[Yoga] Cloudkitty processor certificate verify failed when using Private Certificate authority

Bug #2040104 reported by Wodel Youchi
This bug affects 2 people
Affects: kolla-ansible
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Hi,

What happened:
Recently our commercial certificate expired, so to make things work again quickly we created a Private Certificate Authority.

We had a first problem while bootstrapping cloudkitty, but it was corrected using this: https://review.opendev.org/c/openstack/kolla-ansible/+/866598

But after that we keep seeing these errors in cloudkitty-processor.log:
2023-10-22 14:07:38.527 573987 ERROR cloudkitty.orchestrator return self.get_access(session).auth_token
2023-10-22 14:07:38.527 573987 ERROR cloudkitty.orchestrator File "/var/lib/kolla/venv/lib/python3.6/site-packages/keystoneauth1/identity/base.py", line 134, in get_access
2023-10-22 14:07:38.527 573987 ERROR cloudkitty.orchestrator self.auth_ref = self.get_auth_ref(session)
2023-10-22 14:07:38.527 573987 ERROR cloudkitty.orchestrator File "/var/lib/kolla/venv/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py", line 206, in get_auth_ref
2023-10-22 14:07:38.527 573987 ERROR cloudkitty.orchestrator self._plugin = self._do_create_plugin(session)
2023-10-22 14:07:38.527 573987 ERROR cloudkitty.orchestrator File "/var/lib/kolla/venv/lib/python3.6/site-packages/keystoneauth1/identity/generic/base.py", line 161, in _do_create_plugin
2023-10-22 14:07:38.527 573987 ERROR cloudkitty.orchestrator 'auth_url is correct. %s' % e)
2023-10-22 14:07:38.527 573987 ERROR cloudkitty.orchestrator keystoneauth1.exceptions.discovery.DiscoveryFailure: Could not find versioned identity endpoints when attempting to authenticate. Please check that your auth_url is correct. SSL exception connecting to https://dashint.domaine.tld:35357: HTTPSConnectionPool(host='dashint.domain.tld', port=35357): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))
2023-10-22 14:07:38.527 573987 ERROR cloudkitty.orchestrator

What you expected to happen:
Cloudkitty container runs without errors

How to reproduce it (minimal and precise):
kolla-ansible -i multinode certificates
kolla-ansible -i multinode reconfigure

**Environment**:
* OS (e.g. from /etc/os-release):
[root@controllerb ~]# cat /etc/os-release
NAME="Rocky Linux"
VERSION="8.8 (Green Obsidian)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="8.8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Rocky Linux 8.8 (Green Obsidian)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:8:GA"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2029-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-8"
ROCKY_SUPPORT_PRODUCT_VERSION="8.8"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.8"

* Kernel (e.g. `uname -a`):
[root@controllerb ~]# uname -a
Linux controllerb 4.18.0-477.10.1.el8_8.x86_64 #1 SMP Tue May 16 11:38:37 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

* Docker version if applicable (e.g. `docker version`):
[root@controllerb ~]# docker version
Client: Docker Engine - Community
 Version: 24.0.2
 API version: 1.43
 Go version: go1.20.4
 Git commit: cb74dfc
 Built: Thu May 25 21:53:10 2023
 OS/Arch: linux/amd64
 Context: default

Server: Docker Engine - Community
 Engine:
  Version: 24.0.2
  API version: 1.43 (minimum version 1.12)
  Go version: go1.20.4
  Git commit: 659604f
  Built: Thu May 25 21:52:10 2023
  OS/Arch: linux/amd64
  Experimental: false
 containerd:
  Version: 1.6.21
  GitCommit: 3dce8eb055cbb6872793272b4f20ed16117344f8
 runc:
  Version: 1.1.7
  GitCommit: v1.1.7-0-g860f061
 docker-init:
  Version: 0.19.0
  GitCommit: de40ad0

* Kolla-Ansible version (e.g. `git head or tag or stable branch` or pip package version if using release):
(yogavenv) [deployer@rscdeployer yogakolla]$ pip list | grep kolla
kolla-ansible 14.9.1.dev41

* Docker image Install type (source/binary):
kolla_install_type: "source"

* Docker image distribution:
centos-source

* Are you using official images from Docker Hub or self built?
I am using images from quay.io

* If self built - Kolla version and environment used to build:

* Share your inventory file, globals.yml and other configuration files if relevant
I have kolla_verify_tls_backend: "no" in globals.yml

Regards.
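
The following triage helper is an added example, not part of the original report and not kolla-ansible or CloudKitty code: it groups the TLS failures in an oslo.log-format file such as cloudkitty-processor.log by endpoint, and flags entries where the host in the auth URL differs from the host named in the connection pool, as it does in the line quoted above. The function name `tls_failures` and the repeated second sample line are constructed for illustration.

```python
import re
from collections import OrderedDict

# oslo.log prefix: "<date> <time> <pid> <LEVEL> <logger> <message>"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \d+ [A-Z]+ (?P<logger>\S+) ?(?P<msg>.*)$")
URL_RE = re.compile(r"SSL exception connecting to https://(?P<host>[^:/\s]+)(?::(?P<port>\d+))?")
POOL_RE = re.compile(r"HTTPSConnectionPool\(host='(?P<host>[^']+)', port=\d+\)")
REASON_RE = re.compile(r"\[SSL: (?P<reason>[A-Z_]+)\]")


def tls_failures(lines):
    """Group TLS failures by (logger, auth URL host, port), in first-seen order."""
    found = OrderedDict()
    for raw in lines:
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        msg = line["msg"]
        url, reason = URL_RE.search(msg), REASON_RE.search(msg)
        if not (url and reason):
            continue  # traceback frames and unrelated errors carry no endpoint
        pool = POOL_RE.search(msg)
        pool_host = pool["host"] if pool else None
        key = (line["logger"], url["host"], int(url["port"] or 443))
        entry = found.setdefault(key, {"reason": reason["reason"], "count": 0, "first": line["ts"]})
        entry["count"] += 1
        entry["last"] = line["ts"]
        entry["pool_host"] = pool_host
        # A difference is worth checking: a redirect, or log text edited by hand.
        entry["host_mismatch"] = pool_host is not None and pool_host != url["host"]
    return found


# Message text taken from the report; the 14:08 line is a constructed repeat.
_MSG = ("keystoneauth1.exceptions.discovery.DiscoveryFailure: Could not find versioned identity "
        "endpoints when attempting to authenticate. Please check that your auth_url is correct. "
        "SSL exception connecting to https://dashint.domaine.tld:35357: "
        "HTTPSConnectionPool(host='dashint.domain.tld', port=35357): Max retries exceeded with "
        "url: / (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] "
        "certificate verify failed (_ssl.c:897)'),))")
SAMPLE_LOG = [
    "2023-10-22 14:07:38.527 573987 ERROR cloudkitty.orchestrator " + _MSG,
    "2023-10-22 14:07:38.527 573987 ERROR cloudkitty.orchestrator",
    "2023-10-22 14:08:38.611 573987 ERROR cloudkitty.orchestrator " + _MSG,
]

if __name__ == "__main__":
    for (logger, host, port), entry in tls_failures(SAMPLE_LOG).items():
        print(logger, f"{host}:{port}", entry)
```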
