Can't update (to) custom pre-generated SSL certificate in post-install

Bug #1657703 reported by Andres Toomsalu
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Fuel for OpenStack | Confirmed | High | Stanislaw Bogatkin | |
| Mitaka | Confirmed | High | Stanislaw Bogatkin | |
| Newton | Confirmed | High | Stanislaw Bogatkin | |

Nominated for Ocata by Stanislaw Bogatkin

Bug Description

We triaged the following MOS lifecycle management scenarios for haproxy SSL certs (in post-install stage):

1. Update MOS environment from self-signed certificates to CA signed certificates
2. Update CA signed certificate on its expiry

Both scenarios currently fail with Fuel 9.0

Scenario #1:

* Going to Settings->Security and changing to "I have my own keypair with certificate"
* Deploying changes
* No errors/warnings, deploy completes successfully
* Yet haproxy certificates are still the self-signed ones (nothing was changed in reality)

Scenario #2:
* Going to Settings->Security and uploading new cert in "I have my own keypair with certificate" file upload
* Deploying changes
* No errors/warnings, deploy completes successfully
* Haproxy certificates are the older ones (nothing was changed in reality)

Another (and hackish) method to migrate from self-signed cert to CA signed cert was to:
* Remove TLS/SSL settings in Settings->Security
* Deploying changes
* Going to Settings->Security and changing to "I have my own keypair with certificate"
* Deploying changes again
* Then the result was as expected - i.e. CA signed cert was deployed for CTRL haproxy
* Yet this procedure reconfigures OpenStack endpoints twice - from https->http and from http->https - which means downtime, and it's probably a high-risk operation on a production cluster

Once the CA signed cert was in place, going back to a self-signed cert was not possible, even through the 2-step procedure (no TLS + enabling self-signed cert) - we ended up again with the CA signed cert instead (as it seems cert/key files are not reset properly, neither on Fuel nor on the Controller).

This bug is probably also related to these pre-existing issues:
* https://bugs.launchpad.net/fuel/+bug/1541944
* https://bugs.launchpad.net/fuel/+bug/1491805

fuel --version
9.0.0

yum list installed | grep fuel
fuel.noarch 9.0.0-1.mos6357 @mos9.0-updates
fuel-agent.noarch 9.0.0-1.mos291 @mos9.0-updates
fuel-bootstrap-cli.noarch 9.0.0-1.mos291 @mos9.0-updates
fuel-library9.0.noarch 9.0.0-1.mos8606 @mos9.0-updates
fuel-migrate.noarch 9.0.0-1.mos8607 @mos9.0-updates
fuel-mirror.noarch 9.0.0-1.mos154 @mos9.0-updates
fuel-misc.noarch 9.0.0-1.mos8607 @mos9.0-updates
fuel-nailgun.noarch 9.0.0-1.mos8861 @mos9.0-updates
fuel-nailgun-extension-cluster-upgrade.noarch
fuel-notify.noarch 9.0.0-1.mos8607 @mos9.0-updates
fuel-octane.noarch 9.0.0-1.mos1349 @mos9.0-updates
fuel-openstack-metadata.noarch 9.0.0-1.mos8861 @mos9.0-updates
fuel-ostf.noarch 9.0.0-1.mos946 @mos9.0-updates
fuel-provisioning-scripts.noarch 9.0.0-1.mos8861 @mos9.0-updates
fuel-release.noarch 9.0.0-1.mos6357 @mos9.0-updates
fuel-setup.noarch 9.0.0-1.mos6357 @mos9.0-updates
fuel-ui.noarch 9.0.0-1.mos2814 @mos9.0-updates
fuel-utils.noarch 9.0.0-1.mos8607 @mos9.0-updates
fuelmenu.noarch 9.0.0-1.mos275 @mos9.0-updates
python-fuelclient.noarch 9.0.0-1.mos356 @mos9.0-updates
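
A post-deploy check for the silent failure described in both scenarios, as an added example that is not part of the original report or of Fuel's code: it compares the SHA-256 fingerprint of the certificate in the uploaded PEM with the one the haproxy endpoint actually serves. The function names and status labels are assumptions of this example, and the certificate bytes in the demo are constructed placeholders.

```python
import hashlib
import re
import socket
import ssl

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def leaf_fingerprint(pem_bundle):
    """SHA-256 of the first CERTIFICATE block; private key blocks are skipped."""
    match = CERT_RE.search(pem_bundle)
    if match is None:
        raise ValueError("no CERTIFICATE block in PEM input")
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(match.group(0))).hexdigest()


def served_fingerprint(host, port=443, timeout=5.0):
    """SHA-256 of the leaf certificate the endpoint presents right now."""
    ctx = ssl.create_default_context()
    # Chain validation is off only so a self-signed certificate can still be
    # fetched; the fingerprint comparison below is the actual check.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


def rotation_status(uploaded_pem, served_fp, previous_fp=None):
    """Classify the outcome of a deploy that was meant to replace the cert."""
    if served_fp == leaf_fingerprint(uploaded_pem):
        return "rotated"
    if previous_fp is not None and served_fp == previous_fp:
        return "stale"  # deploy reported success, old certificate still served
    return "unexpected"  # neither the old nor the uploaded certificate


if __name__ == "__main__":
    # Constructed placeholder bytes, not real certificates.
    old_fp = hashlib.sha256(b"constructed-old-cert").hexdigest()
    uploaded = ssl.DER_cert_to_PEM_cert(b"constructed-new-cert")
    # Against a live cluster: served = served_fingerprint("<public VIP>")
    print(rotation_status(uploaded, old_fp, old_fp))
```

Record `served_fingerprint()` for the public endpoint before "Deploying changes" and pass it as `previous_fp` afterwards; a `stale` result is the behaviour reported above.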

Changed in fuel:
assignee: nobody → Stanislaw Bogatkin (sbogatkin)
importance: Undecided → High
status: New → Confirmed
milestone: none → 11.0
Stanislaw Bogatkin (sbogatkin) wrote :

These cases were covered by https://review.openstack.org/#/q/Ib18894d81d79e6ce52154bd5544226ded74c2acd,n,z
After applying that fix, redeploy with a new certificate went properly. Closed as duplicate.

Stanislaw Bogatkin (sbogatkin) wrote :

I am sorry, wrong link was given. This one is right: https://review.openstack.org/#/q/I0df5c1fa18d012a7ef7aa9c1f627965791dee5d8,n,z
