Octavia loadbalancer listener creation fails when PKCS12 bundle is encrypted with key in Red Hat OpenStack Platform 13
Issue
When following https://docs.openstack.org/octavia/queens/user/guides/basic-cookbook.html and using a PKCS12 bundle that is protected with a passphrase, the Octavia CLI throws the following error when creating a load balancer listener:
(overcloud) [stack@undercloud ~]$ openstack loadbalancer listener create --protocol-port 443 --protocol TERMINATED_HTTPS --name listener1 --default-tls-container=$(openstack secret list | awk '/ tls_secret1 / {print $2}') lb1
Could not retrieve certificate: ['https://<certificate URL>'] (HTTP 400) (Request-ID: req-<request UUID>)
Error message in /var/log/containers/octavia/api.log on the controller nodes:
2019-09-11 16:04:50.856 1 ERROR barbicanclient.client [req-(...)] 4xx Client error: Not Found: Not Found. Sorry but your container is in another castle.: Error: [('PKCS12 routines', 'PKCS12_parse', 'mac verify failure')]
A manual validation of the certificate bundle before importing it yields the same error when hitting RETURN without providing a password at the "Enter Import Password:" prompt:
(overcloud) [stack@undercloud ~]$ openssl pkcs12 -info -in cert.p12
Enter Import Password:
MAC Iteration 1
Mac verify error: invalid password?
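The manual check above can also be run without a prompt before the bundle is stored as a secret. The shell functions below are an added example, not part of the original article or of any Red Hat tooling; p12_state and make_constructed_bundles are hypothetical names, and the sample bundles are constructed with a throwaway self-signed certificate.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# Classify a PKCS12 bundle by trying the empty import password non-interactively
# (the equivalent of pressing RETURN at "Enter Import Password:").
# Prints one state and returns: 0 no-passphrase, 1 passphrase-protected,
# 2 unparseable, 3 unreadable.
p12_state() {
    bundle=$1
    if [ ! -r "$bundle" ]; then
        echo "unreadable"; return 3
    fi
    # -noout: verify and parse without printing certificates or keys.
    if err=$(openssl pkcs12 -in "$bundle" -noout -passin pass: 2>&1); then
        echo "no-passphrase"; return 0
    fi
    # The openssl CLI reports "Mac verify error", the library "mac verify failure".
    case $(printf '%s' "$err" | tr 'A-Z' 'a-z') in
        *"mac verify"*) echo "passphrase-protected"; return 1 ;;
        *)              echo "unparseable"; return 2 ;;
    esac
}

# Build constructed sample bundles in directory $1 (throwaway self-signed cert).
make_constructed_bundles() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed.example" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -passout pass: -out "$dir/open.p12" || return 1
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -passout pass:constructed-passphrase -out "$dir/locked.p12" || return 1
    printf 'not a bundle\n' > "$dir/garbage.p12"
}

# Usage: sh p12_state.sh cert.p12
if [ $# -gt 0 ]; then
    p12_state "$1"
fi
```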
Environment
Red Hat OpenStack Platform 13