SSL does not work within Multi-Node Lab

Bug #1544932 reported by David TARDIVEL on 2016-02-12
Affects: devstack | Importance: Undecided | Assigned to: Unassigned

Bug Description

I tried to deploy a multi-node lab with USE_SSL=TRUE, with success after some manual operations.

Here is a list of some improvements to take into account for this type of deployment:

We have to set USE_SSL=TRUE in local.conf on each devstack node. The main reason is to use 'https' instead of 'http' in all endpoint URLs set in module configuration files. But stack.sh also uses this parameter to generate certificate files, and these files are different on each node. It cannot work like this: here is a traceback where n-cpu requests a new token from the keystone service:

2016-02-11 11:16:17.867 ERROR nova.compute.manager [-] Instance failed network setup after 1 attempt(s)
2016-02-11 11:16:17.867 TRACE nova.compute.manager Traceback (most recent call last):
2016-02-11 11:16:17.867 TRACE nova.compute.manager   File "/opt/stack/nova/nova/compute/manager.py", line 1564, in _allocate_network_async
2016-02-11 11:16:17.867 TRACE nova.compute.manager     dhcp_options=dhcp_options)
2016-02-11 11:16:17.867 TRACE nova.compute.manager   File "/opt/stack/nova/nova/network/neutronv2/api.py", line 619, in allocate_for_instance
2016-02-11 11:16:17.867 TRACE nova.compute.manager     refresh_cache=True, neutron=neutron) else
2016-02-11 11:16:17.867 TRACE nova.compute.manager   File "/opt/stack/nova/nova/network/neutronv2/api.py", line 757, in _has_port_binding_extension
2016-02-11 11:16:17.867 TRACE nova.compute.manager     self._refresh_neutron_extensions_cache(context, neutron=neutron)
2016-02-11 11:16:17.867 TRACE nova.compute.manager   File "/opt/stack/nova/nova/network/neutronv2/api.py", line 749, in _refresh_neutron_extensions_cache
2016-02-11 11:16:17.867 TRACE nova.compute.manager     extensions_list = neutron.list_extensions()['extensions']
2016-02-11 11:16:17.867 TRACE nova.compute.manager   File "/usr/local/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 102, in with_params
2016-02-11 11:16:17.867 TRACE nova.compute.manager     ret = self.function(instance, *args, **kwargs)
2016-02-11 11:16:17.867 TRACE nova.compute.manager   File "/usr/local/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 535, in list_extensions
2016-02-11 11:16:17.867 TRACE nova.compute.manager     return self.get(self.extensions_path, params=_params)
2016-02-11 11:16:17.867 TRACE nova.compute.manager   File "/usr/local/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 293, in get
2016-02-11 11:16:17.867 TRACE nova.compute.manager     headers=headers, params=params)
2016-02-11 11:16:17.867 TRACE nova.compute.manager   File "/usr/local/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 270, in retry_request
2016-02-11 11:16:17.867 TRACE nova.compute.manager     headers=headers, params=params)
2016-02-11 11:16:17.867 TRACE nova.compute.manager   File "/usr/local/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 200, in do_request
2016-02-11 11:16:17.867 TRACE nova.compute.manager     content_type=self.content_type())
2016-02-11 11:16:17.867 TRACE nova.compute.manager   File "/usr/local/lib/python2.7/dist-packages/neutronclient/client.py", line 306, in do_request
2016-02-11 11:16:17.867 TRACE nova.compute.manager     return self.request(url, method, **kwargs)
2016-02-11 11:16:17.867 TRACE nova.compute.manager   File "/usr/local/lib/python2.7/dist-packages/neutronclient/client.py", line 294, in request
2016-02-11 11:16:17.867 TRACE nova.compute.manager     resp = super(SessionClient, self).request(*args, **kwargs)
2016-02-11 11:16:17.867 TRACE nova.compute.manager   File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 95, in request
2016-02-11 11:16:17.867 TRACE nova.compute.manager     return self.session.request(url, method, **kwargs)
2016-02-11 11:16:17.867 TRACE nova.compute.manager   File "/usr/local/lib/python2.7/dist-packages/keystoneclient/utils.py", line 337, in inner
2016-02-11 11:16:17.867 TRACE nova.compute.manager     return func(*args, **kwargs)
2016-02-11 11:16:17.867 TRACE nova.compute.manager   File "/usr/local/lib/python2.7/dist-packages/keystoneclient/session.py", line 390, in request
2016-02-11 11:16:17.867 TRACE nova.compute.manager     resp = send(**kwargs)
2016-02-11 11:16:17.867 TRACE nova.compute.manager   File "/usr/local/lib/python2.7/dist-packages/keystoneclient/session.py", line 428, in _send_request
2016-02-11 11:16:17.867 TRACE nova.compute.manager     raise exceptions.SSLError(msg)
2016-02-11 11:16:17.867 TRACE nova.compute.manager SSLError: SSL exception connecting to https://192.168.99.11:9696/v2.0/extensions.json: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Workaround: copy the file /opt/stack/data/ca-bundle.pem generated on the controller node to each compute node. Or, if you have deployed NFS between the controller and compute nodes (required for instance live migration), stack.sh would be able to generate certificate files only on the controller node and put them into a shared directory reachable from the compute nodes (this implies stack.sh should not build certificate files on compute nodes).

The nova.conf file built by stack.sh is not correct on compute nodes. Some parameters are missing in client sections:

[neutron]
url = https://192.168.99.11:9696
region_name = RegionOne
auth_strategy = keystone
project_domain_name = Default
project_name = service
user_domain_name = Default
password = nomoresecrete
username = neutron
auth_url = https://192.168.99.11:35357/v3
auth_plugin = v3password
+ cafile = /opt/stack/data/ca-bundle.pem

[glance]
api_servers = https://controller:9292
+ api_insecure = true (because there is no way to add cafile in this section!!!)
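As an added example (not from the bug report or from devstack), a small audit for the second point above: it parses a nova-style config with configparser and flags client sections whose endpoints are https but carry no cafile, or that switched verification off with insecure/api_insecure. The sample config is constructed from the sections quoted above; the extra [placement] section is an assumption included as a correctly configured control.

```python
import configparser
import io
from typing import Dict, List
# Keys whose values are endpoint or auth URLs in nova-style client sections
URL_KEYS = ("url", "auth_url", "auth_uri", "api_servers")
# Constructed sample modelled on the compute-node nova.conf quoted in the report
SAMPLE_NOVA_CONF = """[neutron]
url = https://192.168.99.11:9696
auth_url = https://192.168.99.11:35357/v3
auth_plugin = v3password

[glance]
api_servers = https://controller:9292
api_insecure = true

[placement]
auth_url = https://192.168.99.11:35357/v3
cafile = /opt/stack/data/ca-bundle.pem
"""

def audit_tls_clients(conf_text: str) -> Dict[str, str]:
    """Map each section that talks https without a usable CA to a finding."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings: Dict[str, str] = {}
    for section in cp.sections():
        items = dict(cp.items(section))  # option names are lower-cased
        urls: List[str] = []
        for key in URL_KEYS:  # api_servers may hold a comma-separated list
            urls += [u.strip() for u in items.get(key, "").split(",") if u.strip()]
        if not any(u.lower().startswith("https://") for u in urls):
            continue  # plain http: nothing for this check to verify
        off = [k for k in ("insecure", "api_insecure")
               if items.get(k, "").strip().lower() in ("true", "1", "yes")]
        if off:
            findings[section] = "verification disabled via %s = true" % off[0]
        elif not items.get("cafile", "").strip():
            findings[section] = "https endpoint but no cafile to verify the server"
    return findings

def audit_after_adding_cafile(conf_text: str, cafile: str) -> Dict[str, str]:
    """Add cafile to every flagged section lacking one, then re-run the audit."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    for section in audit_tls_clients(conf_text):
        if not cp.has_option(section, "cafile"):
            cp.set(section, "cafile", cafile)
    buf = io.StringIO()
    cp.write(buf)
    return audit_tls_clients(buf.getvalue())
```

After adding the controller's ca-bundle.pem, only [glance] stays flagged, because api_insecure = true still turns verification off regardless of any cafile.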

Sean Dague (sdague) wrote:

This devstack bug was last updated over 180 days ago. As devstack is a fast-moving project and we'd like to get the tracker down to currently actionable bugs, this is getting marked as Invalid. If the issue still exists, please feel free to reopen it.

Changed in devstack:
status: New → Invalid