apache element SSL cert check fails

Bug #1318767 reported by Trent Geerdes on 2014-05-12
This bug affects 2 people
Affects: tripleo
Importance: Low
Assigned to: Unassigned

Bug Description

On Saucy and Debian, the apache image element's check of the SSL cert fails on every run of os-refresh-config, though it checks out fine when the command is run manually on the node.

dib-run-parts Mon May 12 18:19:45 UTC 2014 Running /opt/stack/os-config-refresh/post-configure.d/15-apache2
+ '[' -f /etc/debian_version ']'
+ openssl_cmd=openssl
+ cert_create_cmd='make-ssl-cert generate-default-snakeoil --force-overwrite'
+ snakeoil_pem_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+ '[' -f /etc/ssl/certs/ssl-cert-snakeoil.pem ']'
+ cert_chk_cmd='openssl x509 -noout -in /etc/ssl/certs/ssl-cert-snakeoil.pem'
+ exit_error=0
++ openssl x509 -noout -in /etc/ssl/certs/ssl-cert-snakeoil.pem
unable to load certificate
140565858223808:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
+ cmd_run=
+ exit_error=1
+ '[' 1 -ne 0 ']'
+ exit_error=0
++ make-ssl-cert generate-default-snakeoil --force-overwrite
+ cmd_run=
+ '[' 0 -eq 0 ']'
+ cmd='a2enmod ssl'
++ a2enmod ssl
+ cmd_run='Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled

root@undercloud-undercloud-3r7avkjrnfzt:/var/log/upstart# openssl x509 -noout -in /etc/ssl/certs/ssl-cert-snakeoil.pem
root@undercloud-undercloud-3r7avkjrnfzt:/var/log/upstart#

Trent Geerdes (trent-geerdes) wrote :

Running the element script as root on the node doesn't trigger the cert failure either.

root@overcloud-controller0-jpialqhpnhjq:~# /opt/stack/os-config-refresh/post-configure.d/15-apache2
+ '[' -f /etc/debian_version ']'
+ openssl_cmd=openssl
+ cert_create_cmd='make-ssl-cert generate-default-snakeoil --force-overwrite'
+ snakeoil_pem_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+ '[' -f /etc/ssl/certs/ssl-cert-snakeoil.pem ']'
+ cert_chk_cmd='openssl x509 -noout -in /etc/ssl/certs/ssl-cert-snakeoil.pem'
+ exit_error=0
++ openssl x509 -noout -in /etc/ssl/certs/ssl-cert-snakeoil.pem
+ cmd_run=
+ '[' 0 -ne 0 ']'
+ '[' 0 -eq 0 ']'
+ cmd='a2enmod ssl'
++ a2enmod ssl
+ cmd_run='Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled'
+ '[' 0 -eq 0 ']'
+ cmd='a2ensite default-ssl'
++ a2ensite default-ssl
+ cmd_run='Site default-ssl already enabled'
+ '[' 0 -ne 0 ']'
+ '[' -f /etc/debian_version ']'
+ service apache2 reload
[ ok ] Reloading web server: apache2.

description: updated
Adam Vinsh (adam-vinsh) wrote :

Reproduced on my system as well. File appears to be empty before this section runs.

dib-run-parts Thu May 15 18:08:49 UTC 2014 Running /opt/stack/os-config-refresh/post-configure.d/15-apache2
+ echo adam
adam
+ ls -lh /etc/ssl/certs/ssl-cert-snakeoil.pem
-rw-r--r-- 1 root root 0 May 15 18:08 /etc/ssl/certs/ssl-cert-snakeoil.pem
+ cat /etc/ssl/certs/ssl-cert-snakeoil.pem
+ who
heat-admin pts/21 2014-05-15 17:36 (192.168.122.1)
heat-admin pts/22 2014-05-15 17:51 (192.168.122.1)

So it fails to verify.. and regenerates.

Adam Vinsh (adam-vinsh) wrote :

os-apply-config seems to be zeroing the file out on every run

root@overcloud-controller0-dmzu4svfkdxo:~# ls -lh /etc/ssl/certs/ssl-cert-snakeoil.pem
-rw-r--r-- 1 root root 0 May 15 18:12 /etc/ssl/certs/ssl-cert-snakeoil.pem
root@overcloud-controller0-dmzu4svfkdxo:~# make-ssl-cert generate-default-snakeoil --force-overwrite
root@overcloud-controller0-dmzu4svfkdxo:~# ls -lh /etc/ssl/certs/ssl-cert-snakeoil.pem
-rw-r--r-- 1 root root 1.1K May 15 18:12 /etc/ssl/certs/ssl-cert-snakeoil.pem
root@overcloud-controller0-dmzu4svfkdxo:~# os-apply-config
[2014/05/15 06:12:45 PM] [INFO] writing /etc/neutron/neutron.conf
[2014/05/15 06:12:45 PM] [INFO] writing /mnt/state/var/lib/rabbitmq/.erlang.cookie
[2014/05/15 06:12:45 PM] [INFO] writing /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
[2014/05/15 06:12:45 PM] [INFO] writing /etc/glance/glance-cache.conf
[2014/05/15 06:12:45 PM] [INFO] writing /mnt/state/etc/mysql/static-dbusers.json
[2014/05/15 06:12:45 PM] [INFO] writing /mnt/state/etc/mysql/conf.d/README
[2014/05/15 06:12:45 PM] [INFO] writing /etc/nova/nova.conf
[2014/05/15 06:12:45 PM] [INFO] writing /etc/ssl/private/ssl-cert-snakeoil.key
[2014/05/15 06:12:45 PM] [INFO] writing /mnt/state/etc/mysql/my.cnf
[2014/05/15 06:12:45 PM] [INFO] writing /etc/neutron/plugins/ml2/ml2_conf.ini
[2014/05/15 06:12:45 PM] [INFO] writing /etc/rabbitmq/rabbitmq.config
[2014/05/15 06:12:45 PM] [INFO] writing /etc/os-collect-config.conf
[2014/05/15 06:12:45 PM] [INFO] writing /etc/neutron/metadata_agent.ini
[2014/05/15 06:12:45 PM] [INFO] writing /etc/neutron/dnsmasq/dnsmasq-neutron.conf
[2014/05/15 06:12:45 PM] [INFO] writing /etc/cinder/shares.txt
[2014/05/15 06:12:45 PM] [INFO] writing /etc/neutron/dhcp_agent.ini
[2014/05/15 06:12:45 PM] [INFO] writing /etc/heat/heat.conf
[2014/05/15 06:12:45 PM] [INFO] writing /mnt/state/root/metadata.my.cnf
[2014/05/15 06:12:45 PM] [INFO] writing /etc/ntp.conf
[2014/05/15 06:12:45 PM] [INFO] writing /mnt/state/etc/mysql/conf.d/cluster.cnf
[2014/05/15 06:12:45 PM] [INFO] writing /etc/ssl/certs/ssl-cert-snakeoil.pem
[2014/05/15 06:12:45 PM] [INFO] writing /etc/keystone/keystone.conf
[2014/05/15 06:12:45 PM] [INFO] writing /etc/swift/account-server.conf
[2014/05/15 06:12:45 PM] [INFO] writing /etc/glance/glance-scrubber.conf
[2014/05/15 06:12:45 PM] [INFO] writing /etc/default/snmpd
[2014/05/15 06:12:45 PM] [INFO] writing /etc/glance/glance-registry.conf
[2014/05/15 06:12:45 PM] [INFO] writing /etc/horizon/.secret_key_store
[2014/05/15 06:12:45 PM] [INFO] writing /etc/glance/glance-api.conf
[2014/05/15 06:12:45 PM] [INFO] writing /etc/swift/object-server.conf
[2014/05/15 06:12:45 PM] [INFO] writing /etc/cinder/cinder.conf
[2014/05/15 06:12:45 PM] [INFO] writing /etc/snmp/snmpd.conf
[2014/05/15 06:12:45 PM] [INFO] writing /etc/rsyncd.conf
[2014/05/15 06:12:45 PM] [INFO] writing /etc/swift/proxy-server.conf
[2014/05/15 06:12:45 PM] [INFO] writing /etc/neutron/rootwrap.conf
[2014/05/15 06:12:45 PM] [INFO] writing /root/stackrc
[2014/05/15 06:12:45 PM] [INFO] writing /etc/rabbitmq/heat_password_handle
[2014/05/15 06:12:45 PM] [INFO] writing /mnt/state/etc/mysql/debian.cnf
[2014/05/15 06:12:45 PM] [INFO] writing /mnt/state/etc/...


Trent Geerdes (trent-geerdes) wrote :

os-apply-config is creating a zero byte cert file on each run.

apache2/os-apply-config/etc/ssl/certs/ssl-cert-snakeoil.pem
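
An added example, not part of the bug thread or the tripleo element: a shell check that tells the zero-byte file described above apart from a missing or malformed certificate, so the truncation is reported rather than masked by regenerating on every run. The function names and the `investigate` outcome are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a PEM certificate file before deciding whether to
# regenerate it. Function names and outcomes are hypothetical.

# pem_state FILE -> prints: missing | empty | no-start-line | has-cert
pem_state() {
    f=$1
    if [ ! -e "$f" ]; then
        echo missing
    elif [ ! -s "$f" ]; then
        # Exists with zero bytes: something truncated or templated over it.
        echo empty
    elif ! grep -q -e '-----BEGIN \(TRUSTED \)\{0,1\}CERTIFICATE-----' "$f"; then
        # The condition openssl reports as "no start line".
        echo no-start-line
    else
        echo has-cert
    fi
}

# cert_action FILE -> prints: keep | regenerate | investigate
cert_action() {
    case $(pem_state "$1") in
        missing|no-start-line)
            echo regenerate ;;
        empty)
            # Regenerating here hides whatever keeps emptying the file and
            # changes the certificate on every run, so flag it instead.
            echo investigate ;;
        has-cert)
            # Full parse only when openssl is installed; otherwise the
            # structural check above is all this example relies on.
            if command -v openssl >/dev/null 2>&1 &&
               ! openssl x509 -noout -in "$1" >/dev/null 2>&1; then
                echo regenerate
            else
                echo keep
            fi ;;
    esac
}

# Stand-alone use: sh thisfile /etc/ssl/certs/ssl-cert-snakeoil.pem
if [ $# -gt 0 ]; then
    cert_action "$1"
fi
```
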

Trent Geerdes (trent-geerdes) wrote :

We aren't supplying one via heat, so is the intended behavior to recreate the cert every time os-refresh-config runs?

Steve Kowalik (stevenk) on 2014-05-29
Changed in tripleo:
status: New → Confirmed
importance: Undecided → High
Brent Eagles (beagles) on 2016-05-27
Changed in tripleo:
importance: High → Low
Brent Eagles (beagles) wrote :

I'm setting this to incomplete as this might be a duplicate of https://bugs.launchpad.net/tripleo/+bug/1318761 and has already been addressed. Debian support is also not being actively worked on.

Changed in tripleo:
status: Confirmed → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for tripleo because there has been no activity for 60 days.]

Changed in tripleo:
status: Incomplete → Expired