On queens tls-everywhere FS039 fails because the certs fail to retrieve [1]:
Mar 19 13:49:03 overcloud-controller-0.ooo.test puppet-user[25012]: Could not get certificate: Execution of '/usr/bin/getcert request -I mysql -f /etc/pki/tls/certs/mysql.crt -c IPA -N CN=overcloud.internalapi.ooo.test -K mysql/overcloud.internalapi.ooo.test -D overcloud.internalapi.ooo.test -D overcloud-controller-0.internalapi.ooo.test -C systemctl reload mariadb -w -k /etc/pki/tls/private/mysql.key' returned 3: New signing request "mysql" added.
Mar 19 13:49:03 overcloud-controller-0.ooo.test puppet-user[25012]: (/Stage[main]/Tripleo::Certmonger::Mysql/Certmonger_certificate[mysql]) Could not evaluate: Could not get certificate: Server at https://ipa.ooo.test/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Could not resolve host: ipa.ooo.test; Unknown error).
When we check resolv.conf, we see that the IPA server is not set as the DNS server [2]:
; generated by /usr/sbin/dhclient-script
search ooo.test
nameserver 8.8.8.8
nameserver 8.8.4.4
Note: it's set in resolv.conf.save.gz
It's also set in zuul/network-environment.yaml [3], but we don't add that parameter file in the overcloud-deploy.sh. Should this be added to https://github.com/openstack/tripleo-quickstart/blob/master/config/general_config/featureset039.yml#L56 ?
[1] http://logs.rdoproject.org/48/644548/1/openstack-check/tripleo-ci-centos-7-ovb-3ctlr_1comp_1supp-featureset039/7761330/logs/overcloud-controller-0/var/log/journal.txt.gz
[2] http://logs.rdoproject.org/48/644548/1/openstack-check/tripleo-ci-centos-7-ovb-3ctlr_1comp_1supp-featureset039/7761330/logs/overcloud-controller-0/etc/resolv.conf.txt.gz
[3] http://logs.rdoproject.org/48/644548/1/openstack-check/tripleo-ci-centos-7-ovb-3ctlr_1comp_1supp-featureset039/7761330/logs/undercloud/home/zuul/network-environment.yaml.txt.gz
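
A triage sketch for the failure described in this report, added here as an example and not taken from the report or from TripleO: it pairs certmonger "Could not resolve host" errors in the journal with the nameservers that resolv.conf actually puts in effect. The sample inputs are constructed from the lines quoted above, and IPA_DNS is a placeholder address, since the report does not give the IPA server's IP.

```python
import re

# Constructed sample input: the journal line and resolv.conf quoted in the report.
JOURNAL = """\
Mar 19 13:49:03 overcloud-controller-0.ooo.test puppet-user[25012]: (/Stage[main]/Tripleo::Certmonger::Mysql/Certmonger_certificate[mysql]) Could not evaluate: Could not get certificate: Server at https://ipa.ooo.test/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Could not resolve host: ipa.ooo.test; Unknown error).
"""
RESOLV_CONF = """\
; generated by /usr/sbin/dhclient-script
search ooo.test
nameserver 8.8.8.8
nameserver 8.8.4.4
"""
IPA_DNS = "192.0.2.10"  # assumption: placeholder (TEST-NET-1), not a value from the report
MAXNS = 3               # glibc only consults the first three nameserver entries

def nameservers(resolv_text):
    """Return nameserver addresses in file order, skipping ';' and '#' comment lines."""
    servers = []
    for line in resolv_text.splitlines():
        if line.startswith((";", "#")):
            continue
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

CERT_RE = re.compile(r"Certmonger_certificate\[(?P<cert>[^\]]+)\].*?"
                     r"Could not resolve host: (?P<host>[^;\s]+)")

def dns_cert_failures(journal_text):
    """Map certmonger request nickname -> CA host name that failed to resolve."""
    matches = map(CERT_RE.search, journal_text.splitlines())
    return {m["cert"]: m["host"] for m in matches if m}

def triage(journal_text, resolv_text, ipa_dns):
    """One finding per failed certificate when the IPA DNS server is not in effect."""
    effective = nameservers(resolv_text)[:MAXNS]
    if ipa_dns in effective:
        return []
    return [f"{cert}: cannot resolve {host}; {ipa_dns} not among effective nameservers {effective}"
            for cert, host in sorted(dns_cert_failures(journal_text).items())]

if __name__ == "__main__":
    for finding in triage(JOURNAL, RESOLV_CONF, IPA_DNS):
        print(finding)
```
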
Marking incomplete due to TLS support on queens.