-
Bug
-
Resolution: Unresolved
-
rhos-ops-day1day2-edpm
-
Important
certmonger fails to properly renew the undercloud self-signed certificate. Manually running the post-save command returns the following error when copying the /etc/pki/tls/private/overcloud_endpoint.pem:
[root@undercloud tmp]# bash -x haproxy-external-cert-6dc0da8.sh
+ cp /etc/pki/tls/certs/haproxy-external-cert.crt /etc/pki/tls/certs/haproxy/overcloud-haproxy-external.crt
+ cp /etc/pki/tls/private/haproxy-external-cert.key /etc/pki/tls/private/haproxy/overcloud-haproxy-external.key
+ ca_type=self-sign
+ '[' self-sign = self-sign ']'
+ ca_pem=/etc/pki/ca-trust/source/anchors/cm-local-ca.pem
+ openssl pkcs12 -in /var/lib/certmonger/local/creds -out /etc/pki/ca-trust/source/anchors/cm-local-ca.pem -nokeys -nodes -passin pass:
+ chmod 0644 /etc/pki/ca-trust/source/anchors/cm-local-ca.pem
+ update-ca-trust extract
+ test -e /etc/pki/ca-trust/source/anchors/cm-local-ca.pem
+ openssl x509 -checkend 0 -noout -in /etc/pki/ca-trust/source/anchors/cm-local-ca.pem
Certificate will not expire
+ openssl x509 -in /etc/pki/ca-trust/source/anchors/cm-local-ca.pem -out /tmp/cm-local-ca.pem
+ ca_path=/tmp/cm-local-ca.pem
+ service_crt=/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.crt
+ service_key=/etc/pki/tls/private/haproxy/overcloud-haproxy-external.key
+ service_pem=/etc/pki/tls/private/overcloud_endpoint.pem
+ cat /etc/pki/tls/certs/haproxy/overcloud-haproxy-external.crt /tmp/cm-local-ca.pem /etc/pki/tls/private/haproxy/overcloud-haproxy-external.key
++ podman ps '--format={{.Names}}'
++ grep -w -E 'haproxy(-bundle-.*-[0-9]+)?'
+ container_name=haproxy
+ echo haproxy
+ grep -q '^haproxy-bundle'
+ podman cp /etc/pki/tls/private/overcloud_endpoint.pem haproxy:/var/lib/kolla/config_files/src-tls//etc/pki/tls/private/overcloud_endpoint.pem
Error: 2 errors occurred:
    * copying to container: copier: put: error creating "/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/overcloud_endpoint.pem": copier: put: error removing item to be overwritten "/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/overcloud_endpoint.pem": unlinkat /var/lib/kolla/config_files/src-tls/etc/pki/tls/private/overcloud_endpoint.pem: device or resource busy
    * copying from host: copier: get: "/etc/pki/tls/private/overcloud_endpoint.pem": copying /etc/pki/tls/private/overcloud_endpoint.pem: io: read/write on closed pipe
+ podman exec haproxy cp /var/lib/kolla/config_files/src-tls/etc/pki/tls/private/overcloud_endpoint.pem /etc/pki/tls/private/overcloud_endpoint.pem
+ podman exec haproxy chown haproxy:haproxy /etc/pki/tls/private/overcloud_endpoint.pem
+ podman kill --signal HUP haproxy
We had a bunch of customers hitting the issue where undercloud commands start failing when one of the certificates expired, and this was documented here: https://access.redhat.com/solutions/7098494
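In the trace above the script keeps going after `podman cp` fails: it still runs the in-container `cp` and sends HUP to haproxy. The following is an added example, not part of the original report or of the post-save script, that scans a `bash -x` trace for that pattern; the function names `sample_trace` and `scan_postsave_trace` are hypothetical and the sample input is constructed (abridged from the trace in this report).

```bash
#!/usr/bin/env bash
# Added example: find the first failed step in a `bash -x` trace of the
# post-save script and report whether haproxy was still signalled afterwards.

# Constructed sample input, abridged from the trace in this report.
sample_trace() {
    cat <<'EOF'
+ service_pem=/etc/pki/tls/private/overcloud_endpoint.pem
+ container_name=haproxy
+ podman cp /etc/pki/tls/private/overcloud_endpoint.pem haproxy:/var/lib/kolla/config_files/src-tls//etc/pki/tls/private/overcloud_endpoint.pem
Error: 2 errors occurred:
    * copying to container: copier: put: error removing item to be overwritten: unlinkat /var/lib/kolla/config_files/src-tls/etc/pki/tls/private/overcloud_endpoint.pem: device or resource busy
+ podman exec haproxy cp /var/lib/kolla/config_files/src-tls/etc/pki/tls/private/overcloud_endpoint.pem /etc/pki/tls/private/overcloud_endpoint.pem
+ podman kill --signal HUP haproxy
EOF
}

# Reads a trace on stdin (e.g. `bash -x <post-save script> 2>&1`).
# Returns 0 if no step printed "Error:", 1 otherwise.
scan_postsave_trace() {
    awk '
        # xtrace lines start with one or more "+" followed by a space
        /^[+]+ / {
            if (failed != "" && $0 ~ /podman kill --signal HUP/) reloaded = 1
            last = $0
            next
        }
        # the first "Error:" is attributed to the last traced command
        /^Error:/ { if (failed == "") failed = last }
        /device or resource busy/ { busy = 1 }
        END {
            if (failed == "") { print "OK: no failed step in trace"; exit 0 }
            sub(/^[+]+ /, "", failed)
            print "FAILED STEP: " failed
            if (busy) print "DETAIL: destination could not be replaced (device or resource busy)"
            if (reloaded) print "RISK: haproxy was sent HUP after the failure and may still serve the old certificate"
            exit 1
        }
    '
}

# Stand-alone run on the constructed sample (non-zero status is expected here).
sample_trace | scan_postsave_trace || true
```

A non-zero return with a `RISK:` line means the renewed PEM on the host should be compared with the one inside the haproxy container before assuming the renewal took effect.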