Renewing overcloud SSL certificate fails

Bug #1629886 reported by Marius Cornea
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Juan Antonio Osorio Robles

Bug Description

Description of problem:
Renewing overcloud SSL certificate fails

How reproducible:
100%

Steps to Reproduce:
1. Deploy SSL enabled overcloud with pacemaker
2. Regenerate SSL certificate/key and update the undercloud system store
3. Deploy overcloud with updated certificate and key

Actual results:
Deployment finishes but certificate validation fails when calling keystone api:

SSL exception connecting to https://172.16.18.25:13000/v2.0/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

Expected results:
The keystone api succeeds as the undercloud certificate store has been updated with the new certificate.

Additional info:
After doing pcs resource restart haproxy on one of the controllers the connection is successful so it seems we're missing a haproxy reload step when the certificate is updated.
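A way to confirm that every endpoint is actually presenting the renewed certificate before treating the rollout as done, written as an added example for this report (not code from tripleo-heat-templates or the reporter); it assumes the keystone endpoint from the error above and a placeholder path for the renewed PEM on the undercloud.

```python
# Added example for bug #1629886, not tripleo-heat-templates code: compare the
# SHA-256 fingerprint of the certificate each TLS endpoint actually presents
# with that of the renewed PEM, so a stale HAProxy is caught early.
import hashlib
import socket
import ssl

# Constructed placeholders: the keystone endpoint from the report and a
# hypothetical path to the renewed certificate on the undercloud.
ENDPOINTS = [("172.16.18.25", 13000)]
RENEWED_CERT_PEM = "/path/to/overcloud-renewed.pem"  # placeholder


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_pem(pem_text: str) -> str:
    """Fingerprint of the certificate that should now be served."""
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem_text))


def served_certificate(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Leaf certificate an endpoint presents, fetched without validation.

    Validation is off on purpose: we want to see what HAProxy hands out
    even when it is the old certificate. No request is sent afterwards.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def stale_endpoints(observed: dict, expected_fp: str) -> list:
    """Endpoints whose served fingerprint differs from the renewed one."""
    return sorted(ep for ep, fp in observed.items() if fp != expected_fp)


def check_rollout(endpoints, pem_path: str) -> list:
    """Return the endpoints still serving the old certificate."""
    with open(pem_path) as f:
        expected = fingerprint_pem(f.read())
    observed = {f"{h}:{p}": fingerprint_der(served_certificate(h, p))
                for h, p in endpoints}
    return stale_endpoints(observed, expected)
```

Run from the undercloud after step 3; any endpoint `check_rollout` returns is one where HAProxy has not picked up the new certificate and still needs the reload.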

Changed in tripleo:
milestone: none → newton-rc3
importance: Undecided → Critical
importance: Critical → High
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/381136

Changed in tripleo:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/381136
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=b74b6793d28beb67d63eb1eafa9ed36ed4e92335
Submitter: Jenkins
Branch: master

commit b74b6793d28beb67d63eb1eafa9ed36ed4e92335
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Mon Oct 3 16:56:21 2016 +0300

    reload HAProxy config in HA setups when certificate is updated

    When updating a certificate for HAProxy, we only do a reload of the
    configuration on non-HA setups. This means that if we try the same in
    an HA setup, the cloud will still serve the old certificate and that
    leads to several issues, such as serving a revoked or even a
    compromised certificate for some time, or just SSL issues that the
    certificate doesn't match. This enables a reload for HA cases too.

    Change-Id: Ib8ca2fe91be345ef4324fc8265c45df8108add7a
    Closes-Bug: #1629886

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/381374

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/newton)

Reviewed: https://review.openstack.org/381374
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=bb555cf3fe05e630ca037ccbc1fc85a303e36ef3
Submitter: Jenkins
Branch: stable/newton

commit bb555cf3fe05e630ca037ccbc1fc85a303e36ef3
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Mon Oct 3 16:56:21 2016 +0300

    reload HAProxy config in HA setups when certificate is updated

    When updating a certificate for HAProxy, we only do a reload of the
    configuration on non-HA setups. This means that if we try the same in
    an HA setup, the cloud will still serve the old certificate and that
    leads to several issues, such as serving a revoked or even a
    compromised certificate for some time, or just SSL issues that the
    certificate doesn't match. This enables a reload for HA cases too.

    Change-Id: Ib8ca2fe91be345ef4324fc8265c45df8108add7a
    Closes-Bug: #1629886
    (cherry picked from commit b74b6793d28beb67d63eb1eafa9ed36ed4e92335)

tags: added: in-stable-newton
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 5.0.0.0rc3

This issue was fixed in the openstack/tripleo-heat-templates 5.0.0.0rc3 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 5.0.0

This issue was fixed in the openstack/tripleo-heat-templates 5.0.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 6.0.0.0b1

This issue was fixed in the openstack/tripleo-heat-templates 6.0.0.0b1 development milestone.
