c9s: ssh via floating ip fails with openssl-3.0.1-12

Bug #1962507 reported by Takashi Kajinami
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| puppet-openstack-integration | Fix Released | Critical | Unassigned | |

Bug Description

Currently tempest tests are always failing in the CentOS 9 Stream integration job because of a failure with the ssh connection via floating IP.

The same issue was earlier reported in TripleO.

https://bugs.launchpad.net/tripleo/+bug/1962298

description: updated
Changed in puppet-openstack-integration:
importance: Undecided → Critical
Takashi Kajinami (kajinamit) wrote:

It looks like ssh + rsa key doesn't work with the latest openssl,
and it's likely that the issue is related to the recent change to disable SHA1 by default.

https://centos.pkgs.org/9-stream/centos-baseos-x86_64/openssl-3.0.1-12.el9.x86_64.rpm.html

~~~
2022-02-24 - Peter Robinson <email address hidden> - 1:3.0.1-12
- Support KBKDF (NIST SP800-108) with an R value of 8bits
- Resolves: rhbz#2027261

2022-02-23 - Clemens Lang <email address hidden> - 1:3.0.1-11
- Allow SHA1 usage in MGF1 for RSASSA-PSS signatures
- Resolves: rhbz#2031742

2022-02-23 - Dmitry Belyavskiy <email address hidden> - 1:3.0.1-10
- rebuilt

2022-02-22 - Clemens Lang <email address hidden> - 1:3.0.1-9
- Allow SHA1 usage in HMAC in TLS
- Resolves: rhbz#2031742

2022-02-22 - Dmitry Belyavskiy <email address hidden> - 1:3.0.1-8
- OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
- Resolves: rhbz#1977867
- pkcs12 export broken in FIPS mode
- Resolves: rhbz#2049265

2022-02-22 - Clemens Lang <email address hidden> - 1:3.0.1-8
- Disable SHA1 signature creation and verification by default
- Set rh-allow-sha1-signatures = yes to re-enable
- Resolves: rhbz#2031742

2022-02-03 - Sahana Prasad <email address hidden> - 1:3.0.1-7
- s_server: correctly handle 2^14 byte long records
- Resolves: rhbz#2042011

2022-02-01 - Dmitry Belyavskiy <email address hidden> - 1:3.0.1-6
- Adjust FIPS provider version
- Related: rhbz#2026445
~~~

I've tested the ecdsa key and now ssh succeeds during tempest tests.

 https://review.opendev.org/c/openstack/puppet-openstack-integration/+/831322
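
An added example, not part of the original bug report or the project's code: a Python check that reads OpenSSH public key lines and reports keys of the RSA type, which the comment above found failing, so that test fixtures can be moved to ECDSA. The sample key lines are constructed (a valid type header followed by filler bytes), and the function names are this example's own.

```python
import base64

# Per the report: RSA keys failed after the OpenSSL update, ECDSA keys worked.
FAILING_TYPES = {"ssh-rsa"}

def read_string(buf, offset=0):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    length = int.from_bytes(buf[offset:offset + 4], "big")
    end = offset + 4 + length
    if end > len(buf):  # also true when the length field itself is cut short
        raise ValueError("truncated key blob")
    return buf[offset + 4:end], end

def key_type(line):
    """Return the key type, verified against the name embedded in the key blob."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    embedded, _ = read_string(blob)
    if embedded.decode("ascii") != fields[0]:
        raise ValueError("declared type does not match key blob")
    return fields[0]

def audit(text):
    """Return (line_number, finding) for failing-type keys and unparseable lines."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            kind = key_type(line)
        except ValueError as exc:  # includes base64 and ASCII decode errors
            findings.append((number, f"unparseable: {exc}"))
        else:
            if kind in FAILING_TYPES:
                findings.append((number, kind))
    return findings

def sample_line(kind, comment):
    # Constructed sample: correct type header plus filler bytes, not a usable key.
    blob = len(kind).to_bytes(4, "big") + kind.encode() + bytes(16)
    return f"{kind} {base64.b64encode(blob).decode()} {comment}"

SAMPLE = "\n".join([sample_line("ssh-rsa", "ci-rsa"),
                    sample_line("ecdsa-sha2-nistp256", "ci-ecdsa")])

if __name__ == "__main__":
    print(audit(SAMPLE))
```
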

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-openstack-integration (master)
Changed in puppet-openstack-integration:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-openstack-integration (master)

Reviewed: https://review.opendev.org/c/openstack/puppet-openstack-integration/+/831337
Committed: https://opendev.org/openstack/puppet-openstack-integration/commit/01fd062068f21c117c64a668b7ff693c0cb1c2af
Submitter: "Zuul (22348)"
Branch: master

commit 01fd062068f21c117c64a668b7ff693c0cb1c2af
Author: Takashi Kajinami <email address hidden>
Date: Tue Mar 1 14:47:55 2022 +0900

    Use ecdsa key in CentOS 9 Stream

    ... as rsa key no longer works with the latest openssl in CentOS 9
    Stream repo.

    Closes-Bug: #1962507
    Depends-on: https://review.opendev.org/831336
    Change-Id: I7a9a35a263d510301e437e84f7f7c56961977cf5

Changed in puppet-openstack-integration:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-openstack-integration (master)
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-openstack-integration (master)

Reviewed: https://review.opendev.org/c/openstack/puppet-openstack-integration/+/831765
Committed: https://opendev.org/openstack/puppet-openstack-integration/commit/f7ba5e33bbb7fb899e5615cb5da33eedbe6ce70f
Submitter: "Zuul (22348)"
Branch: master

commit f7ba5e33bbb7fb899e5615cb5da33eedbe6ce70f
Author: Takashi Kajinami <email address hidden>
Date: Thu Mar 3 17:06:29 2022 +0000

    Revert "Revert "Make CentOS 9 integration jobs voting""

    This reverts commit 7e2afcda8f498a34519e866f091deacfa5da07f5.

    Reason for revert:
    The broken jobs have been fixed.

    Related-Bug: #1962506
    Related-Bug: #1962507
    Change-Id: Ie8091933acbab967d2f386b4cab52f3716b49c1b

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-openstack-integration (stable/xena)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-openstack-integration (stable/wallaby)
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-openstack-integration (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/puppet-openstack-integration/+/833004
Committed: https://opendev.org/openstack/puppet-openstack-integration/commit/b4c2c9d56aa1e0bc5ca0e9a031a02b598f19349b
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit b4c2c9d56aa1e0bc5ca0e9a031a02b598f19349b
Author: Takashi Kajinami <email address hidden>
Date: Tue Mar 1 14:47:55 2022 +0900

    Use ecdsa key in CentOS 9 Stream

    ... as rsa key no longer works with the latest openssl in CentOS 9
    Stream repo.

    Conflicts:
            manifests/tempest.pp

    Backport note:
    - RDO runs p-o-i scenarios on wallaby branch with CentOS Stream 9. This
      change is backported so that the same manifests can be leveraged in
      RDO CI.

    Closes-Bug: #1962507
    Depends-on: https://review.opendev.org/831782
    Change-Id: I7a9a35a263d510301e437e84f7f7c56961977cf5
    (cherry picked from commit 01fd062068f21c117c64a668b7ff693c0cb1c2af)
    (cherry picked from commit 4d59fa171fa0e4826436f4a46201a0d35eb20d3f)

tags: added: in-stable-wallaby
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-openstack-integration (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/puppet-openstack-integration/+/833002
Committed: https://opendev.org/openstack/puppet-openstack-integration/commit/4d59fa171fa0e4826436f4a46201a0d35eb20d3f
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 4d59fa171fa0e4826436f4a46201a0d35eb20d3f
Author: Takashi Kajinami <email address hidden>
Date: Tue Mar 1 14:47:55 2022 +0900

    Use ecdsa key in CentOS 9 Stream

    ... as rsa key no longer works with the latest openssl in CentOS 9
    Stream repo.

    Conflicts:
            manifests/tempest.pp

    Backport note:
    - RDO runs p-o-i scenarios on xena branch with CentOS Stream 9. This
      change is backported so that the same manifests can be leveraged in
      RDO CI.

    Closes-Bug: #1962507
    Depends-on: https://review.opendev.org/831756
    Change-Id: I7a9a35a263d510301e437e84f7f7c56961977cf5
    (cherry picked from commit 01fd062068f21c117c64a668b7ff693c0cb1c2af)

tags: added: in-stable-xena