Ssl verify error in heat -> keystone communication

Bug #1814909 reported by Kamil Madac
This bug affects 3 people
Affects: OpenStack-Ansible
Status: Fix Released
Importance: Undecided
Assigned to: Kamil Madac
Milestone: (none)

Bug Description

In 18.1.3 with self-signed https enabled on haproxy, 'openstack stack list -vvvv' ends up with the following Internal Server Error:

SSL exception connecting to https://10.5.0.254:5000: HTTPSConnectionPool(host='10.5.0.254', port=5000): Max retries exceeded with url: / (Caused by SSLError(SSLError(\"bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)\",),))\n", "type": "SSLError"}, "title": "Internal Server Error"

The reason is that the self-signed certificate is not distributed to the heat containers. As a workaround I added the certificate /etc/ssl/certs/haproxy.cert from the haproxy node to /openstack/venvs/heat-18.1.3/lib/python2.7/site-packages/certifi/cacert.pem, since the requests Python library uses the certifi package for validating the trustworthiness of SSL certificates.

The correct way to solve the bug would be to add the self-signed certificate to /etc/ssl/certs/ca-certificates.crt and set the environment variable REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt in the systemd heat services, so that the system certificates are used.
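The trust path the description lays out, as an added example (not code from the bug report or from OpenStack-Ansible): it mirrors the bundle lookup order the requests library applies when verify=True, checks whether a certificate is already present in the bundle a process actually trusts, and renders the systemd drop-in the reporter describes. The PEM blobs are constructed placeholders wrapping arbitrary bytes, not real certificates, and the certifi fallback path is a placeholder when certifi is not importable.

```python
"""Diagnose which CA bundle a requests-based service trusts and whether a
given self-signed certificate is present in it (stdlib only)."""
import base64
import re

try:
    import certifi
    DEFAULT_CERTIFI_PATH = certifi.where()   # the venv's cacert.pem
except ImportError:
    DEFAULT_CERTIFI_PATH = "<venv>/site-packages/certifi/cacert.pem"  # placeholder


def resolve_ca_bundle(env):
    """Mirror requests' order for verify=True: REQUESTS_CA_BUNDLE first,
    then CURL_CA_BUNDLE, otherwise the certifi bundle shipped in the venv.
    Without the env var, a cert appended to the system bundle is ignored."""
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if env.get(var):
            return env[var]
    return DEFAULT_CERTIFI_PATH


_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_set(pem_text):
    """Decode every CERTIFICATE block to DER bytes so the comparison ignores
    line wrapping and the comments ca-certificates.crt carries between blocks."""
    return {base64.b64decode("".join(m.split())) for m in _PEM_RE.findall(pem_text)}


def bundle_contains(bundle_pem, cert_pem):
    """True if every certificate in cert_pem is already in bundle_pem."""
    wanted = pem_to_der_set(cert_pem)
    return bool(wanted) and wanted <= pem_to_der_set(bundle_pem)


def systemd_dropin(bundle_path):
    """Override snippet that points heat's units at the system bundle."""
    return "[Service]\nEnvironment=REQUESTS_CA_BUNDLE=%s\n" % bundle_path


def placeholder_pem(label):
    """Constructed PEM block around arbitrary bytes; NOT a real certificate."""
    body = base64.b64encode(label.encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


HAPROXY_CERT = placeholder_pem("constructed: self-signed haproxy cert")
CERTIFI_BUNDLE = placeholder_pem("constructed: public root A") + \
    placeholder_pem("constructed: public root B")
SYSTEM_BUNDLE = CERTIFI_BUNDLE + "# haproxy.cert appended\n" + HAPROXY_CERT
```

Running bundle_contains against resolve_ca_bundle(os.environ) on a heat container shows directly whether the self-signed cert is visible to the process or only sits in a bundle it never reads.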

Revision history for this message
Kamil Madac (kamil-madac) wrote :

Here is the patch we did in our Rocky OSA deployment to solve the bug:

http://paste.openstack.org/show/744947/

It basically adds the environment variable REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt to the heat systemd services.

Revision history for this message
panic! (thomas-schend) wrote :

+1

Revision history for this message
panic! (thomas-schend) wrote :

Just verified this a few minutes ago. Solves the issue for me. Nevertheless, the practice of going to the external API should be questioned.

Revision history for this message
panic! (thomas-schend) wrote :

Another note:

The patch fixes the problem with heat service but it does not fix the issue that horizon does not display the orchestration tab under admin - system - system information.

Maybe the horizon container needs the same patch for the systemd service. Not validated yet.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (master)

Fix proposed to branch: master
Review: https://review.openstack.org/639601

Changed in openstack-ansible:
assignee: nobody → Kamil Madac (kamil-madac)
status: New → In Progress
Revision history for this message
masterpe (michiel-y) wrote :

After testing this patch, I get the following error:

TASK [Regenerate certs] ********************************************************
changed: [controller01_heat_api_container-bd6c1c98]

RUNNING HANDLER [os_heat : Restart heat services] ******************************
fatal: [controller01_heat_api_container-bd6c1c98]: FAILED! => {"msg": "'heat_uwsgi_bin' is undefined"}

The task "Distribute self signed ssl cert" notifies the handler, but somehow the heat_uwsgi_bin variable isn't loaded.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible-os_heat (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/672948

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible-os_heat (master)

Reviewed: https://review.opendev.org/672948
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_heat/commit/?id=288634ce0bf042bed614b3f764753d7b65a7170f
Submitter: Zuul
Branch: master

commit 288634ce0bf042bed614b3f764753d7b65a7170f
Author: Jonathan Rosser <email address hidden>
Date: Fri Jul 26 11:20:48 2019 +0100

    Fix keystone endpoint for heat servers

    This patch changes the heat config so that communication between
    the heat service and the other internal parts of openstack occurs over
    the internal API endpoint, but a new heat configuration option [1] is set
    which ensures that the keystone endpoint written into server configs
    points to the external API endpoint.

    This should address several long running SSL related failures when self
    signed certificates are used, and allows heat to work correctly when the
    internal and external endpoints are on different networks.

    Change-Id: I533ab16557cb83e2791dbb7267a97fb0d44e9ba6
    Fixes-Bug: 1811086
    Fixes-Bug: 1820591
    Related-Bug: 1824646
    Related-Bug: 1814909
    Depends-On: https://review.opendev.org/678062

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible-os_heat (stable/stein)

Related fix proposed to branch: stable/stein
Review: https://review.opendev.org/688895

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible-os_heat (stable/stein)

Reviewed: https://review.opendev.org/688895
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_heat/commit/?id=eccb5c13fec9d9efcccb821dbcf0f344cd515eec
Submitter: Zuul
Branch: stable/stein

commit eccb5c13fec9d9efcccb821dbcf0f344cd515eec
Author: Jonathan Rosser <email address hidden>
Date: Fri Jul 26 11:20:48 2019 +0100

    Fix keystone endpoint for heat servers

    This patch changes the heat config so that communication between
    the heat service and the other internal parts of openstack occurs over
    the internal API endpoint, but a new heat configuration option [1] is set
    which ensures that the keystone endpoint written into server configs
    points to the external API endpoint.

    This should address several long running SSL related failures when self
    signed certificates are used, and allows heat to work correctly when the
    internal and external endpoints are on different networks.

    Change-Id: I533ab16557cb83e2791dbb7267a97fb0d44e9ba6
    Fixes-Bug: 1811086
    Fixes-Bug: 1820591
    Related-Bug: 1824646
    Related-Bug: 1814909
    Depends-On: https://review.opendev.org/688894
    (cherry picked from commit 288634ce0bf042bed614b3f764753d7b65a7170f)

tags: added: in-stable-stein
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible-os_heat (stable/rocky)

Related fix proposed to branch: stable/rocky
Review: https://review.opendev.org/705555

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on openstack-ansible-os_heat (stable/rocky)

Change abandoned by Shannon Mitchell (<email address hidden>) on branch: stable/rocky
Review: https://review.opendev.org/705555
Reason: Submitting a separate bug just for the public/private url fix.

Changed in openstack-ansible:
status: In Progress → Fix Released