tls-everywhere is breaking on missing /etc/pki/CA - rhel8

Bug #1821139 reported by Michele Baldessari
Affects: tripleo
Status: Fix Released
Importance: Medium
Assigned to: Juan Antonio Osorio Robles
Milestone: train-1

Bug Description

       "Warning: Could not get certificate: Execution of '/usr/bin/getcert request -I libvirt-vnc-client-cert -f /etc/pki/libvirt-vnc/client-cert.pem -c IPA -N CN=controller-2.internalapi.redhat.local -K libvirt-vnc/controller-2.internalapi.redhat.local -D controller-2.internalapi.redhat.local -C systemctl reload libvirtd -w -k /etc/pki/libvirt-vnc/client-key.pem -F /etc/pki/CA/certs/vnc.crt' returned 1: Path \"/etc/pki/CA/certs\": No such file or directory.",
        "Error: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Libvirt_vnc[libvirt-vnc-client-cert]/Certmonger_certificate[libvirt-vnc-client-cert]: Could not evaluate: The certificate 'libvirt-vnc-client-cert' wasn't found in the list.",
        "Warning: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Libvirt_vnc[libvirt-vnc-client-cert]/File[/etc/pki/CA/certs/vnc.crt]: Skipping because of failed dependencies",
        "Warning: /Stage[main]/Tripleo::Certmonger::Ca::Libvirt_vnc/File[/etc/pki/libvirt-vnc/ca-cert.pem]: Skipping because of failed dependencies",

I wonder if the following paths are correct:
/usr/share/openstack-tripleo-heat-templates/deployment/nova/nova-libvirt-container-puppet.yaml: default: '/etc/pki/CA/certs/vnc.crt'
/usr/share/openstack-tripleo-heat-templates/deployment/nova/nova-libvirt-container-puppet.yaml: default: '/etc/pki/CA/certs/qemu.pem'
/usr/share/openstack-tripleo-heat-templates/deployment/nova/nova-vnc-proxy-container-puppet.yaml: default: '/etc/pki/CA/certs/vnc.crt'

I do not have the /etc/pki/CA folder in my env

on osp14/rhel7:
# rpm -qf /etc/pki/CA
openssl-1.0.2k-16.el7_6.1.x86_64

./CA
./CA/certs
./CA/certs/vnc.crt
./CA/newcerts
./CA/crl
./CA/crl/overcloud-crl.bin
./CA/crl/overcloud-crl.pem
./CA/private
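
The getcert call above fails before any certificate is requested because certmonger will not create the parent directory of a storage path it is given (-f, -k or -F); the whole TLS-everywhere step then cascades into "Skipping because of failed dependencies". The following pre-flight check is an added example written for this page, not code from the bug report, certmonger or TripleO: it takes the certificate storage paths from the templates quoted above (the /etc/pki/CA/certs and /etc/pki/libvirt-vnc paths are the ones in the report; the ROOT argument is an assumed convenience so the same check can be run against a mounted overcloud image, pass "" for the live root) and reports every path whose directory is absent, with a hint that on CentOS/RHEL 8 /etc/pki/CA is shipped by openssl-perl rather than the base openssl package, as the merged fixes below state.

```shell
#!/bin/sh
# Added example, not part of TripleO or certmonger.
# check_cert_dirs ROOT PATH...
#   For each certificate/key storage PATH, verify that its parent directory
#   exists under ROOT ("" for the real filesystem). Prints one line per
#   missing directory and returns the number of missing paths, so 0 means
#   getcert can be handed every PATH without hitting
#   'Path "...": No such file or directory'.
check_cert_dirs() {
    root=$1
    shift
    missing=0
    for p in "$@"; do
        dir=$(dirname "$p")
        if [ ! -d "${root}${dir}" ]; then
            echo "missing directory for ${p}: ${root}${dir}" >&2
            case "$dir" in
                /etc/pki/CA|/etc/pki/CA/*)
                    # On RHEL7 the rpm -qf in the report shows /etc/pki/CA owned by
                    # openssl; on CentOS/RHEL 8 the fixes add openssl-perl to get it.
                    echo "  hint: install openssl-perl (provides /etc/pki/CA on CentOS/RHEL 8)" >&2
                    ;;
            esac
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# tripleo_default_cert_paths: the storage paths named in the report, i.e. the
# nova-libvirt / nova-vnc-proxy template defaults plus the libvirt-vnc client
# cert and key passed to getcert. Pass the output to check_cert_dirs.
tripleo_default_cert_paths() {
    printf '%s\n' \
        /etc/pki/CA/certs/vnc.crt \
        /etc/pki/CA/certs/qemu.pem \
        /etc/pki/libvirt-vnc/client-cert.pem \
        /etc/pki/libvirt-vnc/client-key.pem
}

# Example invocation against the live root (paths are newline separated, so
# word splitting on the command substitution is intended here):
#   check_cert_dirs "" $(tripleo_default_cert_paths) && echo "all directories present"
```

Run it on a controller before the certmonger step, or with ROOT pointing at a mounted overcloud image, to catch the missing /etc/pki/CA/certs directory up front rather than from the puppet failure chain.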

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/645072

Changed in tripleo:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/645082

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/645083

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-common (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/645498

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-puppet-elements (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/645501

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/645548

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-puppet-elements (master)

Reviewed: https://review.openstack.org/645501
Committed: https://git.openstack.org/cgit/openstack/tripleo-puppet-elements/commit/?id=47f2a759e4569595f3e32676df661fd9f8f559e1
Submitter: Zuul
Branch: master

commit 47f2a759e4569595f3e32676df661fd9f8f559e1
Author: Martin Schuppert <email address hidden>
Date: Fri Mar 22 09:38:29 2019 +0100

    Add openssl-perl to overcloud image to provide /etc/pki/CA in TLS setup

    This directory is no longer available in CentOS 8 with base openssl package.
    Libvirt still has the default to /etc/pki/CA for some TLS settings. Let's add
    openssl-perl to get /etc/pki/CA and keep defaults where possible.

    Change-Id: I8b50a4c79fca19106d752ad50956164a590e8f38
    Related-Bug: #1821139

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/645548
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=b3ce4f00b47522592afae2438c05fa03d7483305
Submitter: Zuul
Branch: master

commit b3ce4f00b47522592afae2438c05fa03d7483305
Author: Martin Schuppert <email address hidden>
Date: Fri Mar 22 12:56:09 2019 +0100

    Make sure openssl-perl is installed on split stack tls-everywhere deployments

    Directory /etc/pki/CA is no longer available in CentOS 8 with base openssl
    package. Libvirt still has the default to /etc/pki/CA for some TLS settings.
    Let's add openssl-perl to get /etc/pki/CA and keep defaults where possible.

    The package gets added to overcloud image and container via:
    https://review.openstack.org/645498
    https://review.openstack.org/645501

    This check is mainly to make sure the package is also installed on
    split stack deployments.

    Change-Id: Id81ad942db6b193ab8b1dad537c65249348714d8
    Related-Bug: #1821139

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-common (master)

Reviewed: https://review.openstack.org/645498
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=388a42774a073220f8d28a722474c75c4e60ed24
Submitter: Zuul
Branch: master

commit 388a42774a073220f8d28a722474c75c4e60ed24
Author: Martin Schuppert <email address hidden>
Date: Fri Mar 22 09:18:59 2019 +0100

    Add openssl-perl to provide /etc/pki/CA in TLS setup

    This directory is no longer available in CentOS 8 with base openssl package.
    Libvirt still has the default to /etc/pki/CA for some TLS settings. Let's add
    openssl-perl to get /etc/pki/CA and keep defaults where possible.

    Change-Id: Ib641ef5a7971a31fbe709e404e0194156ec2aa33
    Related-Bug: #1821139

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/645083
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=e177129e59eace0cbc3bfa638ca9f3d06ca1e68d
Submitter: Zuul
Branch: master

commit e177129e59eace0cbc3bfa638ca9f3d06ca1e68d
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Mar 21 11:22:33 2019 +0200

    Stop creating symlinks for libvirt's CA files

    These were used in baremetal deployments, but are unused in
    containerized deployments. We bind-mount the CA files instead of
    creating symlinks nowadays.

    Change-Id: Ib05f2bc4be9987b222cef78541fe05988cd8c0a4
    Related-Bug: #1821139

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on puppet-tripleo (master)

Change abandoned by Juan Antonio Osorio Robles (<email address hidden>) on branch: master
Review: https://review.openstack.org/645082

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (master)

Change abandoned by Juan Antonio Osorio Robles (<email address hidden>) on branch: master
Review: https://review.openstack.org/645072

Changed in tripleo:
importance: Undecided → Medium
status: In Progress → Fix Released
milestone: none → train-1