juju on microstack fails due to certificate issue

Bug #1955133 reported by Eskild Jacobsen
This bug affects 2 people
Affects: MicroStack
Status: Triaged
Importance: Critical
Assigned to: Unassigned

Bug Description

When following the description outlined on this page to the letter, setting up microstack and juju, I encountered an issue. https://microstack.run/docs/using-juju. I used the single-node variant.

When issuing juju-bootstrap, I get an error which indicates that the microstack installation only accepts https, but the instructions and yaml file use plain http.
##########
ERROR authentication failed.: authentication failed
caused by: requesting token: request (http://10.10.10.145:5000/v3/auth/tokens) returned unexpected status: 400; error info: <html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
##########

When trying to correct the microstack.yaml file and the other references to http to use https instead of plain http, I get:
##########
ERROR authentication failed.: authentication failed
caused by: requesting token: failed executing the request https://10.10.10.145:5000/v3/auth/tokens
caused by: Post "https://10.10.10.145:5000/v3/auth/tokens": x509: certificate signed by unknown authority
##########

Please advise.

Best regards,

Eskild

Billy Olsen (billy-olsen) wrote :

Thanks for taking the time to raise this bug. Indeed, the instructions at the website need to be updated; thank you for pointing that out.

If you source the microstack.rc file [0] and walk through the local add cloud instructions with interactive prompt for juju [1], it should set you straight as Juju will import the certificate into the cloud configuration based on the currently configured OS_* environment values.

Alternatively, you can update your ~/.local/share/juju/clouds.yaml file to add the ca-certificates key field with the contents of the microstack self-signed certificate [2].

As a note, you'll still need to go through the steps of creating the local simplestreams metadata sources.

An example of the one on my box is shown below for clarity:

clouds:
  microstack:
    type: openstack
    auth-types: [userpass]
    endpoint: https://192.168.6.43:5000/v3
    regions:
      microstack:
        endpoint: https://192.168.6.43:5000/v3
    ca-certificates:
    - |
      -----BEGIN CERTIFICATE-----
      MIIC/TCCAeWgAwIBAgIUMCVV46GDNqvbNSpPG9fSXZvwCSIwDQYJKoZIhvcNAQEL
      BQAwHDEaMBgGA1UEAwwRcmVkLnRoZW9sc2Vucy54eXowHhcNMjExMjE3MTY0NDM3
      WhcNMzExMjE3MTY0NDM3WjAcMRowGAYDVQQDDBFyZWQudGhlb2xzZW5zLnh5ejCC
      ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALZGUTL/ILK1B7XWwNnrFv1P
      rHsa3j3aokEwlYfa+CbGjE0rhAVQ5FydfCv8AGNRKBcIhrPDGBV/LFII7B0Xr+8u
      af0b78dvuOxyULYwkBdL9cQA/eYg3o97qVcYLcs4JSkRLDtyxvVlGbaVHgzYtAoe
      3Qq4zsWhErrK9HWJyzlFXfdmpTAk0VjKqq+cUhpaGQg7uJ+tGb/eR1aPgk7HQugz
      r/qnDB67WxWzXKL7lb59/LcSTiKr6klFjv7xj7o8TbeeHf0VtvDqhjCrDyWSgPdO
      lJHjQTmH5MzB0SgLHiU5i2EDyP/HcCByVRI9gl7ZrARelnU5X2dQKW8c28kc7n8C
      AwEAAaM3MDUwDwYDVR0TBAgwBgEB/wIBADAiBgNVHREEGzAZghFyZWQudGhlb2xz
      ZW5zLnh5eocEwKgGKzANBgkqhkiG9w0BAQsFAAOCAQEAgu7wPFn73LCtslNiLExq
      Bb0KhaSC81Pp4OunsNpR3o4MayB1vJIAhJuNQqOQrLw04bLCgTXDS1y33IcX1RJU
      3JQA4hkPGjnTyy3bjRDIbSZZN+kD7/hThILAUR3BioBJGOHgOhaCqeJ+lkbDU0PP
      b2uFnHqFTG4wCmqATdioLxZdJXAwwTNJKkAvJvZ34zrKAKmNk+/2vFNwra9c9ZVL
      Ywoi43wBMsf5aUuiuBP7YQR8qV5wsa1CafyuVOOh1jFl9/ruwxVafvGpiEKmzQDh
      QxIsBS4OPaKxVMZZX5h7Fh4k55cVk+7hWw9aNh0yq064oqN5f6z84yf5Wg6ZVn69
      dw==
      -----END CERTIFICATE-----

[0] /var/snap/microstack/common/etc/microstack.rc
[1] https://juju.is/docs/olm/openstack
[2] /var/snap/microstack/common/etc/ssl/certs/cacert.pem

Changed in microstack:
status: New → Triaged
importance: Undecided → Critical
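
Added example, not part of the original comments and not code from Juju or MicroStack: a Python sketch of the second option described above, rendering a clouds.yaml entry that carries the CA certificate under ca-certificates so the HTTPS endpoint is verified against it. The function name render_cloud, the 192.0.2.10 address and the SAMPLE_CA placeholder are constructed for illustration; the YAML keys are the ones shown in the example above.

```python
import re
import ssl

# One PEM certificate block; re.S lets the body span several lines.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

# Constructed sample: PEM-shaped placeholder, not a real certificate.
SAMPLE_CA = ("-----BEGIN CERTIFICATE-----\n"
             "Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLVJFQUwtQ0VSVA==\n"
             "-----END CERTIFICATE-----\n")


def render_cloud(name, endpoint, ca_pem):
    """Return clouds.yaml text for an OpenStack cloud that trusts ca_pem."""
    if not endpoint.startswith("https://"):
        # A plain-HTTP endpoint is what produced the 400 in the report.
        raise ValueError("endpoint must use https://: " + endpoint)
    if "PRIVATE KEY" in ca_pem:
        # Only the certificate belongs in a client-side config file.
        raise ValueError("CA input contains a private key")
    certs = PEM_CERT.findall(ca_pem)
    if not certs:
        raise ValueError("no PEM certificate found in CA input")
    lines = [
        "clouds:",
        f"  {name}:",
        "    type: openstack",
        "    auth-types: [userpass]",
        f"    endpoint: {endpoint}",
        "    regions:",
        f"      {name}:",
        f"        endpoint: {endpoint}",
        "    ca-certificates:",
    ]
    for cert in certs:
        # Raises ValueError on bad PEM framing or base64 padding.
        ssl.PEM_cert_to_DER_cert(cert)
        lines.append("    - |")  # YAML literal block, one list item per cert
        lines.extend("      " + row for row in cert.splitlines())
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_cloud("microstack", "https://192.0.2.10:5000/v3", SAMPLE_CA))
```

Pass the contents of /var/snap/microstack/common/etc/ssl/certs/cacert.pem as ca_pem and the Keystone URL of your own installation as endpoint.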
Ghislain Bourgeois (ghibourg) wrote :

I encountered the same issue and took the opportunity to fix the documentation. I did not have edit access to the discourse post, so I replied with the whole document corrected. You can find it here: https://discourse.ubuntu.com/t/using-juju/18260/5

Updating the first with the content of my post should be enough to close this ticket.
