2016-12-15 19:19:12 |
Bjoern |
description |
While the haproxy_server role enables SSL by default, it also generates a self-signed cert with
haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
The repo-dependent roles like pip, and all roles using pip, seem to use HTTP for the internal VIP
openstack_repo_url: "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}"
which results in SSL errors
fatal: [infra01_galera_container-a200f8b8]: FAILED! => {"changed": false, "cmd": "/usr/local/bin/pip install -U --isolated --constraint https://172.19.43.253:8181/os-releases/14.0.3/requirements_absolute_requirements.txt ndg-httpsclient requests", "failed": true, "msg": "\n:stderr: /usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform.
and excessive use of fallback URLs.
This is on Ubuntu 14.04, where the internal and external LB VIP addresses are set to the same internal IP, and the issue is worsened by the fact that many references to internal_lb_vip_address are actually hard-coded to HTTP only.
This issue can be worked around by setting proper URLs for
repo_pkg_cache_url and openstack_repo_url, or by just disabling SSL in haproxy via haproxy_ssl: false
At this point I would have welcomed the old behavior where only HTTP is used, or we need to highlight this change in the documentation, because it will create a lot of issues for people upgrading from older versions |
|