Newton: Haproxy and repo roles SSL issues when internal=extenal VIP

Bug #1650350 reported by Bjoern Teipel on 2016-12-15
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openstack-ansible
Medium
Unassigned

Bug Description

While the haproxy_server role enables SSL by default it also generates a self signed cert with

haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"

The repo depending roles like pip and all roles using pip seem to use http the internal VIP

openstack_repo_url: "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}"

which results in SSL errors

fatal: [infra01_galera_container-a200f8b8]: FAILED! => {"changed": false, "cmd": "/usr/local/bin/pip install -U --isolated --constraint https://172.19.43.253:8181/os-releases/14.0.3/requirements_absolute_requirements.txt ndg-httpsclient requests", "failed": true, "msg": "\n:stderr: /usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform.

and excessive use of fallback URLs.

This is on Ubuntu 14.04 where internal and external lb VIP address are set to the same internal IP and the issue is worsened that many references to internal_lb_vip_address are actually hard coded to HTTP only.

This issue can be worked around by setting proper URLs for
repo_pkg_cache_url, openstack_repo_url or just disabling SSL in haproxy via haproxy_ssl: false

At this point I would have welcomed the old behavior that HTTP is used only or we need to highlight this change inside the documentation because it will create a lot of issues for people upgrading from older versions

summary: - Newton: Haproxy and repo roles are not consistently configured for ssl
+ Newton: Haproxy and repo roles SSL issues when internal=extenal VIP
description: updated

Requires confirmation, has more than one issue within this report.

Changed in openstack-ansible:
importance: Undecided → Medium

Will require more than just a documentation highlight.

We've decided in our bug triage to classify this as Confirmed/Low.
Many ppl had issues in the past, so we can decide to fix this kind of things, or explain to assign another IP for internal and external VIP (even on the same subnet).

Anyway, there is a documentation to be done here (for the best practice part -- keeping 2 ips separate) and improvements (for the current code fixing when collocating).

Changed in openstack-ansible:
status: New → Confirmed
importance: Medium → Low
Arslan Qadeer (arslanqxgrid) wrote :

Same issue is hit on Ocata as well.

yes

Andy McCrae (andrew-mccrae) wrote :

Ok I'm moving this to a higher prio- the bug is impacting us and we need to either fix it or at a minimum fix the documentation.

Changed in openstack-ansible:
importance: Low → Medium
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers