zaqar websocket SSL cert name is hardcoded

Bug #1817634 reported by Mike Bayer
This bug affects 2 people
Affects Status Importance Assigned to Milestone
tripleo
Fix Released
High
Juan Antonio Osorio Robles

Bug Description

In bug 1791970 / https://review.openstack.org/#/c/601677/ the path to the CA cert used by zaqar is hardcoded to /etc/pki/ca-trust/source/anchors/cm-local-ca.pem. This conflicts with the use case when one is using the "undercloud_service_certificate" parameter in undercloud.conf, which seemingly should set up a different path for this. I'm observing the use of this parameter when using infrared to generate an RDO undercloud.

Per https://docs.openstack.org/tripleo-docs/latest/install/advanced_deployment/ssl.html, "However, it is possible to not use certmonger’s local CA.". When I use infrared to make an undercloud, it creates a new self-signed CA defaulting to /etc/pki/ca-trust/source/anchors/undercloud-cacert.pem; this code is at https://github.com/redhat-openstack/infrared/blob/master/plugins/tripleo-undercloud/tasks/ssl.yml#L32 . Then it sets "undercloud_service_certificate = /etc/pki/instack-certs/undercloud.pem" in undercloud.conf and deploys the undercloud, following the instructions in https://docs.openstack.org/tripleo-docs/latest/install/advanced_deployment/ssl.html.

However, when I go to introspect nodes, I get the stack trace described in bug 1791970:

Could not establish a connection to the Zaqar websocket. The command was sent but the answer could not be read.
# ...
 File "/usr/lib64/python2.7/ssl.py", line 831, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)

To repair this, I just copy the undercloud-cacert.pem on top of the cm-local-ca.pem file:

[root@undercloud-0 ~]# cd /etc/pki/ca-trust/source/anchors/
[root@undercloud-0 anchors]# ls
cm-local-ca.pem undercloud-cacert.pem
[root@undercloud-0 anchors]# cp cm-local-ca.pem cm-local-ca.pem.saved
[root@undercloud-0 anchors]# cp undercloud-cacert.pem cm-local-ca.pem
cp: overwrite ‘cm-local-ca.pem’? y

I'm not sure how this should work, if tripleo is doing the wrong thing or if infrared is, but it seems one side or the other needs to be changed.

Changed in tripleo:
status: New → Triaged
importance: Undecided → High
milestone: none → stein-3
Revision history for this message
Emilien Macchi (emilienm) wrote :

It seems like a new parameter undercloud_service_ca_certificate should be created to allow an operator to change the CA cert path (here infrared).

Revision history for this message
Juan Antonio Osorio Robles (juan-osorio-robles) wrote :

That path should come from OS_CACERT, and not be hardcoded.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-tripleoclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/642374

Changed in tripleo:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-tripleoclient (master)

Reviewed: https://review.openstack.org/642374
Committed: https://git.openstack.org/cgit/openstack/python-tripleoclient/commit/?id=24ac1f137c7bf03b4e6310d65344374695498d89
Submitter: Zuul
Branch: master

commit 24ac1f137c7bf03b4e6310d65344374695498d89
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Mon Mar 11 09:53:06 2019 +0200

    Use OS_CACERT for zaqar's websocket connection

    The CA certificate was hardcoded. This was not the right thing to do,
    since we do have the ability to provide our own cert for TripleO.

    python-openstackclient already has a way for us to know what certificate
    was used. This is provided via the OS_CACERT environment variable (or
    the --os-cacert command line argument). So we use this instead.

    Change-Id: Ib7b3860378fce2cda7f80c1ad8b8dd14a4b22581
    Closes-Bug: #1817634

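As an added illustration of the resolution order the commit message describes (this is example code, not python-tripleoclient's own implementation from the linked review), the CA bundle for the Zaqar websocket is taken from --os-cacert, then OS_CACERT, and only then from the system trust store, instead of the hardcoded cm-local-ca.pem path; the function names resolve_cacert and build_ssl_context are assumed here.

```python
import os
import ssl

# Constructed example. The hardcoded path is the one quoted in the bug report;
# it is kept only to show what the fix moves away from.
HARDCODED_CA = "/etc/pki/ca-trust/source/anchors/cm-local-ca.pem"


def resolve_cacert(cli_cacert=None, env=None):
    """Return the CA bundle path used to verify the Zaqar websocket.

    Precedence mirrors python-openstackclient: the --os-cacert argument
    wins, then the OS_CACERT environment variable. None means "use the
    system trust store", which is also what an operator gets when they
    deployed with a CA that is already in /etc/pki/ca-trust.
    """
    env = os.environ if env is None else env
    if cli_cacert:
        return cli_cacert
    return env.get("OS_CACERT") or None


def build_ssl_context(cacert):
    """Build a verifying TLS context for the wss:// connection.

    A missing bundle raises instead of silently falling back to another
    file: a silent fallback is exactly how the hardcoded path produced an
    opaque CERTIFICATE_VERIFY_FAILED with a different CA in use.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    if cacert:
        if not os.path.isfile(cacert):
            raise FileNotFoundError(
                "CA bundle %s (from --os-cacert/OS_CACERT) does not exist"
                % cacert)
        ctx.load_verify_locations(cafile=cacert)
    return ctx


def verify_failure_hint(cacert):
    """Text to attach to an SSLError so the operator sees which CA was
    actually used, rather than guessing between cm-local-ca.pem and
    undercloud-cacert.pem as in the report above."""
    used = cacert or "system trust store"
    return ("certificate verify failed against %s; check that OS_CACERT "
            "points at the CA that signed undercloud_service_certificate"
            % used)
```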
Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/python-tripleoclient 11.4.0

This issue was fixed in the openstack/python-tripleoclient 11.4.0 release.

Revision history for this message
Tal Liron (emblem-parade) wrote :

How can I install it in InfraRed? I tried "--from-source name=openstack/python-tripleoclient" but am getting Delorean build errors.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-tripleoclient (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/655626

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-tripleoclient (stable/rocky)

Reviewed: https://review.opendev.org/655626
Committed: https://git.openstack.org/cgit/openstack/python-tripleoclient/commit/?id=ba03c5e11a76c96837652bac294b0ddf4ea68782
Submitter: Zuul
Branch: stable/rocky

commit ba03c5e11a76c96837652bac294b0ddf4ea68782
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Mon Mar 11 09:53:06 2019 +0200

    Use OS_CACERT for zaqar's websocket connection

    The CA certificate was hardcoded. This was not the right thing to do,
    since we do have the ability to provide our own cert for TripleO.

    python-openstackclient already has a way for us to know what certificate
    was used. This is provided via the OS_CACERT environment variable (or
    the --os-cacert command line argument). So we use this instead.

    Change-Id: Ib7b3860378fce2cda7f80c1ad8b8dd14a4b22581
    Closes-Bug: #1817634
    (cherry picked from commit 24ac1f137c7bf03b4e6310d65344374695498d89)

tags: added: in-stable-rocky
tags: added: queens-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-tripleoclient (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/664279

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-tripleoclient (stable/queens)

Reviewed: https://review.opendev.org/664279
Committed: https://git.openstack.org/cgit/openstack/python-tripleoclient/commit/?id=d38a5c1dc73838bcce044fa79206906dbc999155
Submitter: Zuul
Branch: stable/queens

commit d38a5c1dc73838bcce044fa79206906dbc999155
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Mon Mar 11 09:53:06 2019 +0200

    Use OS_CACERT for zaqar's websocket connection

    The CA certificate was hardcoded. This was not the right thing to do,
    since we do have the ability to provide our own cert for TripleO.

    python-openstackclient already has a way for us to know what certificate
    was used. This is provided via the OS_CACERT environment variable (or
    the --os-cacert command line argument). So we use this instead.

    Change-Id: Ib7b3860378fce2cda7f80c1ad8b8dd14a4b22581
    Closes-Bug: #1817634
    (cherry picked from commit 24ac1f137c7bf03b4e6310d65344374695498d89)

tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/python-tripleoclient 10.7.0

This issue was fixed in the openstack/python-tripleoclient 10.7.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/python-tripleoclient 9.3.0

This issue was fixed in the openstack/python-tripleoclient 9.3.0 release.
