Octavia ussuri could not decrypt the certs

Bug #1881774 reported by BN
Affects: kolla-ansible | Status: Expired | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

---
# You can use this file to override _any_ variable throughout Kolla.
# Additional options can be found in the
# 'kolla-ansible/ansible/group_vars/all.yml' file. Default value of all the
# commented parameters are shown here, To override the default value uncomment
# the parameter and change its value.
kolla_base_distro: "centos"
kolla_install_type: "source"
openstack_release: "ussuri"
kolla_internal_vip_address: "10.0.1.5"
network_interface: "enp2s0f0"
neutron_external_interface: "enp2s0f1"
enable_neutron_provider_networks: "yes"
neutron_tenant_network_types: "vxlan,flat"
enable_barbican: "yes"
enable_designate: "yes"
dns_interface: "enp2s0f0"
designate_ns_record: "tribal.local"
designate_backend: "bind9"
enable_manila: "yes"
enable_redis: "yes"
enable_magnum: "yes"
enable_octavia: "yes"
enable_heat: "yes"
magnum_tag: "master"
heat_tag: "master"
glance_enable_rolling_upgrade: "no"
barbican_crypto_plugin: "simple_crypto"
barbican_library_path: "/usr/lib/libCryptoki2_64.so"
horizon_port: 80
#octavia_loadbalancer_topology: "SINGLE"

------------------------------------------------------------------

Both changes are merged with k-a: https://review.opendev.org/#/c/720243/ & https://review.opendev.org/#/c/727160/
------------------------------------------------------------------

Certs were created via the official guide - https://docs.openstack.org/octavia/latest/admin/guides/certificates.html

ls -all /etc/kolla/config/octavia/
total 24
drwxr-xr-x 2 root root 4096 Jun 1 22:23 .
drwxr-xr-x 8 root root 4096 Jun 1 22:22 ..
-rw-r--r-- 1 root root 2017 Jun 1 22:23 client_ca.cert.pem
-rwx------ 1 root root 3460 Jun 1 22:23 client.cert-and-key.pem
-rw-r--r-- 1 root root 2017 Jun 1 22:23 server_ca.cert.pem
-r-------- 1 root root 3326 Jun 1 22:23 server_ca.key.pem

Error message - http://paste.openstack.org/show/794245/

openssl rsa -in /etc/octavia/certs/server_ca.key.pem - works within the container when using the passphrase.

Revision history for this message
BN (zatoichy) wrote :

Once I've added manually -

[certificates]
cert_generator = local_cert_generator
ca_certificate = /etc/octavia/certs/server_ca.cert.pem
ca_private_key = /etc/octavia/certs/server_ca.key.pem
ca_private_key_passphrase = my passphrase (not decoded)

[controller_worker]
client_ca = /etc/octavia/certs/client_ca.cert.pem

[haproxy_amphora]
client_cert = /etc/octavia/certs/client.cert-and-key.pem
server_ca = /etc/octavia/certs/server_ca.cert.pem

The issue was resolved. However, now I am getting a new error related to nova:
http://paste.openstack.org/show/794260/

Revision history for this message
Mark Goddard (mgoddard) wrote :

I expect you probably just needed ca_private_key_passphrase. There is an ansible variable for this in passwords.yml: octavia_ca_password

Changed in kolla-ansible:
status: New → Incomplete
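The two comments above point at the same configuration contract: the CA private key under /etc/octavia/certs must decrypt with the passphrase that kolla-ansible takes from octavia_ca_password in passwords.yml, and that key must belong to the CA certificate. The following shell script is an added example (not from the bug report, kolla-ansible or Octavia) that checks exactly that before a deploy. It builds a throwaway CA with openssl so it runs offline; the directory layout, the passwords.yml snippet and the passphrase are constructed for the demo, and the YAML reader assumes one plain `key: value` per line as kolla's passwords.yml uses.

```shell
#!/bin/sh
# Added example: pre-deploy consistency check for Octavia CA material.
# Not part of the bug report, kolla-ansible or Octavia.

# Print the scalar value of key $2 from a kolla-style passwords.yml ($1).
# Assumes one "key: value" per line (optional double quotes), no anchors.
yaml_scalar() {
  sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | sed 's/^"//; s/"$//'
}

# Check that passphrase $2 decrypts PEM key $1 and that the key's public
# half equals the public key inside certificate $3. Non-zero on failure;
# a wrong or empty passphrase is the "could not decrypt" case from the report.
check_ca_material() {
  key="$1"; passphrase="$2"; cert="$3"
  key_pub=$(openssl pkey -in "$key" -passin "pass:$passphrase" -pubout 2>/dev/null) || {
    echo "FAIL: cannot decrypt $key with the supplied passphrase"; return 1; }
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
    echo "FAIL: cannot parse certificate $cert"; return 1; }
  [ "$key_pub" = "$cert_pub" ] || {
    echo "FAIL: $key does not belong to $cert"; return 1; }
  echo "ok: $key decrypts and matches $cert"
}

# Constructed test material: a self-signed CA encrypted with passphrase $1,
# plus a passwords.yml recording it, in a fresh temp dir (path is printed).
make_demo_ca() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -sha256 -days 1 -subj "/CN=demo-octavia-ca" \
    -keyout "$dir/server_ca.key.pem" -out "$dir/server_ca.cert.pem" \
    -passout "pass:$1" >/dev/null 2>&1 || return 1
  chmod 400 "$dir/server_ca.key.pem"
  printf 'octavia_ca_password: %s\n' "$1" > "$dir/passwords.yml"
  echo "$dir"
}

# What an operator would run before "kolla-ansible deploy": take the passphrase
# from passwords.yml and verify it against the files in the config directory.
verify_octavia_certs() {
  cfg="$1"
  pw=$(yaml_scalar "$cfg/passwords.yml" octavia_ca_password)
  [ -n "$pw" ] || { echo "FAIL: octavia_ca_password not set in passwords.yml"; return 1; }
  check_ca_material "$cfg/server_ca.key.pem" "$pw" "$cfg/server_ca.cert.pem"
}

demo=$(make_demo_ca 'demo-passphrase')
verify_octavia_certs "$demo"
# The failure mode from the report: passphrase missing from octavia.conf
check_ca_material "$demo/server_ca.key.pem" '' "$demo/server_ca.cert.pem" || true
rm -rf "$demo"
```

In a real deployment, point `verify_octavia_certs` at a directory holding the copied /etc/kolla/config/octavia/server_ca.* files together with the generated passwords.yml; a FAIL on the decrypt step means octavia_ca_password does not match the passphrase the key was created with, which is the mismatch that produced the "could not decrypt" error here.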
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for kolla-ansible because there has been no activity for 60 days.]

Changed in kolla-ansible:
status: Incomplete → Expired