Steps:
1. Deploy cluster
   os: Ubuntu
   neutron vlan
   1 controller + 1 compute + 1 cinder
   ssl for os is enabled
2. As soon as cluster is ready, navigate to horizon over https
3. Login as admin user
4. Navigate to horizon/project/access_and_security/
Actual result:
Horizon became unavailable with message "An unexpected error has occurred" and 500 Internal error code
http://paste.openstack.org/show/406199/
At the same time logged user can list instances, images over horizon
[root@nailgun ~]# cat /etc/fuel/version.yaml
VERSION:
feature_groups:
- mirantis
production: "docker"
release: "7.0"
openstack_version: "2015.1.0-7.0"
api: "1.0"
build_number: "103"
build_id: "2015-07-28_12-51-16"
nailgun_sha: "d7fe1047caeb4503970c7d39689e133b28b85b22"
python-fuelclient_sha: "f04e6c46783ecd6000df31b61b6749da66d4d828"
fuel-agent_sha: "2a65f11c10b0aeb5184247635a19740fc3edde21"
fuel-nailgun-agent_sha: "1512b9af6b41cc95c4d891c593aeebe0faca5a63"
astute_sha: "34e0493afa22999c4a07d3198ceb945116ab7932"
fuel-library_sha: "8e64ae8e018d5b119c8e2ea49f6a83467b970a66"
fuel-ostf_sha: "9e32b35e9a774eec41b86cd5a6c63b71a3efa4bd"
fuelmain_sha: "0d6ff4c9ec156196cc4d9a36db314ba7346942f7"
[root@nailgun ~]# ssh node-1
Warning: Permanently added 'node-1' (RSA) to the list of known hosts.
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-59-generic x86_64)
When HTTPS for Horizon is configured/enabled FUEL uses default hostname 'public.fuel.local' as:
a) CN for ssl certificate (generated using /etc/puppet/modules/osnailyfacter/modular/astute/generate_haproxy_keys.sh and executed by task `generate_haproxy_keys`)
b) Public endpoint for identity service.
/etc/puppet/2015.1.0-7.0/modules/osnailyfacter/modular/keystone/keystone.pp
   41 $public_address = $public_ssl_hash['services'] ? {
>> 42   true    => $public_ssl_hash['hostname'],
   43   default => $public_vip,
   44 }
Because SSL certificates are signed against hostnames and not IP addresses (and we have mixed public endpoints), client is throwing "SSLError: hostname '__IP_ADDRESS!__' doesn't match u'public.fuel.local'".
Our endpoints:
https://192.168.200.101:8776/v2/%(tenant_id)s
https://192.168.200.101:8000/v1
https://192.168.200.101:8776/v1/%(tenant_id)s
https://192.168.200.101:8774/v2/%(tenant_id)s
https://192.168.200.101:8777
https://192.168.200.101:8080
https://192.168.200.101:9292
https://192.168.200.101:8004/v1/%(tenant_id)s
http://127.0.0.1:8774/v3
https://192.168.200.101:9696
https://192.168.200.101:8773/services/Cloud
https://192.168.200.101:8080/v1/AUTH_%(tenant_id)s
https://public.fuel.local:5000/v2.0
HAProxy configuration:
/etc/haproxy/conf.d/015-horizon.cfg: bind 192.168.200.101:80
/etc/haproxy/conf.d/017-horizon-ssl.cfg: bind 192.168.200.101:443 ssl crt /var/lib/astute/haproxy/public_haproxy.pem
/etc/haproxy/conf.d/020-keystone-1.cfg: bind 192.168.200.101:5000 ssl crt /var/lib/astute/haproxy/public_haproxy.pem
/etc/haproxy/conf.d/040-nova-api-1.cfg: bind 192.168.200.101:8773 ssl crt /var/lib/astute/haproxy/public_haproxy.pem
/etc/haproxy/conf.d/050-nova-api-2.cfg: bind 192.168.200.101:8774 ssl crt /var/lib/astute/haproxy/public_haproxy.pem
/etc/haproxy/conf.d/070-cinder-api.cfg: bind 192.168.200.101:8776 ssl crt /var/lib/astute/haproxy/public_haproxy.pem
/etc/haproxy/conf.d/080-glance-api.cfg: bind 192.168.200.101:9292 ssl crt /var/lib/astute/haproxy/public_haproxy.pem
/etc/haproxy/conf.d/085-neutron.cfg: bind 192.168.200.101:9696 ssl crt /var/lib/astute/haproxy/public_haproxy.pem
/etc/haproxy/conf.d/120-swift.cfg: bind 192.168.200.101:8080 ssl crt /var/lib/astute/haproxy/public_haproxy.pem
/etc/haproxy/conf.d/160-heat-api.cfg: bind 192.168.200.101:8004 ssl crt /var/lib/astute/haproxy/public_haproxy.pem
/etc/haproxy/conf.d/161-heat-api-cfn.cfg: bind 192.168.200.101:8000 ssl crt /var/lib/astute/haproxy/public_haproxy.pem
/etc/haproxy/conf.d/162-heat-api-cloudwatch.cfg: bind 192.168.200.101:8003 ssl crt /var/lib/astute/haproxy/public_haproxy.pem
/etc/haproxy/conf.d/170-nova-novncproxy.cfg: bind 192.168.200.101:6080 ssl crt /var/lib/astute/haproxy/public_haproxy.pem
To resolve this issue we could:
1) Use OPENSTACK_ENDPOINT_TYPE = "internalURL" in /etc/openstack-dashboard/local_settings.py
That way we instruct horizon to use only internalurl, which doesn't use ssl.
2) In default configuration /etc/hosts entries were added (__PUB_IP__ public.fuel.local); currently this solution doesn't exactly work because of host_check.
To enable existing solution one would need to:
1) Edit /usr/lib/python2.7/dist-packages/urllib3/connectio...
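
An added example (not part of the original report, and not Fuel or Horizon code): a small audit that flags which catalog endpoints would fail TLS hostname verification against a certificate issued for public.fuel.local. The function names are hypothetical, the certificate is assumed to carry no IP subjectAltName entries, and the URLs are a subset of the endpoints listed above.

```python
import ipaddress
from urllib.parse import urlsplit

# Subset of the endpoint URLs listed in the report above.
ENDPOINTS = [
    "https://192.168.200.101:8776/v2/%(tenant_id)s",
    "http://127.0.0.1:8774/v3",
    "https://public.fuel.local:5000/v2.0",
]
CERT_DNS_NAMES = ["public.fuel.local"]  # certificate CN, per the report
CERT_IP_SANS = []  # assumption: no iPAddress subjectAltName entries

def dns_name_matches(pattern, host):
    """Label-wise match; '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly above a top-level label such as '*.local'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def host_is_covered(host, dns_names, ip_sans):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return any(dns_name_matches(n, host) for n in dns_names)
    # RFC 2818: an IP literal must match an iPAddress SAN, never a DNS name.
    return any(addr == ipaddress.ip_address(s) for s in ip_sans)

def audit_endpoints(urls, dns_names, ip_sans=()):
    """Map each URL to 'ok', 'mismatch' (TLS name check fails) or 'plaintext'."""
    report = {}
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "https":
            report[url] = "plaintext"
        elif host_is_covered(parts.hostname, dns_names, ip_sans):
            report[url] = "ok"
        else:
            report[url] = "mismatch"
    return report

if __name__ == "__main__":
    for url, verdict in audit_endpoints(ENDPOINTS, CERT_DNS_NAMES, CERT_IP_SANS).items():
        print(f"{verdict:9} {url}")
```

Every endpoint reported as "mismatch" needs either a hostname-based URL in the catalog or a certificate that lists the IP as a subjectAltName.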