horizon login fails with TLS enabled

Bug #1625648 reported by bjolo
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
kolla | Fix Released | Critical | Dave McCowan |
Newton | Fix Released | Critical | Dave McCowan |

Bug Description

Everything works without TLS. Destroy and deploy and TLS works on the command line, and also curl -i -H with admin and password inside the horizon container works. However, login to the web UI does not work.

Error message on horizon UI is: "Unable to establish connection to keystone endpoint."

horizon debug log.
http://paste.openstack.org/show/582247/

Keystone log shows nothing, like horizon does not even try to contact keystone, i.e. it really fails to find keystone.

Steven Dake (sdake)
Changed in kolla:
milestone: none → newton-rc2
importance: Undecided → Critical
status: New → Triaged
zhubingbing (zhubingbing) wrote :

I can't reproduce this bug; can you give me more information?

bjolo (bjorn-lofdahl) wrote :

Have not tried since I created the bug report, but that was a while ago. Let me try again to see if I can reproduce.

Paul Bourke (pauldbourke) wrote :

I see from the logs:

[Tue Sep 20 15:53:06.670637 2016] [:error] [pid 19] Unable to establish connection to https://foglight.mydomain.net:5000/v3/auth/tokens

Is that the correct domain for your keystone endpoint?

bjolo (bjorn-lofdahl) wrote :

Hi all,

Can confirm that I just reproduced the bug. CentOS source; kolla master.

pbourke: no, that is not my real domain, but the DNS is working properly. As stated initially, a deployment w/o TLS works just fine. Then I enable TLS in globals.yml and login to horizon does not work.

Steven Dake (sdake)
Changed in kolla:
milestone: newton-rc2 → newton-rc3
Changed in kolla:
assignee: nobody → Dave McCowan (dave-mccowan)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla (master)

Fix proposed to branch: master
Review: https://review.openstack.org/386975

Steven Dake (sdake) wrote :

bjolo,

Can you verify by cherrypicking the proposed patches and see if they resolve the TLS problem? Hit me up on IRC if you need any help so we can get this fixed and closed out for 3.0.0.

Thanks!
-steve

Changed in kolla:
milestone: newton-rc3 → ocata-1
status: In Progress → Confirmed
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla (master)

Reviewed: https://review.openstack.org/386975
Committed: https://git.openstack.org/cgit/openstack/kolla/commit/?id=cc2dde0854e72ed3361f8a7b54cde091a04e17cc
Submitter: Jenkins
Branch: master

commit cc2dde0854e72ed3361f8a7b54cde091a04e17cc
Author: Dave McCowan <email address hidden>
Date: Sat Oct 15 18:50:41 2016 -0400

    OpenStack Services Should Use keystone_internal_url for auth

    Horizon and Neutron mistakenly were using keystone_public_url
    for authentication. This works without error in deployments
    when the internal services happen to have access to the
    public network, but it is still wrong. This fails to work
    when the internal services can not access the public URLs,
    for example when TLS is enabled on the public endpoints.

    This patch corrects horizon and neutron to use
    keystone_internal_url for auth.

    Change-Id: I59b9094364bef375036028ba86a771dabf28c963
    Closes-bug: #1625648
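
A pre-deployment check in the spirit of the fix above, added here as an example (it is not code from kolla or from the commit): it scans rendered service configuration for auth URLs that point at the public Keystone endpoint. The sample configs, URLs and function names are constructed assumptions; `OPENSTACK_KEYSTONE_URL` and `auth_url` are the Horizon and oslo-style option names.

```python
import configparser
import re
from urllib.parse import urlsplit

# Constructed sample values: stand-ins for keystone_public_url and rendered configs.
PUBLIC_URL = "https://cloud.example.net:5000"
NEUTRON_CONF = """\
[keystone_authtoken]
auth_url = http://10.0.0.10:35357

[nova]
auth_url = https://cloud.example.net:5000/v3
"""
HORIZON_SETTINGS = 'OPENSTACK_KEYSTONE_URL = "https://cloud.example.net:5000/v3"\n'


def origin(url):
    """Reduce a URL to (scheme, host, port); paths such as /v3 are ignored."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return parts.scheme, parts.hostname, port


def ini_auth_urls(text):
    """Return (location, url) for each auth_url option in an oslo-style INI file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return [(f"[{s}] auth_url", cp.get(s, "auth_url"))
            for s in cp.sections() if cp.has_option(s, "auth_url")]


def horizon_auth_urls(text):
    """Return (location, url) for OPENSTACK_KEYSTONE_URL in Horizon local_settings."""
    m = re.search(r'^OPENSTACK_KEYSTONE_URL\s*=\s*["\']([^"\']+)["\']', text, re.M)
    return [("OPENSTACK_KEYSTONE_URL", m.group(1))] if m else []


def find_public_auth(settings, public_url):
    """List the settings whose URL targets the public Keystone endpoint."""
    return [loc for loc, url in settings if origin(url) == origin(public_url)]


def audit():
    """Run the check over the constructed sample configs above."""
    settings = ini_auth_urls(NEUTRON_CONF) + horizon_auth_urls(HORIZON_SETTINGS)
    return find_public_auth(settings, PUBLIC_URL)


if __name__ == "__main__":
    for location in audit():
        print(f"uses public Keystone endpoint for auth: {location}")
```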

Changed in kolla:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla (stable/newton)

Reviewed: https://review.openstack.org/387051
Committed: https://git.openstack.org/cgit/openstack/kolla/commit/?id=c6cd09b3c0a0b9e3327f63056ee6d649b222d463
Submitter: Jenkins
Branch: stable/newton

commit c6cd09b3c0a0b9e3327f63056ee6d649b222d463
Author: Dave McCowan <email address hidden>
Date: Sat Oct 15 18:50:41 2016 -0400

    OpenStack Services Should Use keystone_internal_url for auth

    Horizon and Neutron mistakenly were using keystone_public_url
    for authentication. This works without error in deployments
    when the internal services happen to have access to the
    public network, but it is still wrong. This fails to work
    when the internal services can not access the public URLs,
    for example when TLS is enabled on the public endpoints.

    This patch corrects horizon and neutron to use
    keystone_internal_url for auth.

    Change-Id: I59b9094364bef375036028ba86a771dabf28c963
    Closes-bug: #1625648

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla 3.0.0.0rc3

This issue was fixed in the openstack/kolla 3.0.0.0rc3 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla 4.0.0.0b1

This issue was fixed in the openstack/kolla 4.0.0.0b1 development milestone.
