zaqar websocket SSL cert name is hardcoded

Bug #1817634 reported by Mike Bayer on 2019-02-25
Affects: tripleo
Importance: High
Assigned to: Juan Antonio Osorio Robles

Bug Description

In bug 1791970 / https://review.openstack.org/#/c/601677/ the path to the CA cert used by zaqar is hardcoded to /etc/pki/ca-trust/source/anchors/cm-local-ca.pem. This conflicts with the use case when one is using the "undercloud_service_certificate" parameter in undercloud.conf, which seemingly should set up a different path for this. I'm observing the use of this parameter when using infrared to generate an RDO undercloud.

Per https://docs.openstack.org/tripleo-docs/latest/install/advanced_deployment/ssl.html, "However, it is possible to not use certmonger’s local CA.". When I use infrared to make an undercloud, it creates a new self-signed CA defaulting to /etc/pki/ca-trust/source/anchors/undercloud-cacert.pem; this code is at https://github.com/redhat-openstack/infrared/blob/master/plugins/tripleo-undercloud/tasks/ssl.yml#L32 . Then it sets "undercloud_service_certificate = /etc/pki/instack-certs/undercloud.pem" in undercloud.conf and deploys the undercloud, following the instructions in https://docs.openstack.org/tripleo-docs/latest/install/advanced_deployment/ssl.html.

However, when I go to introspect nodes, I get the stack trace described in bug 1791970:

Could not establish a connection to the Zaqar websocket. The command was sent but the answer could not be read.
# ...
 File "/usr/lib64/python2.7/ssl.py", line 831, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)

To repair this, I just copy the undercloud-cacert.pem on top of the cm-local-ca.pem file:

[root@undercloud-0 ~]# cd /etc/pki/ca-trust/source/anchors/
[root@undercloud-0 anchors]# ls
cm-local-ca.pem undercloud-cacert.pem
[root@undercloud-0 anchors]# cp cm-local-ca.pem cm-local-ca.pem.saved
[root@undercloud-0 anchors]# cp undercloud-cacert.pem cm-local-ca.pem
cp: overwrite ‘cm-local-ca.pem’? y

I'm not sure how this should work, if tripleo is doing the wrong thing or if infrared is, but it seems one side or the other needs to be changed.

Changed in tripleo:
status: New → Triaged
importance: Undecided → High
milestone: none → stein-3
Emilien Macchi (emilienm) wrote:

It seems like a new parameter undercloud_service_ca_certificate should be created to allow an operator to change the CA cert path (here infrared).

That path should come from OS_CACERT; and not be hardcoded.

Fix proposed to branch: master
Review: https://review.openstack.org/642374

Changed in tripleo:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
status: Triaged → In Progress

Reviewed: https://review.openstack.org/642374
Committed: https://git.openstack.org/cgit/openstack/python-tripleoclient/commit/?id=24ac1f137c7bf03b4e6310d65344374695498d89
Submitter: Zuul
Branch: master

commit 24ac1f137c7bf03b4e6310d65344374695498d89
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Mon Mar 11 09:53:06 2019 +0200

    Use OS_CACERT for zaqar's websocket connection

    The CA certificate was hardcoded. This was not the right thing to do,
    since we do have the ability to provide our own cert for TripleO.

    python-openstackclient already has a way for us to know what certificate
    was used. This is provided via the OS_CACERT environment variable (or
    the --os-cacert command line argument). So we use this instead.

    Change-Id: Ib7b3860378fce2cda7f80c1ad8b8dd14a4b22581
    Closes-Bug: #1817634

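The resolution order the commit describes, written out as an added example (not tripleoclient's own code): the CA bundle comes from --os-cacert or OS_CACERT and only falls back to the certmonger path the old code hardcoded. That --os-cacert takes precedence over OS_CACERT is assumed from python-openstackclient's usual command-line-over-environment rule.

```python
import argparse
import os
import ssl

# Path the pre-fix tripleoclient hardcoded (quoted from the bug report).
CERTMONGER_LOCAL_CA = "/etc/pki/ca-trust/source/anchors/cm-local-ca.pem"


def resolve_cacert(argv, environ):
    """Return the CA bundle path for the zaqar websocket.

    Assumed precedence: --os-cacert on the command line, then the
    OS_CACERT environment variable, then the certmonger default.
    Unrelated arguments are ignored rather than rejected.
    """
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("--os-cacert", default=None)
    args, _unknown = parser.parse_known_args(argv)
    if args.os_cacert:
        return args.os_cacert
    env_cacert = environ.get("OS_CACERT")
    if env_cacert:
        return env_cacert
    return CERTMONGER_LOCAL_CA


def build_ssl_context(cacert):
    """Build a verifying TLS context from the resolved CA bundle.

    The operator's own CA is trusted, but hostname checking stays on so
    the certificate must still name the undercloud host. A missing
    bundle is a configuration error and is reported, never turned into
    an unverified connection.
    """
    if not os.path.isfile(cacert):
        raise FileNotFoundError(
            "CA bundle %s not found; check --os-cacert or OS_CACERT"
            % cacert)
    ctx = ssl.create_default_context(cafile=cacert)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```

With infrared's layout, OS_CACERT=/etc/pki/ca-trust/source/anchors/undercloud-cacert.pem in the stackrc makes the websocket trust the same CA as the rest of the clients, with no file copying over cm-local-ca.pem.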
Changed in tripleo:
status: In Progress → Fix Released

This issue was fixed in the openstack/python-tripleoclient 11.4.0 release.
