tripleo

Standalone with ipa server jobs is failing with "Error: Evaluation Error: Error while evaluating a Function Call, The ssl_verify_client parameter is required when setting ssl_ca"

Bug #1900947 reported by Sandeep Yadav
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
Fix Released
Critical
Takashi Kajinami
tripleo victoria-rc1 "tripleo-victoria-rc1"

Bug Description

Description:

periodic-tripleo-ci-centos-8-standalone-on-multinode-ipa-master is failing with "Error: Evaluation Error: Error while evaluating a Function Call, The ssl_verify_client parameter is required when setting ssl_ca" from 20th Oct.

Build history:
https://review.rdoproject.org/zuul/builds?job_name=periodic-tripleo-ci-centos-8-standalone-on-multinode-ipa-master

Example: 1
https://logserver.rdoproject.org/openstack-periodic-integration-main/opendev.org/openstack/tripleo-ci/master/periodic-tripleo-ci-centos-8-standalone-on-multinode-ipa-master/69f9165/logs/undercloud/home/zuul/standalone_deploy.log.txt.gz

~~~
[ERROR]: Container(s) which finished with wrong return code: ['container-
puppet-horizon']
~~~

https://logserver.rdoproject.org/openstack-periodic-integration-main/opendev.org/openstack/tripleo-ci/master/periodic-tripleo-ci-centos-8-standalone-on-multinode-ipa-master/69f9165/logs/undercloud/var/log/extra/podman/containers/container-puppet-horizon/stdout.log.txt.gz

~~~
<13>Oct 22 02:29:36 puppet-user: Error: Evaluation Error: Error while evaluating a Function Call, The ssl_verify_client parameter is required when setting ssl_ca (file: /etc/puppet/modules/horizon/manifests/wsgi/apache.pp, line: 187, column: 7) on node standalone-0.ooo.test
+ rc=1
+ '[' false = false ']'
+ set +x
~~~

Another Example:-

https://logserver.rdoproject.org/openstack-periodic-integration-main/opendev.org/openstack/tripleo-ci/master/periodic-tripleo-ci-centos-8-standalone-on-multinode-ipa-master/8ac4a55/logs/undercloud/var/log/extra/podman/containers/container-puppet-horizon/stdout.log.txt.gz

~~~
<13>Oct 20 02:26:11 puppet-user: Error: Evaluation Error: Error while evaluating a Function Call, The ssl_verify_client parameter is required when setting ssl_ca (file: /etc/puppet/modules/horizon/manifests/wsgi/apache.pp, line: 187, column: 7) on node standalone-0.ooo.test
+ rc=1
+ '[' false = false ']'
+ set +x
~~~

Revision history for this message
Sandeep Yadav (sandeepyadav93) wrote :

Looks like it started after merge of https://review.opendev.org/#/c/758032/.

Revision history for this message
Sagi (Sergey) Shnaidman (sshnaidm) wrote :

Seems like it's broken by https://review.opendev.org/#/c/758041/ Rename horizon_* ssl params to ssl_*

Revision history for this message
Sagi (Sergey) Shnaidman (sshnaidm) wrote :

Patches to fix:
 https://review.opendev.org/#/c/759143/ - Update horizon manifest to use new ssl variable names
 https://review.opendev.org/#/c/759144/ - Use the appropriate name for horizon ssl ca parameter

Changed in tripleo:
status: Triaged → In Progress
assignee: nobody → Lance Bragstad (lbragstad)
Revision history for this message
Takashi Kajinami (kajinamit) wrote :

I think the cause is not that one but this one.

https://review.opendev.org/#/c/758032/

Revision history for this message
Takashi Kajinami (kajinamit) wrote :

Sorry I remembered these patches incorrectly.
So the problem would be that https://review.opendev.org/#/c/758041/ made ssl_verify_client mandatory when ssl_ca is set. The reason of this change is described in https://review.opendev.org/#/c/758032/ .

I think we need to add ssl_verify_client in tht.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.opendev.org/759285

Changed in tripleo:
assignee: Lance Bragstad (lbragstad) → Takashi Kajinami (kajinamit)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/759285
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=132c0b1e792084664920fc8ac6c984cb4d1b823d
Submitter: Zuul
Branch: master

commit 132c0b1e792084664920fc8ac6c984cb4d1b823d
Author: Takashi Kajinami <email address hidden>
Date: Fri Oct 23 00:42:34 2020 +0900

    Add ssl_verify_client parameter for horizon

    The recent change in puppet-horizon[1] made the ssl_verify_client
    parameter mandatory when ssl_ca is set. This patch makes sure that
    the ssl_verify_client parameter is set properly.

    In addition, internal tls cert is not valid when internal tls is not
    enabled. This patch also addresses that point, and make ssl_ca is set
    only when needed.

    [1] https://review.opendev.org/#/c/758041/6

    Closes-Bug: #1900947
    Change-Id: I286f69b8d3775d7538685e799f092ce47b5d75a7

Changed in tripleo:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.