tripleo

Q->R uc upgrade failed: Could not find a suitable TLS CA certificate bundle, invalid path: /etc/ipa/ca.crt

Bug #1785059 reported by Yurii Prokulevych
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
Fix Released
High
Juan Antonio Osorio Robles
tripleo rocky-rc1

Bug Description

Initially reported in https://bugzilla.redhat.com/show_bug.cgi?id=1611569.

Upgrade from non-containerized to containerized uc with custom ssl cert failed:

openstack undercloud upgrade --use-heat -y
...
  "++ awk '$2==\"id\" {print $4}'",
  "Could not find a suitable TLS CA certificate bundle, invalid path: /etc/ipa/ca.crt",
  "+ openstack quota set --cores -1 --instances -1 --ram -1",
  "Could not find a suitable TLS CA certificate bundle, invalid path: /etc/ipa/ca.crt",
  "[2018-08-02 06:29:21,413] (heat-config) [ERROR] Error running /var/lib/heat-config/heat-config-script/1271ec8d-2e40-4054-b3f1-b0ae084d9e89. [1]",

Virtual deployment, undercloud with SSL.
This patch applied before upgrade to use existing ssl cert and not generate new one - https://review.openstack.org/#/c/587370/

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/588245

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-tripleoclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/588246

Changed in tripleo:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
status: New → In Progress
Emilien Macchi (emilienm)
Changed in tripleo:
milestone: none → rocky-rc1
importance: Undecided → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to python-tripleoclient (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/588252

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/588291

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-tripleoclient (master)

Change abandoned by Juan Antonio Osorio Robles (<email address hidden>) on branch: master
Review: https://review.openstack.org/588252

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/588245
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=b633eaf73ae31354b3796beda64ce81a6b841912
Submitter: Zuul
Branch: master

commit b633eaf73ae31354b3796beda64ce81a6b841912
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Aug 2 16:17:52 2018 +0300

    undercloud-post: Discard CA usage if not set

    If there is nothing set for the CA, discard the value. This way we can
    ignore this value when using trusted certificates.

    Change-Id: Ia0085c43fe9468cd1827f6e4ae39f48ce0e398b6
    Related-Bug: #1785059

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-tripleoclient (master)

Reviewed: https://review.openstack.org/588246
Committed: https://git.openstack.org/cgit/openstack/python-tripleoclient/commit/?id=926866ca9f27f1508b2ae3484f5437d540f7c471
Submitter: Zuul
Branch: master

commit 926866ca9f27f1508b2ae3484f5437d540f7c471
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Aug 2 16:38:41 2018 +0300

    undercloud: Disable CA path if user-provided cert is used

    We assume that we're using a trusted cert, so we don't set the CA path.

    Closes-Bug: #1785059
    Depends-On: Ia0085c43fe9468cd1827f6e4ae39f48ce0e398b6
    Change-Id: I5d7f35194f98b2d5c06a417cac75d52ff646def0

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/python-tripleoclient 10.5.0

This issue was fixed in the openstack/python-tripleoclient 10.5.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.