Enabling SSL/TLS on Overcloud

As I was deploying Red Hat OpenStack with SSL/TLS for the Overcloud, I ran into an issue where the deployment finished successfully and SSL/TLS was applied to all public endpoints, but in the Horizon dashboard I received an error whenever I tried to list or create anything: show the summary, list volumes, list images, list anything.

While I followed the Red Hat deployment guide, it seems to be an issue with how certificates are deployed between the undercloud and the overcloud. The guide I was following is https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html-single/advanced_overcloud_customization/#sect-Enabling_SSLTLS_on_the_Overcloud

As usual I started looking around for answers; checking the Horizon logs I found the following:

SSLError: SSL exception connecting to https://172.17.17.10:13000/v3/users/5d6f5a574f2d46b6a1f0c6e3b9b6faf3/projects: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

I also found a bug against the documentation logged at this URL: https://bugzilla.redhat.com/show_bug.cgi?id=1393469

To make it simple, here are the steps I followed to make it work, with a slight change from the documentation and much easier.

Generate a self-signed CA:

openssl genrsa -out overcloud-ca-privkey.pem 4096
openssl req -new -x509 -key overcloud-ca-privkey.pem -out overcloud-cacert.pem -days 7300 -subj '/C=US/ST=CA/L=LA/O=Cloudy/OU=cloud/CN=messeiry.com'

 

Update undercloud trusted store with the CA certificate:

sudo cp overcloud-cacert.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract

Generate a server certificate signed by the CA created in the previous step:

openssl req -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem -out server-req.pem -subj '/C=US/ST=CA/L=LA/O=Cloudy/OU=cloud/CN=172.17.17.10'
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3650 -CA overcloud-cacert.pem -CAkey overcloud-ca-privkey.pem -set_serial 01 -out server-cert.pem

Verify the certificate against the undercloud trust store:

openssl verify -verbose -CAfile /etc/ssl/certs/ca-bundle.crt server-cert.pem

It should return: server-cert.pem: OK

Add the server certificate and key to enable-tls.yaml and the CA certificate to inject-trust-anchor.yaml:

overcloud-cacert.pem => environments/inject-trust-anchor.yaml
server-cert.pem => environments/enable-tls.yaml
server-key.pem => environments/enable-tls.yaml

To make sure the public VIP matches the one passed as the CN during certificate creation, add this to an environment file (in my case I used network-environment.yaml):

parameter_defaults:
  PublicVirtualFixedIPs: [{'ip_address': '172.17.17.10'}]
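As an added example (not part of the original post), the script below packages the CA and server-certificate steps above into two functions and then runs the two checks that the Keystone client behind Horizon performs before it talks to https://VIP:13000: chain verification against the CA, and a match between the certificate and the public VIP. It assumes the VIP and subject fields used in this post, and it adds an IP subjectAltName, which the post's own commands do not set.

```bash
#!/bin/bash
# Added example, not the post's or Red Hat's code. Reproduces the CA and
# server-cert steps in a scratch directory and checks the result the way a
# TLS client would, so a CERTIFICATE_VERIFY_FAILED is caught before deploy.
set -eu

make_overcloud_certs() {
  # $1 = output directory, $2 = public VIP placed in the server CN and SAN
  local dir="$1" vip="$2"
  mkdir -p "$dir"
  # Self-signed CA (same subject as in the post; 2048-bit key to keep it quick)
  openssl genrsa -out "$dir/overcloud-ca-privkey.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/overcloud-ca-privkey.pem" \
    -out "$dir/overcloud-cacert.pem" -days 7300 \
    -subj '/C=US/ST=CA/L=LA/O=Cloudy/OU=cloud/CN=messeiry.com' 2>/dev/null
  # Server CSR with the public VIP as CN
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/server-key.pem" \
    -out "$dir/server-req.pem" \
    -subj "/C=US/ST=CA/L=LA/O=Cloudy/OU=cloud/CN=$vip" 2>/dev/null
  # Modern clients match on SAN rather than CN, so also add the VIP as an IP SAN
  printf 'subjectAltName=IP:%s\n' "$vip" > "$dir/san.cnf"
  openssl x509 -req -in "$dir/server-req.pem" -days 3650 \
    -CA "$dir/overcloud-cacert.pem" -CAkey "$dir/overcloud-ca-privkey.pem" \
    -set_serial 01 -extfile "$dir/san.cnf" -out "$dir/server-cert.pem" 2>/dev/null
}

check_overcloud_cert() {
  # $1 = CA cert, $2 = server cert, $3 = public VIP; returns 0 only if both
  # the chain and the name check pass (what Horizon's Keystone client needs)
  local ca="$1" cert="$2" vip="$3"
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "chain: FAIL, $cert does not chain to $ca (CERTIFICATE_VERIFY_FAILED)"
    return 1
  fi
  # -checkip prints "IP <vip> does match certificate" or "does NOT match"
  if ! openssl x509 -in "$cert" -noout -checkip "$vip" | grep -q 'does match'; then
    echo "name: FAIL, $cert was not issued for $vip"
    return 1
  fi
  echo "ok: $cert chains to $ca and matches $vip"
}
```

Run make_overcloud_certs with your scratch directory and VIP, then check_overcloud_cert with the produced files; a non-zero exit tells you which of the two conditions the overcloud endpoint would fail on.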

And here is the final deployment script:

#!/bin/bash
openstack overcloud deploy \
 --templates /usr/share/openstack-tripleo-heat-templates/ \
 -e /usr/share/openstack-tripleo-heat-templates/environments/network-isolation-messeiry.yaml \
 `for n in ~/templates/*environment*.yaml; do echo -n "-e $n "; done` \
 -e /home/stack/templates/enable-tls.yaml \
 -e /home/stack/templates/inject-trust-anchor.yaml \
 -e /usr/share/openstack-tripleo-heat-templates/environments/tls-endpoints-public-ip.yaml \
 --stack overcloudssl \
 --ntp-server 192.0.2.200 \
 --control-flavor control \
 --compute-flavor compute \
 --ceph-storage-flavor ceph-storage \
 --control-scale 3 \
 --compute-scale 3 \
 --ceph-storage-scale 3 \
 --neutron-tunnel-types vxlan \
 --neutron-network-type vxlan | tee openstack-deployment-ssl.log

For more information read the Red Hat documentation, but this should fix the issue.