openstack commands on the undercloud fail with (Caused by SSLError(PermissionError(13, 'Permission denied'),))

Bug #1788257 reported by Alex Schultz on 2018-08-21
This bug affects 3 people
Affects: tripleo
Importance: Medium
Assigned to: Juan Antonio Osorio Robles

Bug Description

After installing an undercloud on fedora28 and trying to

(undercloud) [stack@node ~]$ openstack endpoint list
Failed to discover available identity versions when contacting https://192.168.24.2:13000/. Attempting to parse version from URL.
Could not find versioned identity endpoints when attempting to authenticate. Please check that your auth_url is correct. SSL exception connecting to https://192.168.24.2:13000/: HTTPSConnectionPool(host='192.168.24.2', port=13000): Max retries exceeded with url: / (Caused by SSLError(PermissionError(13, 'Permission denied'),))

I traced this back to the cm-local-ca.pem file being too restricted.

(undercloud) [stack@undercloud ~]$ ls -al /etc/pki/ca-trust/source/anchors/cm-local-ca.pem
-rw-------. 1 root root 1577 Aug 21 17:46 /etc/pki/ca-trust/source/anchors/cm-local-ca.pem

Workaround:
  sudo chmod a+r /etc/pki/ca-trust/source/anchors/cm-local-ca.pem

Changed in tripleo:
milestone: stein-1 → stein-2
Changed in tripleo:
milestone: stein-2 → stein-3

Fix proposed to branch: master
Review: https://review.openstack.org/631210

Changed in tripleo:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
status: Triaged → In Progress

Reviewed: https://review.openstack.org/631210
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=5d6201f9fc97c525913e1aded8edd85de60ab528
Submitter: Zuul
Branch: master

commit 5d6201f9fc97c525913e1aded8edd85de60ab528
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Wed Jan 16 14:43:54 2019 +0200

    Explicitly set certmonger's CA cert's permissions

    We were relying on the default permissions that were being set by the
    command that extracts the certificate into a PEM file. This wasn't the
    right approach, as it could be too restrictive in some setups.

    Here, we explicitly tell puppet to set the appropriate permissions
    instead.

    Given this is a certificate file, and there's no private key involved,
    we can set it as world readable (0644), as folks in the system need to
    access the file.

    Change-Id: I4b2cb1071e3fd5a1277d54b86822e8fef2df0d78
    Closes-bug: #1788257

Changed in tripleo:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/631512
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=035c834e029cf317ac9bf14011faa7aac28b4a39
Submitter: Zuul
Branch: stable/rocky

commit 035c834e029cf317ac9bf14011faa7aac28b4a39
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Wed Jan 16 14:43:54 2019 +0200

    Explicitly set certmonger's CA cert's permissions

    We were relying on the default permissions that were being set by the
    command that extracts the certificate into a PEM file. This wasn't the
    right approach, as it could be too restrictive in some setups.

    Here, we explicitly tell puppet to set the appropriate permissions
    instead.

    Given this is a certificate file, and there's no private key involved,
    we can set it as world readable (0644), as folks in the system need to
    access the file.

    Change-Id: I4b2cb1071e3fd5a1277d54b86822e8fef2df0d78
    Closes-bug: #1788257
    (cherry picked from commit 5d6201f9fc97c525913e1aded8edd85de60ab528)

tags: added: in-stable-rocky
tags: added: in-stable-queens

Reviewed: https://review.openstack.org/631513
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=dd92d595daabc7d284b3a131cd1ebfe97985120d
Submitter: Zuul
Branch: stable/queens

commit dd92d595daabc7d284b3a131cd1ebfe97985120d
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Wed Jan 16 14:43:54 2019 +0200

    Explicitly set certmonger's CA cert's permissions

    We were relying on the default permissions that were being set by the
    command that extracts the certificate into a PEM file. This wasn't the
    right approach, as it could be too restrictive in some setups.

    Here, we explicitly tell puppet to set the appropriate permissions
    instead.

    Given this is a certificate file, and there's no private key involved,
    we can set it as world readable (0644), as folks in the system need to
    access the file.

    Change-Id: I4b2cb1071e3fd5a1277d54b86822e8fef2df0d78
    Closes-bug: #1788257
    (cherry picked from commit 5d6201f9fc97c525913e1aded8edd85de60ab528)

This issue was fixed in the openstack/puppet-tripleo 8.4.0 release.

This issue was fixed in the openstack/puppet-tripleo 10.3.0 release.

This issue was fixed in the openstack/puppet-tripleo 9.4.0 release.
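
The commit's reasoning (a certificate with no private key can safely be 0644) written as a check to run before applying the chmod workaround. This is an added example, not code from the bug report or from puppet-tripleo; the function names audit_anchor and fix_anchor are hypothetical, and it assumes GNU stat and grep (as on Fedora) and a user who can read the file, such as root.

```shell
#!/bin/sh
# Added example (hypothetical helper names; assumes GNU stat and grep).
# audit_anchor prints one verdict for a CA trust-anchor file:
#   missing | no-access | private-key | not-a-certificate |
#   writable-by-others | unreadable | ok
# and returns 0 only for "ok".
audit_anchor() {
    f=$1
    [ -f "$f" ] || { echo missing; return 1; }
    # The calling user cannot inspect the file at all (run as root instead).
    [ -r "$f" ] || { echo no-access; return 1; }
    # Key material must never be made world-readable.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' -- "$f"; then
        echo private-key; return 1
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' -- "$f"; then
        echo not-a-certificate; return 1
    fi
    mode=$(stat -c '%a' -- "$f")
    # A trust anchor that group or other can rewrite must not be trusted.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo writable-by-others; return 1
    fi
    # The state from the bug report: 0600 root:root, so non-root TLS
    # clients fail with PermissionError when loading the CA file.
    if [ $(( 0$mode & 004 )) -eq 0 ]; then
        echo unreadable; return 1
    fi
    echo ok
}

# fix_anchor sets mode 0644 only when the file is a key-free certificate
# whose sole problem is missing read access; otherwise it changes nothing
# and reports the verdict.
fix_anchor() {
    verdict=$(audit_anchor "$1") || true
    if [ "$verdict" = unreadable ]; then
        chmod 0644 -- "$1" && audit_anchor "$1"
    else
        echo "$verdict"
        [ "$verdict" = ok ]
    fi
}
```

On an affected undercloud, `sudo sh -c '. ./anchor.sh; fix_anchor /etc/pki/ca-trust/source/anchors/cm-local-ca.pem'` would print `ok` after correcting the mode (the script file name is a placeholder).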
