tripleo-ci-centos-9-ovb-3ctlr_1comp-featureset001 failing in verify ssl certificate

Bug #1961056 reported by Arx Cruz
This bug affects 3 people
Affects: tripleo
Status: Fix Released
Importance: Critical
Assigned to: Unassigned

Bug Description

https://logserver.rdoproject.org/09/829509/1/openstack-check/tripleo-ci-centos-9-ovb-3ctlr_1comp-featureset001/bdc28e7/logs/undercloud/home/zuul/overcloud_deploy.log.txt.gz

The SSL certificates are not being verified and so it fails:

2022-02-16 05:47:03 | 2022-02-16 05:47:03.890981 | fa163e09-c78a-2220-12eb-000000001d29 | TASK | Verify SSL certificate
2022-02-16 05:47:04 | 2022-02-16 05:47:04.411141 | fa163e09-c78a-2220-12eb-000000001d29 | FATAL | Verify SSL certificate | overcloud-controller-0 | error={"changed": true, "cmd": "cat << EOF | openssl verify\n-----BEGIN CERTIFICATE-----\nMIIDjzCCAnegAwIBAgIBATANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQGEwJVUzEL\nMAkGA1UECAwCTkMxEDAOBgNVBAcMB1JhbGVpZ2gxEDAOBgNVBAoMB1JlZCBIYXQx\nDTALBgNVBAsMBE9PT1ExEjAQBgNVBAMMCW92ZXJjbG91ZDAeFw0yMjAyMTYxMDI1\nMTRaFw0yMzAyMTYxMDI1MTRaMGAxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEQ\nMA4GA1UEBwwHUmFsZWlnaDEQMA4GA1UECgwHUmVkIEhhdDENMAsGA1UECwwET09P\nUTERMA8GA1UEAwwIMTAuMC4wLjUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\nAoIBAQDqhzuh/ImX49ZNNqXb5pqMZf6DBt/B74B2Bw6VLelxIA3hphj5kbvTDjSs\nrnH301Tr1zCQYikW8P1yf8dWj7gAop4Yh5QxqhTYEY/dFja06/sVUIpijLPwIdvC\n5HXXUVw2TxSXmC5UT7+sOBEqAUiLzksd3wEkVr034Bt5PMFEKEpxHLbmjVLKLUhH\n1SCrzV0DZ/qJGx/iGwzzhvzjhAnSrtPyVQeFWYOXTeOyoYVczF9kdv/+tJGcZewi\ne1a69MyQTPnw3bO/PtTlLDjdXmXrqDcmIC1liIEPo0zA+mSt5uk0o5soF3e5VQcB\nVfA/3LfzleCal7UGJ+xNrat/BhP3AgMBAAGjUzBRMA8GA1UdEQQIMAaHBAoAAAUw\nHQYDVR0OBBYEFIUeiIluYMV3HWj6QtCh4KhPOi5eMB8GA1UdIwQYMBaAFLBvAP+K\nZGR5ddD8kxuwySSIPO4MMA0GCSqGSIb3DQEBCwUAA4IBAQAExzz8MHPu9bljQJ43\nRmj9nc7TQpPaR5QCE6W5Ofz6S0+VsLiNhwNSH1BLn4mNhNALgsoG1S5G05wJzTEM\ny+dq4atX/Pkj1PZKhjjd2MANqobr2a5oqleNnpHfYiJuEKUUhxGz67w/kN/nYjNF\nZ2YP1+lTEIbcgUjcCjx8s0DMHRQH/XxAXu8NPfLCZCGULt4BYitCtzVNkI7g/usa\ntlQ4y47u4uuHxbucfFQiNhVymK+wBSPArteoiDlZFw4b1XxP8/rJ2ZWoylTzqYvL\nkafJD030i15KNUvZV1GdRmKYA4eRNIQQwL8tPVZWluFU575VK1ogQVNi0csn9iQP\nrzsW\n-----END CERTIFICATE-----\n\nEOF\n", "delta": "0:00:00.148396", "end": "2022-02-16 05:47:04.374066", "failed_when_result": true, "msg": "non-zero return code", "rc": 2, "start": "2022-02-16 05:47:04.225670", "stderr": "C = US, ST = NC, L = Raleigh, O = Red Hat, OU = OOOQ, CN = 10.0.0.5\nerror 20 at 0 depth lookup: unable to get local issuer certificate\nerror stdin: verification failed", "stderr_lines": ["C = US, ST = NC, L = Raleigh, O = Red Hat, OU = OOOQ, CN = 10.0.0.5", "error 20 at 0 depth 
lookup: unable to get local issuer certificate", "error stdin: verification failed"], "stdout": "", "stdout_lines": []}

Ronelle Landy (rlandy) wrote :
tags: added: promotion-blocker
Ronelle Landy (rlandy) wrote :
Changed in tripleo:
milestone: none → yoga-2
Alan Pevec (apevec) wrote :

NB OVB 3rd party CI was ignored:
* tripleo-ci-centos-9-ovb-3ctlr_1comp-featureset001 https://review.rdoproject.org/zuul/build/9c6803aa0c784f8f9f640ac21ce3b4cc : FAILURE in 1h 48m 28s
* tripleo-ci-centos-9-ovb-3ctlr_1comp_1supp-featureset039 https://review.rdoproject.org/zuul/build/18dbd4972fd14755ad83fe26d964e55c : FAILURE in 2h 14m 42s

https://review.opendev.org/c/openstack/tripleo-heat-templates/+/827378

David Hill (david-hill-ubisoft) wrote :

I tested in Train with NodeTLSCerts which appears to now be deprecated and removed. This previous CA injection happened in PreNetworkConfig which was before host_prep_steps and step1. I moved this to step1 in master just to confirm if it works through this patch https://review.opendev.org/c/openstack/tripleo-heat-templates/+/829610 ...

Changed in tripleo:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/829610
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/64a19091ab55202e6c37fa083035add2b42e9d5d
Submitter: "Zuul (22348)"
Branch: master

commit 64a19091ab55202e6c37fa083035add2b42e9d5d
Author: David Hill <email address hidden>
Date: Wed Feb 16 16:32:08 2022 -0500

    Run the SSL verification at step2

    Run the SSL verification at step2 instead of host_prep as we need
    to have CACerts injected before being able to validate the SSL
    certificates. It looks like NodeTLSCerts is getting deprecated
    and CI has already moved away from that method.

    Change-Id: I5e3491efd12ad2445a3d77f0907fbb766fe54466
    Closes-bug: #1961056

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 16.0.0

This issue was fixed in the openstack/tripleo-heat-templates 16.0.0 release.
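
The ordering problem named in the fix's commit message, as an added example that is not part of the bug report or of tripleo-heat-templates: `openssl verify` reports error 20 while the issuing CA is absent from the trust store and succeeds once the CA has been injected. The CA, the leaf certificate and `trust-bundle.pem` (a stand-in for the host trust store) are constructed for the demo, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed demo: throwaway CA and leaf certificate, not the certificate from the log.
# trust-bundle.pem is a stand-in for the host trust store that CA injection populates.

make_demo_pki() {   # $1 = work dir; writes ca.crt and a leaf.crt signed by it
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=10.0.0.5" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.crt" 2>/dev/null
}

verify_leaf() {     # $1 = leaf cert, $2 = bundle; empty or missing bundle = CA not injected yet
    if [ -s "$2" ]; then
        openssl verify -CAfile "$2" "$1" 2>&1
    else
        openssl verify "$1" 2>&1     # default trust store only, as in the failing task
    fi
}

run_demo() {
    work=$(mktemp -d) || return 1
    make_demo_pki "$work" || { rm -rf "$work"; return 1; }
    bundle="$work/trust-bundle.pem"
    # Failing order: verification runs before the CA has been injected.
    BEFORE_OUT=$(verify_leaf "$work/leaf.crt" "$bundle") && BEFORE_RC=0 || BEFORE_RC=$?
    # Fixed order: inject the CA first, then run the same verification.
    cat "$work/ca.crt" >> "$bundle"
    AFTER_OUT=$(verify_leaf "$work/leaf.crt" "$bundle") && AFTER_RC=0 || AFTER_RC=$?
    rm -rf "$work"
}

run_demo || exit 1
printf 'before injection: rc=%s\n%s\n' "$BEFORE_RC" "$BEFORE_OUT"
printf 'after injection:  rc=%s\n%s\n' "$AFTER_RC" "$AFTER_OUT"
```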
