Bug 1684334 - Enabling SSL/TLS everywhere won't work properly renewing certificates using containerize environment
Status: CLOSED DUPLICATE of bug 1595876
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-tripleo
Version: 13.0 (Queens)
Hardware: All
OS: All
high
medium
Target Milestone: ---
Assignee: RHOS Maint
QA Contact: nlevinki
Reported: 2019-03-01 01:37 UTC by Alberto Gonzalez
Modified: 2019-03-01 05:43 UTC (History)
Last Closed: 2019-03-01 05:43:10 UTC

Description Alberto Gonzalez 2019-03-01 01:37:09 UTC
Description of problem:

After installation of OSP13 using TLS/SSL everywhere, I can see the "post-save command" for the certificates is not properly configured for containers.

Request ID 'mysql':
	post-save command: "systemctl reload mariadb"
Request ID 'rabbitmq':
	post-save command: "systemctl restart rabbitmq-server"
Request ID 'redis':
	post-save command: 
Request ID 'neutron':
	post-save command: "true"
Request ID 'novnc-proxy':
	post-save command: "systemctl restart openstack-nova-novncproxy"
Request ID 'httpd-ctlplane':
	post-save command: "systemctl reload httpd"
Request ID 'httpd-external':
	post-save command: "systemctl reload httpd"
Request ID 'httpd-internal_api':
	post-save command: "systemctl reload httpd"
Request ID 'httpd-management':
	post-save command: "systemctl reload httpd"
Request ID 'httpd-storage':
	post-save command: "systemctl reload httpd"
Request ID 'httpd-storage_mgmt':
	post-save command: "systemctl reload httpd"
Request ID 'libvirt-vnc-client-cert':
	post-save command: "systemctl reload libvirtd"
Request ID 'haproxy-ctlplane-cert':
	post-save command: "cat /etc/pki/tls/certs/haproxy/overcloud-haproxy-ctlplane.crt  /etc/pki/tls/private/haproxy/overcloud-haproxy-ctlplane.key > /etc/pki/tls/certs/haproxy/overcloud-haproxy-ctlplane.pem && if systemctl -q is-active haproxy; then systemctl reload haproxy; else true; fi"
Request ID 'haproxy-internal_api-cert':
	post-save command: "cat /etc/pki/tls/certs/haproxy/overcloud-haproxy-internal_api.crt  /etc/pki/tls/private/haproxy/overcloud-haproxy-internal_api.key > /etc/pki/tls/certs/haproxy/overcloud-haproxy-internal_api.pem && if systemctl -q is-active haproxy; then systemctl reload haproxy; else true; fi"
Request ID 'haproxy-storage-cert':
	post-save command: "cat /etc/pki/tls/certs/haproxy/overcloud-haproxy-storage.crt  /etc/pki/tls/private/haproxy/overcloud-haproxy-storage.key > /etc/pki/tls/certs/haproxy/overcloud-haproxy-storage.pem && if systemctl -q is-active haproxy; then systemctl reload haproxy; else true; fi"
Request ID 'haproxy-storage_mgmt-cert':
	post-save command: "cat /etc/pki/tls/certs/haproxy/overcloud-haproxy-storage_mgmt.crt  /etc/pki/tls/private/haproxy/overcloud-haproxy-storage_mgmt.key > /etc/pki/tls/certs/haproxy/overcloud-haproxy-storage_mgmt.pem && if systemctl -q is-active haproxy; then systemctl reload haproxy; else true; fi"

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Install OSP13 using template /environments/ssl/tls-everywhere-endpoints-dns.yaml
2. Connect to one of the controllers
3. Run sudo getcert list

Actual results:

Post-save commands will reload systemctl service


Expected results:

Post-save commands will restart docker container (i.e. haproxy-bundle-docker-0)


Additional info:

Comment 1 Alberto Gonzalez 2019-03-01 02:12:52 UTC
I see some commits related here:
https://github.com/openstack/puppet-tripleo/commit/bd9846062c22be898d8720d1ee4ffbb65808fc8f

Is there any plan to include it in any errata?

Comment 2 Juan Antonio Osorio 2019-03-01 05:43:10 UTC

*** This bug has been marked as a duplicate of bug 1595876 ***
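
A way to check a controller for the condition described in the report, as an added example that is not part of the original bug thread: the function reads `getcert list` output and lists the request IDs whose post-save command only calls `systemctl` or does nothing. The embedded input is constructed (the `example-container` entry is hypothetical), and treating a command that mentions `docker` as container-aware is an assumption.

```shell
#!/bin/sh
# Added example: audit getcert tracking entries for post-save commands
# that cannot reach a containerized service.

# Reads `getcert list` output on stdin and prints "<request-id>TAB<finding>":
#   host-systemd-only  the command calls systemctl and never mentions docker
#                      (assumption: a container-aware command names docker)
#   no-op              the command is empty or just "true"
audit_post_save() {
    awk -v q="'" '
        # A line such as: Request ID <quote>mysql<quote>: opens a new entry.
        /^Request ID / {
            split($0, parts, q)
            id = parts[2]
            next
        }
        /^[[:space:]]*post-save command:/ {
            cmd = $0
            sub(/^[[:space:]]*post-save command:[[:space:]]*/, "", cmd)
            gsub(/^"|"$/, "", cmd)   # drop the surrounding double quotes
            if (cmd == "" || cmd == "true")
                print id "\tno-op"
            else if (cmd ~ /systemctl/ && cmd !~ /docker/)
                print id "\thost-systemd-only"
        }
    '
}

# Constructed sample in the format shown in the report.
sample_getcert_output() {
    cat <<'EOF'
Request ID 'mysql':
    post-save command: "systemctl reload mariadb"
Request ID 'redis':
    post-save command:
Request ID 'neutron':
    post-save command: "true"
Request ID 'example-container':
    post-save command: "docker restart example-container"
EOF
}

sample_getcert_output | audit_post_save
```

On a controller, pipe the real output into the function instead: `sudo getcert list | audit_post_save`.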

