate_test_and_key                                             |
| Created        | None                                                                 |

### Create load balancer and listener which will fail:
openstack loadbalancer create --name testlb --vip-network-id lb-mgmt-net

ubuntu@dnegreira-bastion:~/stsstack-bundles/openstack$ openstack loadbalancer create --name testlb --vip-network-id lb-mgmt-net
+---------------------+-----------------------------------------+
| Field               | Value                                   |
+---------------------+-----------------------------------------+
| admin_state_up      | True                                    |
| availability_zone   | None                                    |
| created_at          | 2023-08-26T13:27:09                     |
| description         |                                         |
| flavor_id           | None                                    |
| id                  | 2f6ddd95-744d-4117-a0e8-327dd4ec620c    |
| listeners           |                                         |
| name                | testlb                                  |
| operating_status    | OFFLINE                                 |
| pools               |                                         |
| project_id          | 507dbc22af73459b853e3766c35c8b64        |
| provider            | amphora                                 |
| provisioning_status | PENDING_CREATE                          |
| updated_at          | None                                    |
| vip_address         | fc00:c9e5:8c21:7663:f816:3eff:fee9:d343 |
| vip_network_id      | a2790789-2731-42e2-b9d7-c9e58c217663    |
| vip_port_id         | 19dd28a2-46ac-43a6-9cf6-dfc5f4805750    |
| vip_qos_policy_id   | None                                    |
| vip_subnet_id       | 3a999eef-d778-41e5-9365-7be090f05b8d    |
+---------------------+-----------------------------------------+

# should wait till it's active
ubuntu@dnegreira-bastion:~/stsstack-bundles/openstack$ openstack loadbalancer list
+--------------------------------------+--------+----------------------------------+-----------------------------------------+---------------------+----------+
| id                                   | name   | project_id                       | vip_address                             | provisioning_status | provider |
+--------------------------------------+--------+----------------------------------+-----------------------------------------+---------------------+----------+
| 2f6ddd95-744d-4117-a0e8-327dd4ec620c | testlb | 507dbc22af73459b853e3766c35c8b64 | fc00:c9e5:8c21:7663:f816:3eff:fee9:d343 | ACTIVE              | amphora  |
+--------------------------------------+--------+----------------------------------+-----------------------------------------+---------------------+----------+

# Do a $ source novarc on ~/stsstack-bundles/openstack to set the OS_* variables to the current deployment, leave the ones set as per below and make sure to `unset OS_` else you won't be able to issue openstack commands (of course adapt to your own credentials/IPs):
ubuntu@dnegreira-bastion:~/appcredentials$ env | grep OS_
OS_AUTH_URL=https://10.5.0.157:5000/v3
OS_APPLICATION_CREDENTIAL_SECRET=5qu2WuvwysIxZi2XKKJvgs2hA_Gx2NMx9lr-LNVmgWbMmkRSjYxFAQtN8zoW5I23palGW7cdeYDLB0mLDNVJyw
OS_APPLICATION_CREDENTIAL_ID=33869eace8b34bf7b083a59677248fc6
OS_AUTH_TYPE=v3applicationcredential

# After this is done you can try to create the listener which will introduce the error in this ticket:
openstack loadbalancer listener create --name https-test --protocol TERMINATED_HTTPS --protocol-port 443 --default-tls-container-ref="https://None:9312/v1/containers/416543ba-ecd3-4ad1-8174-8899f58e92c1" 2f6ddd95-744d-4117-a0e8-327dd4ec620c
Could not retrieve certificate: ['https://None:9312/v1/containers/416543ba-ecd3-4ad1-8174-8899f58e92c1'] (HTTP 400) (Request-ID: req-a505a595-4eee-4e95-b721-cb3b4e9fe5eb)
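
# Added example, not part of the original paste: one way to do the "source novarc, then unset the other OS_* variables" step so that only the four application-credential variables from the env output above stay set. The function names and the KEEP_VARS list are assumptions made for this sketch; pass your own URL, id and secret.

```shell
# Added example (not from the original paste); helper names are hypothetical.
# The four variables the env output above leaves set.
KEEP_VARS="OS_AUTH_URL OS_AUTH_TYPE OS_APPLICATION_CREDENTIAL_ID OS_APPLICATION_CREDENTIAL_SECRET"

# Print the name of every exported OS_* variable, one per line.
list_os_vars() {
    env | sed -n 's/^\(OS_[A-Za-z0-9_]*\)=.*/\1/p'
}

# use_app_credential AUTH_URL CRED_ID CRED_SECRET
# Clears everything novarc exported, then sets application-credential auth.
use_app_credential() {
    if [ "$#" -ne 3 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
        echo "usage: use_app_credential AUTH_URL CRED_ID CRED_SECRET" >&2
        return 2
    fi
    for _v in $(list_os_vars); do
        unset "$_v"
    done
    unset _v
    export OS_AUTH_URL="$1"
    export OS_AUTH_TYPE="v3applicationcredential"
    export OS_APPLICATION_CREDENTIAL_ID="$2"
    export OS_APPLICATION_CREDENTIAL_SECRET="$3"
}

# Print any OS_* variable outside KEEP_VARS; empty output means the
# environment matches the one shown in the paste.
leftover_os_vars() {
    for _v in $(list_os_vars); do
        case " $KEEP_VARS " in
            *" $_v "*) ;;
            *) echo "$_v" ;;
        esac
    done
    unset _v
}
```

# Run leftover_os_vars before the listener create; any name it prints is a variable from novarc (or elsewhere) that is still exported.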