Bug
Resolution: Done
Blocker
Committed
Release Note Not Required
Important
As seen in the nova-operator-tempest-multinode-ceph here https://github.com/openstack-k8s-operators/nova-operator/pull/756#issuecomment-2126587619, nova compute fails to connect to rabbitmq with
CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1129) (retrying in 31.0 seconds): ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1129)
so the issue is in here https://github.com/openstack-k8s-operators/edpm-ansible/blob/main/roles/edpm_nova/tasks/install.yml#L3-L15
- this is the log from a successful ca cert check where the name is just nova-custom:
```
TASK [osp.edpm.edpm_nova : Check if ca bundle exists] **************************
task path: /usr/share/ansible/collections/ansible_collections/osp/edpm/roles/edpm_nova/tasks/install.yml:3
ok: [compute-2] => {"changed": false, "stat": {"exists": false}}
ok: [compute-1] => {"changed": false, "stat": {"exists": false}}
ok: [compute-0] => {"changed": false, "stat": {"exists": false}}
TASK [osp.edpm.edpm_nova : Check if nova-custom ca bundle exists] **************
task path: /usr/share/ansible/collections/ansible_collections/osp/edpm/roles/edpm_nova/tasks/install.yml:12
ok: [compute-0] => {"changed": false, "stat": {"atime": 1716448046.6585736, "attr_flags": "", "attributes": [], "block_size": 4096, "blocks": 440, "charset": "utf-8", "checksum": "7cdcca93d9909df82c7162fb1b8905b99b85b833", "ctime": 1716448046.6645737, "dev": 64513, "device_type": 0, "executable": false, "exists": true, "gid": 0, "gr_name": "root", "inode": 117440649, "isblk": false, "ischr": false, "isdir": false, "isfifo": false, "isgid": false, "islnk": false, "isreg": true, "issock": false, "isuid": false, "mimetype": "text/plain", "mode": "0644", "mtime": 1716448046.176562, "nlink": 1, "path": "/var/lib/openstack/cacerts/nova-custom/tls-ca-bundle.pem", "pw_name": "root", "readable": true, "rgrp": true, "roth": true, "rusr": true, "size": 222859, "uid": 0, "version": "1263559275", "wgrp": false, "woth": false, "writeable": false, "wusr": true, "xgrp": false, "xoth": false, "xusr": false}}
ok: [compute-2] => {"changed": false, "stat": {"atime": 1716448044.4068325, "attr_flags": "", "attributes": [], "block_size": 4096, "blocks": 440, "charset": "utf-8", "checksum": "7cdcca93d9909df82c7162fb1b8905b99b85b833", "ctime": 1716448044.4128327, "dev": 64513, "device_type": 0, "executable": false, "exists": true, "gid": 0, "gr_name": "root", "inode": 37769617, "isblk": false, "ischr": false, "isdir": false, "isfifo": false, "isgid": false, "islnk": false, "isreg": true, "issock": false, "isuid": false, "mimetype": "text/plain", "mode": "0644", "mtime": 1716448043.9078195, "nlink": 1, "path": "/var/lib/openstack/cacerts/nova-custom/tls-ca-bundle.pem", "pw_name": "root", "readable": true, "rgrp": true, "roth": true, "rusr": true, "size": 222859, "uid": 0, "version": "2932739606", "wgrp": false, "woth": false, "writeable": false, "wusr": true, "xgrp": false, "xoth": false, "xusr": false}}
ok: [compute-1] => {"changed": false, "stat": {"atime": 1716448045.5315318, "attr_flags": "", "attributes": [], "block_size": 4096, "blocks": 440, "charset": "utf-8", "checksum": "7cdcca93d9909df82c7162fb1b8905b99b85b833", "ctime": 1716448045.538532, "dev": 64513, "device_type": 0, "executable": false, "exists": true, "gid": 0, "gr_name": "root", "inode": 37749969, "isblk": false, "ischr": false, "isdir": false, "isfifo": false, "isgid": false, "islnk": false, "isreg": true, "issock": false, "isuid": false, "mimetype": "text/plain", "mode": "0644", "mtime": 1716448045.0235195, "nlink": 1, "path": "/var/lib/openstack/cacerts/nova-custom/tls-ca-bundle.pem", "pw_name": "root", "readable": true, "rgrp": true, "roth": true, "rusr": true, "size": 222859, "uid": 0, "version": "2701473981", "wgrp": false, "woth": false, "writeable": false, "wusr": true, "xgrp": false, "xoth": false, "xusr": false}}
```
This is successful because the hard-coded path matches `/var/lib/openstack/cacerts/nova-custom/tls-ca-bundle.pem` at https://github.com/openstack-k8s-operators/edpm-ansible/blob/main/roles/edpm_nova/tasks/install.yml#L14

For the failing one, where we have `nova-custom-ceph` as the name, we have:
```
TASK [osp.edpm.edpm_nova : Check if ca bundle exists] **************************
task path: /usr/share/ansible/collections/ansible_collections/osp/edpm/roles/edpm_nova/tasks/install.yml:3
ok: [compute-1] => {"changed": false, "stat": {"exists": false}}
ok: [compute-0] => {"changed": false, "stat": {"exists": false}}
ok: [compute-2] => {"changed": false, "stat": {"exists": false}}
TASK [osp.edpm.edpm_nova : Check if nova-custom ca bundle exists] **************
task path: /usr/share/ansible/collections/ansible_collections/osp/edpm/roles/edpm_nova/tasks/install.yml:12
ok: [compute-1] => {"changed": false, "stat": {"exists": false}}
ok: [compute-2] => {"changed": false, "stat": {"exists": false}}
ok: [compute-0] => {"changed": false, "stat": {"exists": false}}
```
where the paths then do not match `/var/lib/openstack/cacerts/nova-custom-ceph/tls-ca-bundle.pem`.

The first task, `Check if ca bundle exists` https://github.com/openstack-k8s-operators/edpm-ansible/blob/main/roles/edpm_nova/tasks/install.yml#L3, uses `edpm_nova_tls_ca_src_dir` https://github.com/openstack-k8s-operators/edpm-ansible/blob/main/roles/edpm_nova/defaults/main.yml#L46C58-L46C80, which uses `edpm_nova_service_name` and defaults to nova. I am not into the details of the edpm deployment. Should `edpm_nova_service_name` be set to the custom service when running the role, or should `Check if nova-custom ca bundle exists` use the service name in its path?
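
An added example, not part of the original report or of edpm-ansible: a Python check over the role's Ansible output that lists the hosts where every "ca bundle" `stat` task returned `exists: false`, which is the condition in the failing run above. The function names are hypothetical and the two sample logs are constructed, shortened from the runs quoted in the report.

```python
import json
import re

# Colour-code residue such as "[0;32m" / "[0m" (ESC byte optional: pasted logs often lose it).
ANSI = re.compile(r"\x1b?\[\d+(?:;\d+)*m")
TASK = re.compile(r"TASK \[(?P<name>[^\]]+)\] \*+")
RESULT = re.compile(r"\b(?:ok|changed): \[(?P<host>[^\]]+)\] => ")

def ca_bundle_checks(log):
    """Return {host: {task name: stat.exists}} for every task naming a 'ca bundle'."""
    log = ANSI.sub("", log)
    decoder = json.JSONDecoder()
    tasks = list(TASK.finditer(log))
    found = {}
    for i, task in enumerate(tasks):
        if "ca bundle" not in task["name"].lower():
            continue
        end = tasks[i + 1].start() if i + 1 < len(tasks) else len(log)
        for res in RESULT.finditer(log, task.end(), end):
            # raw_decode parses one JSON object and ignores whatever follows it,
            # so it works even when results are run together on one line.
            payload, _ = decoder.raw_decode(log, res.end())
            exists = bool(payload.get("stat", {}).get("exists", False))
            found.setdefault(res["host"], {})[task["name"]] = exists
    return found

def hosts_without_ca_bundle(log):
    """Hosts where no CA bundle candidate was found by any check."""
    return sorted(h for h, c in ca_bundle_checks(log).items() if not any(c.values()))

# Constructed samples, shortened from the two runs quoted in the report.
_MISSING = '{"changed": false, "stat": {"exists": false}}'
_PRESENT = ('{"changed": false, "stat": {"exists": true, "path": '
            '"/var/lib/openstack/cacerts/nova-custom/tls-ca-bundle.pem"}}')

def _sample(second_result):
    hosts = ("compute-0", "compute-1")
    first = " ".join(f"[0;32mok: [{h}] => {_MISSING}[0m" for h in hosts)
    second = " ".join(f"[0;32mok: [{h}] => {second_result}[0m" for h in hosts)
    return ("TASK [osp.edpm.edpm_nova : Check if ca bundle exists] ***** " + first +
            " TASK [osp.edpm.edpm_nova : Check if nova-custom ca bundle exists] ***** " + second)

PASSING_LOG = _sample(_PRESENT)   # service named nova-custom
FAILING_LOG = _sample(_MISSING)   # service named nova-custom-ceph

if __name__ == "__main__":
    print("no CA bundle installed on:", hosts_without_ca_bundle(FAILING_LOG))
```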