Bug
Resolution: Unresolved
Major
openstack-tripleo-heat-templates-14.3.1-17.1.20251104171908.e7c7ce3.el9osttrunk
rhos-connectivity-neutron
Important
When certmonger is renewing the ovs ssl certificates, it's not restarting the ovn_controller which breaks communication with ovsdbs:
2025-10-21 14:07:46.405 42 INFO ovsdbapp.backend.ovs_idl.vlog [-] ssl:10.10.10.10:6642: connected
2025-10-21 14:07:46.406 42 ERROR ovsdbapp.backend.ovs_idl.connection [-] [('SSL routines', 'ssl3_read_bytes', 'sslv3 alert certificate expired')]: OpenSSL.SSL.Error: [('SSL routines', 'ssl3_read_bytes', 'sslv3 alert certificate expired')]
2025-10-21 14:07:46.406 42 ERROR ovsdbapp.backend.ovs_idl.connection Traceback (most recent call last):
2025-10-21 14:07:46.406 42 ERROR ovsdbapp.backend.ovs_idl.connection File "/usr/lib/python3.6/site-packages/ovsdbapp/backend/ovs_idl/connection.py", line 106, in run
2025-10-21 14:07:46.406 42 ERROR ovsdbapp.backend.ovs_idl.connection self.idl.run()
2025-10-21 14:07:46.406 42 ERROR ovsdbapp.backend.ovs_idl.connection File "/usr/lib64/python3.6/site-packages/ovs/db/idl.py", line 263, in run
2025-10-21 14:07:46.406 42 ERROR ovsdbapp.backend.ovs_idl.connection msg = self._session.recv()
2025-10-21 14:07:46.406 42 ERROR ovsdbapp.backend.ovs_idl.connection File "/usr/lib64/python3.6/site-packages/ovs/jsonrpc.py", line 572, in recv
2025-10-21 14:07:46.406 42 ERROR ovsdbapp.backend.ovs_idl.connection error, msg = self.rpc.recv()
2025-10-21 14:07:46.406 42 ERROR ovsdbapp.backend.ovs_idl.connection File "/usr/lib64/python3.6/site-packages/ovs/jsonrpc.py", line 267, in recv
2025-10-21 14:07:46.406 42 ERROR ovsdbapp.backend.ovs_idl.connection error, data = self.stream.recv(4096)
2025-10-21 14:07:46.406 42 ERROR ovsdbapp.backend.ovs_idl.connection File "/usr/lib64/python3.6/site-packages/ovs/stream.py", line 821, in recv
2025-10-21 14:07:46.406 42 ERROR ovsdbapp.backend.ovs_idl.connection return super(SSLStream, self).recv(n)
2025-10-21 14:07:46.406 42 ERROR ovsdbapp.backend.ovs_idl.connection File "/usr/lib64/python3.6/site-packages/ovs/stream.py", line 335, in recv
2025-10-21 14:07:46.406 42 ERROR ovsdbapp.backend.ovs_idl.connection return (0, self.socket.recv(n))
2025-10-21 14:07:46.406 42 ERROR ovsdbapp.backend.ovs_idl.connection File "/usr/lib/python3.6/site-packages/OpenSSL/SSL.py", line 1791, in recv
2025-10-21 14:07:46.406 42 ERROR ovsdbapp.backend.ovs_idl.connection self._raise_ssl_error(self._ssl, result)
2025-10-21 14:07:46.406 42 ERROR ovsdbapp.backend.ovs_idl.connection File "/usr/lib/python3.6/site-packages/OpenSSL/SSL.py", line 1647, in _raise_ssl_error
2025-10-21 14:07:46.406 42 ERROR ovsdbapp.backend.ovs_idl.connection _raise_current_error()
2025-10-21 14:07:46.406 42 ERROR ovsdbapp.backend.ovs_idl.connection File "/usr/lib/python3.6/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
2025-10-21 14:07:46.406 42 ERROR ovsdbapp.backend.ovs_idl.connection raise exception_type(errors)
2025-10-21 14:07:46.406 42 ERROR ovsdbapp.backend.ovs_idl.connection OpenSSL.SSL.Error: [('SSL routines', 'ssl3_read_bytes', 'sslv3 alert certificate expired')]
2025-10-21 14:07:46.406 42 ERROR ovsdbapp.backend.ovs_idl.connection
2025-10-21 14:07:46.407 42 INFO ovsdbapp.backend.ovs_idl.vlog [-] ssl:10.10.10.10:6642: connection closed by peer
This affects both 17.1 and 16.2 ... It's the same as 2215996 – "It looks like ovn-controllers are not restarted when certificates are renewed", which had "Restart ovn_controller and ovn_metadata on cert renew" (885533, Gerrit Code Review) and "Restarts the OVN controller after the certificates are renewed." (896127, Gerrit Code Review) to address it; all were closed without fixes.
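A detection sketch for the symptom in the log excerpt above, added here as an example and not part of the ticket or of any OpenStack code: it correlates each "certificate expired" TLS alert with the endpoint the same process had just connected to, so affected OVSDB endpoints can be listed from agent logs. The function name and the sample log are constructed for illustration.

```python
import re
from collections import defaultdict

# oslo.log layout used in the excerpt: "<timestamp> <pid> <LEVEL> <logger> [ctx] <message>"
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<pid>\d+) (?P<level>[A-Z]+) "
    r"(?P<logger>\S+) (?:\[[^\]]*\] )?(?P<msg>.*)$")
VLOG = re.compile(r"^(?P<ep>ssl:\S+:\d+): (?P<event>connected|connection closed by peer)$")
EXPIRED_ALERT = "alert certificate expired"  # TLS alert read from the peer

def find_expired_cert_sessions(log_text):
    """Map endpoint -> [(connected_ts, closed_ts)] for sessions ended by that alert.

    ERROR lines carry no endpoint, so each one is attributed to the endpoint
    the same pid most recently reported as "connected".
    """
    open_sessions = {}  # pid -> [endpoint, connected_ts, saw_alert]
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        v = VLOG.match(msg)
        if v and v["event"] == "connected":
            open_sessions[pid] = [v["ep"], m["ts"], False]
        elif v:  # "connection closed by peer"
            sess = open_sessions.pop(pid, None)
            if sess and sess[0] == v["ep"] and sess[2]:
                hits[sess[0]].append((sess[1], m["ts"]))
        elif m["level"] == "ERROR" and EXPIRED_ALERT in msg and pid in open_sessions:
            open_sessions[pid][2] = True
    return dict(hits)

# Constructed sample in the ticket's log format (tracebacks omitted, pid 57 is healthy).
SAMPLE_LOG = """\
2025-10-21 14:07:46.405 42 INFO ovsdbapp.backend.ovs_idl.vlog [-] ssl:10.10.10.10:6642: connected
2025-10-21 14:07:46.406 42 ERROR ovsdbapp.backend.ovs_idl.connection [-] [('SSL routines', 'ssl3_read_bytes', 'sslv3 alert certificate expired')]: OpenSSL.SSL.Error
2025-10-21 14:07:46.407 42 INFO ovsdbapp.backend.ovs_idl.vlog [-] ssl:10.10.10.10:6642: connection closed by peer
2025-10-21 14:07:47.100 57 INFO ovsdbapp.backend.ovs_idl.vlog [-] ssl:192.0.2.20:6641: connected
2025-10-21 14:07:48.410 42 INFO ovsdbapp.backend.ovs_idl.vlog [-] ssl:10.10.10.10:6642: connected
2025-10-21 14:07:48.411 42 ERROR ovsdbapp.backend.ovs_idl.connection [-] [('SSL routines', 'ssl3_read_bytes', 'sslv3 alert certificate expired')]: OpenSSL.SSL.Error
2025-10-21 14:07:48.412 42 INFO ovsdbapp.backend.ovs_idl.vlog [-] ssl:10.10.10.10:6642: connection closed by peer
2025-10-21 14:09:00.000 57 INFO ovsdbapp.backend.ovs_idl.vlog [-] ssl:192.0.2.20:6641: connection closed by peer
"""
```

Repeated connect, alert, close cycles against the same endpoint after a certmonger renewal are the pattern to alert on; a single close without the alert (pid 57 in the sample) is not reported.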
- is related to: OSPRH-21337 Identify if we need to restart ovn dbs when certmonger is renewing the ovs ssl certificates (Backlog)