[TLS Everywhere] Syntax error in 15-horizon_ssl_vhost.conf SSLVerifyClient: Invalid argument 'true'

Bug #1904731 reported by Grzegorz Grasza
Affects | Status | Importance | Assigned to | Milestone
tripleo | Fix Released | High | Grzegorz Grasza |

Bug Description

Description
===========
"Manage container systemd services and cleanup old systemd healthchecks for /var/lib/tripleo-config/container-startup-config/step_3" task fails with
"Service horizon has not started yet" on master.

Steps to reproduce
==================

Install or upgrade TripleO with TLS Everywhere enabled.

Expected result
===============

Deployment is successful.

Actual result
=============

Deployment fails with:

2020-11-17 15:19:34,314 p=14394 u=stack n=ansible | 2020-11-17 15:19:34.312912 | fa163ea7-b5c6-33ba-c416-0000000047e8 | FATAL | Manage container systemd services and cleanup old systemd healthchecks for /var/lib/tripleo-config/container-startup-config/step_3 | controller-0 | error={"changed": false, "msg": "Service horizon has not started yet"}

Environment
===========

This happened to me when doing a re-deploy on master.

Logs & Configs
==============

On further inspection, heat container fails with:
2020-11-17T15:19:39.277731792+00:00 stderr F + exec /usr/sbin/httpd -DFOREGROUND
2020-11-17T15:19:39.306252757+00:00 stderr F AH00526: Syntax error on line 37 of /etc/httpd/conf.d/15-horizon_ssl_vhost.conf:
2020-11-17T15:19:39.306252757+00:00 stderr F SSLVerifyClient: Invalid argument 'true'

/var/lib/config-data/puppet-generated/horizon/etc/httpd/conf.d/15-horizon_ssl_vhost.conf
contains the error, which is configured in horizon-container-puppet.yaml:
horizon::ssl_verify_client: true

As per documentation, this should be one of none, optional, require or optional_no_ca:

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#SSLVerifyClient
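
Added example (not part of the original report or of TripleO's code): a pre-deployment check that scans a rendered vhost file for SSLVerifyClient arguments outside the four documented values, which would have caught the boolean `true` before httpd refused to start. The sample vhost, its address and host name are constructed, and `lint_ssl_verify_client` is a hypothetical helper name.

```python
import re
import sys

# Values the mod_ssl documentation lists for SSLVerifyClient (as quoted in the report).
ALLOWED = {"none", "optional", "require", "optional_no_ca"}

# httpd directive names are case-insensitive; the argument may be quoted.
DIRECTIVE = re.compile(r"^\s*SSLVerifyClient\b[ \t]*(.*?)\s*$", re.IGNORECASE)


def lint_ssl_verify_client(conf_text, filename="<conf>"):
    """Return (filename, line_no, value) for each SSLVerifyClient with a bad argument.

    Deliberately strict: only the four documented spellings pass, and a
    directive with no argument is reported with an empty value.
    """
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        if raw.lstrip().startswith("#"):  # whole-line comment, not parsed by httpd
            continue
        match = DIRECTIVE.match(raw)
        if not match:
            continue
        value = match.group(1).strip("\"'")
        if value not in ALLOWED:
            findings.append((filename, line_no, value))
    return findings


# Constructed sample reproducing the failure mode from the report: a boolean
# rendered into the vhost where a keyword is expected.
SAMPLE_VHOST = """\
<VirtualHost 192.0.2.10:443>
  ServerName overcloud.example.test
  SSLEngine on
  # SSLVerifyClient true   (commented out, ignored)
  SSLVerifyClient true
</VirtualHost>
"""
# Constructed "after" sample; "optional" is just one of the documented values,
# not necessarily the one the fix chose.
FIXED_VHOST = SAMPLE_VHOST.replace("SSLVerifyClient true\n", "SSLVerifyClient optional\n")

if __name__ == "__main__":
    # With file arguments, lint those files; without, lint the constructed sample.
    inputs = [(p, open(p).read()) for p in sys.argv[1:]] or [("sample.conf", SAMPLE_VHOST)]
    bad = [f for name, text in inputs for f in lint_ssl_verify_client(text, name)]
    for name, line_no, value in bad:
        print(f"{name}:{line_no}: SSLVerifyClient has invalid argument {value!r}")
    sys.exit(1 if bad else 0)
```

Run against the files under the puppet-generated config directory before the container start step, the non-zero exit status can gate the deployment.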

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.opendev.org/763172

Changed in tripleo:
assignee: nobody → Grzegorz Grasza (xek)
status: New → In Progress
Grzegorz Grasza (xek) wrote :

It looks like the bug was introduced in https://review.opendev.org/#/c/758032/ so the fix should be backported to all of the releases it was cherry-picked to.

summary: - TLS Everywhere Syntax error 15-horizon_ssl_vhost.conf SSLVerifyClient:
- Invalid argument 'true'
+ [TLS Everywhere] Syntax error in 15-horizon_ssl_vhost.conf
+ SSLVerifyClient: Invalid argument 'true'
Grzegorz Grasza (xek) wrote :

In t-h-t it was introduced in https://review.opendev.org/#/c/759285/

There is a "revert" of this patch, which doesn't really revert it:
https://review.opendev.org/#/c/759772/

Changed in tripleo:
milestone: none → wallaby-rc1
importance: Undecided → High
tags: added: queens-backport-potential train-backport-potential ussuri-backport-potential victoria-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/763172
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/d476a31a08687ec3203027441af2e09973be0e94
Submitter: Zuul
Branch: master

commit d476a31a08687ec3203027441af2e09973be0e94
Author: Grzegorz Grasza <email address hidden>
Date: Wed Nov 18 13:34:54 2020 +0100

    Fix the value of ssl_verify_client

    As per documentation, this should be one of
    none, optional, require or optional_no_ca:

    https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#SSLVerifyClient

    Change-Id: Ia586151169e7f359a2a58a33b4ac9526d0113679
    Closes-bug: #1904731

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/763495

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 14.0.0

This issue was fixed in the openstack/tripleo-heat-templates 14.0.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 13.2.0

This issue was fixed in the openstack/tripleo-heat-templates 13.2.0 release.
