commit 58e6913751c88595d997c99cb6d218f07939c7c6
Author: Martin Schuppert <email address hidden>
Date: Tue Jun 1 12:14:13 2021 +0200
[victoria/ussuri/train] Change nbd, vnc and qemu default cacert file
InternalTLSNbdCAFile, InternalTLSVncCAFile and InternalTLSQemuCAFile
do not point to the default IPA ca.crt file and instead are requested
to be loaded to component specific CA files (even if they are the same).
This can lead to a race where the CA cert is not being written by
certmonger in time and the following issue is seen after the 60s timeout:
May 1 16:47:39 puppet-user: Notice: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Libvirt_vnc[libvirt-vnc-server-cert]/Certmonger_certificate[libvirt-vnc-server-cert]/ensure: created
May 1 16:48:40 puppet-user: Error: 'test -f /etc/pki/CA/certs/vnc.crt' returned 1 instead of one of [0]
May 1 16:48:40 puppet-user: Error: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Libvirt_vnc[libvirt-vnc-server-cert]/Exec[/etc/pki/CA/certs/vnc.crt]/returns: change from 'notrun' to ['0'] failed: 'test -f /etc/pki/CA/certs/vnc.crt' returned 1 instead of one of [0]
The problem here is that certmonger doesn't behave in the way that we
expect it to do. When we make the cert request and ask for the ca cert to
be retrieved, it issues the cert and schedules the cert to be returned
asynchronously, even if you specify -w to wait for the cert. -w will block
pending the cert being retrieved, but not for the CA cert.
You can always force the retrieval to happen by restarting certmonger, and
this has helped in some cases in the past, but is a less than ideal
solution.
This is a bug in certmonger IMHO, in that we should expect the CA cert to
be returned synchronously along with the cert if we specify -w.
The BZ for certmonger is unlikely to be fixed anytime soon though, so we
need to look at other options.
Ib868465c20d97c62cbcb214bfc62d949bd6efc62 already changed the default to
use the IPA system cacert file '/etc/ipa/ca.crt' per default starting with
the wallaby release using the ansible role. This change backports to also
use the IPA system cacert file '/etc/ipa/ca.crt' to previous release when
managing the certs via puppet-tripleo.
Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/796651
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/58e6913751c88595d997c99cb6d218f07939c7c6
Submitter: "Zuul (22348)"
Branch: stable/ussuri
Conflicts:
	deployment/nova/nova-vnc-proxy-container-puppet.yaml
Change-Id: I8a00ab81c16b21c9b1f703015a2a2eaa66fd556f
Closes-Bug: #1927201
(cherry picked from commit d54d63285db71cdca4da943094b219bc560286ab)
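A check an operator may want after this change, added here as an example and not part of the commit or of tripleo-heat-templates: the commit message notes that the per-component CA files were copies of the IPA CA "even if they are the same", so before (or after) switching the defaults to /etc/ipa/ca.crt it is useful to confirm that whatever certmonger did write to the old component paths is byte-for-byte the same CA, and to flag files that were never written (the race described above). The script below parses PEM CERTIFICATE blocks, fingerprints the DER bytes with SHA-256, and compares each component file against the IPA CA file. The sample PEM blobs are constructed for the example and are not real X.509 certificates; of the component paths only /etc/pki/CA/certs/vnc.crt appears in the commit message, the others in the usage block are assumptions.

```python
import base64
import hashlib
import re
import sys

# Matches one PEM CERTIFICATE block and captures its base64 body.
_PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_fingerprints(pem_text):
    """Return sorted SHA-256 hex fingerprints of every CERTIFICATE block in pem_text.

    Fingerprinting the decoded DER bytes makes the comparison independent of
    line wrapping, trailing whitespace or the order of certificates in a bundle.
    """
    fingerprints = []
    for body in _PEM_CERT_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return sorted(fingerprints)


def ca_files_match(ipa_ca_pem, component_ca_pem):
    """True when the component file carries exactly the same certificate(s) as the IPA CA file."""
    expected = pem_fingerprints(ipa_ca_pem)
    return bool(expected) and expected == pem_fingerprints(component_ca_pem)


def audit_component_cas(ipa_ca_pem, component_pems):
    """Map each component name to 'ok', 'empty' (no certificate written) or 'mismatch'."""
    expected = pem_fingerprints(ipa_ca_pem)
    report = {}
    for name, pem in component_pems.items():
        found = pem_fingerprints(pem)
        if not found:
            report[name] = "empty"        # the certmonger race: file missing or not yet written
        elif found == expected:
            report[name] = "ok"
        else:
            report[name] = "mismatch"     # a different CA ended up in the component file
    return report


def _constructed_pem(der_bytes):
    """Wrap constructed bytes in PEM armour (layout only; this is NOT a real certificate)."""
    b64 = base64.b64encode(der_bytes).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample inputs standing in for /etc/ipa/ca.crt and the component CA files.
IPA_CA_PEM = _constructed_pem(b"constructed-ipa-ca-der-bytes" * 4)
VNC_CA_PEM = _constructed_pem(b"constructed-ipa-ca-der-bytes" * 4)   # same CA, rewritten by certmonger
QEMU_CA_PEM = _constructed_pem(b"constructed-stale-ca-der" * 4)       # a different CA
NBD_CA_PEM = ""                                                       # never written (the race)

SAMPLE_COMPONENTS = {"vnc": VNC_CA_PEM, "qemu": QEMU_CA_PEM, "nbd": NBD_CA_PEM}


def _read_or_empty(path):
    """Read a file as text; a missing file is reported as empty, matching the race symptom."""
    try:
        with open(path, encoding="ascii") as fh:
            return fh.read()
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    # Usage: python check_ca_files.py [IPA_CA_PATH] [name=path ...]
    # /etc/pki/CA/certs/vnc.crt is from the commit message; the other paths are assumptions.
    ipa_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ipa/ca.crt"
    components = {"vnc": "/etc/pki/CA/certs/vnc.crt"}
    for arg in sys.argv[2:]:
        name, _, path = arg.partition("=")
        components[name] = path
    pems = {name: _read_or_empty(path) for name, path in components.items()}
    for name, status in audit_component_cas(_read_or_empty(ipa_path), pems).items():
        print(f"{name}: {status}")
```

With the constructed inputs the audit reports vnc as ok, qemu as mismatch and nbd as empty; run against a real host it takes the IPA CA path and name=path pairs on the command line.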