Self-Signed Certificates failed

Bug #1875561 reported by XiaojueGuan
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| kolla-ansible | Incomplete | Undecided | XiaojueGuan | |

Bug Description

```
(deploy) root@k-node1:~# pip freeze | grep kolla
kolla==9.1.0.dev387
kolla-ansible==9.1.0.dev588
```

The globals.yml file is https://github.com/albertjone/kolla-config/blob/master/kolla-config/multinode/globals.yml

When using kolla-ansible to deploy, it failed with the following detail:
```
TASK [kibana : Wait for kibana to register in elasticsearch]
FAILED - RETRYING: Wait for kibana to register in elasticsearch (20 retries left).Result was: {
    "action": "uri",
    "attempts": 1,
    "changed": false,
    "content": "",
    "elapsed": 0,
    "invocation": {
        "module_args": {
            "attributes": null,
            "backup": null,
            "body": null,
            "body_format": "raw",
            "client_cert": null,
            "client_key": null,
            "content": null,
            "creates": null,
            "delimiter": null,
            "dest": null,
            "directory_mode": null,
            "follow": false,
            "follow_redirects": "safe",
            "force": false,
            "force_basic_auth": false,
            "group": null,
            "headers": {},
            "http_agent": "ansible-httpget",
            "method": "GET",
            "mode": null,
            "owner": null,
            "regexp": null,
            "remote_src": null,
            "removes": null,
            "return_content": false,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": null,
            "status_code": [
                "200"
            ],
            "timeout": 30,
            "unix_socket": null,
            "unsafe_writes": null,
            "url": "https://10.10.1.205:9200/.kibana",
            "url_password": null,
            "url_username": null,
            "use_proxy": true,
            "validate_certs": true
        }
    },
    "msg": "Status code was -1 and not [200]: Request failed: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)>",
    "redirected": false,
    "retries": 21,
    "status": -1,
    "url": "https://10.10.1.205:9200/.kibana"
}
```

And when I logged into kolla_toolbox it showed the following interesting stuff:
```
(kolla-toolbox)[root@k-node1 /]# cat /etc/pki/ca-trust/source/anchors/kolla-customca-haproxy-internal.crt
-----BEGIN CERTIFICATE-----
[certificate body removed]
-----END CERTIFICATE-----
(kolla-toolbox)[root@k-node1 /]# curl https://10.10.1.205:9200/.kibana --cacert /etc/pki/ca-trust/source/anchors/kolla-customca-haproxy-internal.crt
{".kibana_1":{"aliases":{".kibana":{}},"mappings":{"doc":{"dynamic":"strict","properties":{"config":{"dynamic":"true","properties":{"buildNum":{"type":"keyword"}}},"dashboard":{"properties":{"description":{"type":"text"},"hits":{"type":"integer"},"kibanaSavedObjectMeta":{"properties":{"searchSourceJSON":{"type":"text"}}},"optionsJSON":{"type":"text"},"panelsJSON":{"type":"text"},"refreshInterval":{"properties":{"display":{"type":"keyword"},"pause":{"type":"boolean"},"section":{"type":"integer"},"value":{"type":"integer"}}},"timeFrom":{"type":"keyword"},"timeRestore":{"type":"boolean"},"timeTo":{"type":"keyword"},"title":{"type":"text"},"uiStateJSON":{"type":"text"},"version":{"type":"integer"}}},"index-pattern":{"properties":{"fieldFormatMap":{"type":"text"},"fields":{"type":"text"},"intervalName":{"type":"keyword"},"notExpandable":{"type":"boolean"},"sourceFilters":{"type":"text"},"timeFieldName":{"type":"keyword"},"title":{"type":"text"},"type":{"type":"keyword"},"typeMeta":{"type":"keyword"}}},"kql-telemetry":{"properties":{"optInCount":{"type":"long"},"optOutCount":{"type":"long"}}},"migrationVersion":{"type":"object","dynamic":"true"},"namespace":{"type":"keyword"},"search":{"properties":{"columns":{"type":"keyword"},"description":{"type":"text"},"hits":{"type":"integer"},"kibanaSavedObjectMeta":{"properties":{"searchSourceJSON":{"type":"text"}}},"sort":{"type":"keyword"},"title":{"type":"text"},"version":{"type":"integer"}}},"server":{"properties":{"uuid":{"type":"keyword"}}},"timelion-sheet":{"properties":{"description":{"type":"text"},"hits":{"type":"integer"},"kibanaSavedObjectMeta":{"properties":{"searchSourceJSON":{"type":"text"}}},"timelion_chart_height":{"type":"integer"},"timelion_columns":{"type":"integer"},"timelion_interval":{"type":"keyword"},"timelion_other_interval":{"type":"keyword"},"timelion_rows":{"type":"integer"},"timelion_sheet":{"type":"text"},"title":{"type":"text"},"version":{"type":"integer"}}},"type":{"type":"keyword"},"updated_at":{"
type":"date"},"url":{"properties":{"accessCount":{"type":"long"},"accessDate":{"type":"date"},"createDate":{"type":"date"},"url":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":2048}}}}},"visualization":{"properties":{"description":{"type":"text"},"kibanaSavedObjectMeta":{"properties":{"searchSourceJSON":{"type":"text"}}},"savedSearchId":{"type":"keyword"},"title":{"type":"text"},"uiStateJSON":{"type":"text"},"version":{"type":"integer"},"visState":{"type":"text"}}}}}},"settings":{"index":{"number_of_shards":"1","auto_expand_replicas":"0-1","provided_name":".kibana_1","creation_date":"1588055326408","number_of_replicas":"1","uuid":"5cRMGCAbR4ukQPVqyl-kkA","version":{"created":"6080899"}}}}}curl (https://10.10.1.205:9200/.kibana): response: 200, time: 0.010410, size: 2719
(kolla-toolbox)[root@k-node1 /]# curl https://10.10.1.205:9200/.kibana
curl (https://10.10.1.205:9200/.kibana): response: 000, time: 0.000128, size: 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
(kolla-toolbox)[root@k-node1 /]# cat /etc/redhat-release
CentOS Linux release 8.1.1911 (Core)
```
According to https://docs.openstack.org/kolla-ansible/latest/admin/advanced-configuration.html my config ought to be OK, but it failed.
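An added diagnostic (not part of the bug report or of kolla-ansible) that reproduces the two code paths the output above compares: Ansible's uri task verifies through Python's default SSLContext, which reads the system bundle that update-ca-trust builds from the anchors directory, while curl --cacert trusts the anchor file directly. The anchor path and URL are taken from the report; the function names and the diagnosis layout are assumptions.

```python
# Constructed diagnostic for this report (not kolla-ansible code). Ansible's uri
# module verifies with Python's default SSLContext, i.e. the system bundle that
# update-ca-trust builds; curl --cacert trusts the anchor file directly.
import re
import ssl
from urllib.error import URLError
from urllib.request import urlopen

ANCHOR = "/etc/pki/ca-trust/source/anchors/kolla-customca-haproxy-internal.crt"  # from report
URL = "https://10.10.1.205:9200/.kibana"                                         # from report
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def pem_to_ders(pem_text):
    """DER bytes of every certificate block in a PEM file."""
    return [ssl.PEM_cert_to_DER_cert(m.group(0)) for m in PEM_RE.finditer(pem_text)]

def missing_from_default_store(ders):
    """Anchors the default context (what uri uses) has NOT loaded; non-empty means
    the file never reached the bundle, e.g. update-ca-trust was not run. Caveat:
    get_ca_certs() lists only certs OpenSSL treats as CAs, so a self-signed leaf
    without CA:TRUE always shows as missing; the fetch() results are authoritative."""
    loaded = set(ssl.create_default_context().get_ca_certs(binary_form=True))
    return [d for d in ders if d not in loaded]

def fetch(url, cafile=None, timeout=5):
    """GET url. cafile=None mirrors validate_certs: true (system store only);
    cafile=ANCHOR mirrors curl --cacert. Returns (ok, detail)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urlopen(url, context=ctx, timeout=timeout) as resp:
            return True, "HTTP %d" % resp.status
    except URLError as exc:  # wraps ssl.SSLCertVerificationError
        return False, str(exc.reason)
    except OSError as exc:
        return False, str(exc)

def diagnose(anchor_path=ANCHOR, url=URL):
    with open(anchor_path) as fh:
        ders = pem_to_ders(fh.read())
    return {
        "bundle_python_reads": ssl.get_default_verify_paths().cafile,
        "certs_in_anchor_file": len(ders),
        "anchors_missing_from_default_store": len(missing_from_default_store(ders)),
        "verify_via_system_store": fetch(url),
        "verify_via_anchor_file": fetch(url, cafile=anchor_path),
    }

if __name__ == "__main__":
    for key, value in diagnose().items():
        print("%-36s %s" % (key, value))
```

Run it inside kolla_toolbox: if verify_via_anchor_file succeeds while verify_via_system_store fails, the anchor is valid but the bundle Python reads does not contain it.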

XiaojueGuan (xiaojuegaun) wrote:

It seems that it's a malfunction of system certification in CentOS 8.

Changed in kolla-ansible:
assignee: nobody → XiaojueGuan (xiaojuegaun)
OpenStack Infra (hudson-openstack) wrote: Fix proposed to kolla-ansible (master)

Fix proposed to branch: master
Review: https://review.opendev.org/724217

Changed in kolla-ansible:
status: New → In Progress
XiaojueGuan (xiaojuegaun) wrote:

Should we make kolla_toolbox able to support setting validate_certs to "no" when upstream doesn't support system certification, or on failure of system certification?

Changed in kolla-ansible:
assignee: XiaojueGuan (xiaojuegaun) → James Kirsch (generalfuzz)
Changed in kolla-ansible:
assignee: James Kirsch (generalfuzz) → XiaojueGuan (xiaojuegaun)
Mark Goddard (mgoddard) wrote:

XiaojueGuan, are you hitting this while testing or in production? I would not recommend using self-signed certs in production.

XiaojueGuan (xiaojuegaun) wrote:

Sorry for the delayed reply, I was hitting this while testing.

Tom Fifield (fifieldt) wrote:

Questions from the patch:

"""
Thanks for the output upload. It looks like it didn't fail due to self signed cert validation, but an SSL parsing failure.

1. Did you use the Kolla Ansible certification generation task to generate your cert?
2. Could you validate that you run into this issue if you deploy on an Ubuntu based openstack deploy?
"""

Changed in kolla-ansible:
status: In Progress → Incomplete