Deploy error enabling TLS everywhere when the IPA realm differs from the IPA domain

Solution Verified

Environment

  • Red Hat Openstack Platform 16.2.3

Issue

The overcloud deployment fails when enabling or changing TLS everywhere if the IPA Kerberos realm is not the same as the IPA domain (for example, realm IPAREALM.COM with hosts in example.com).

Resolution

Set the CertmongerKerberosRealm parameter to the IPA Kerberos realm in tls-parameters.yaml (the TLS everywhere environment file passed to the overcloud deploy command) and rerun the deployment. The value is the realm, not the domain: Kerberos realm names are case sensitive and IPA realms are uppercase, so use exactly what $IPA_REALM and `realm list` report on the director.

parameter_defaults:
    DnsSearchDomains: ["example.com"]
    CloudDomain: example.com
    ...
    CertmongerKerberosRealm: IPAREALM.COM

Root Cause

By default the overcloud templates assume that the Kerberos realm and the DNS domain are the same: when CertmongerKerberosRealm is not set, certmonger_krb_realm is derived from CloudDomain (uppercased), so every Kerberos principal that certmonger requests a certificate for is built as service/host@CLOUDDOMAIN (qemu/compute-0.internalapi.example.com@EXAMPLE.COM in the error below). In environments where the IPA realm differs from the domain, that principal does not exist in IPA and the certificate requests fail, which stops the deployment.

Diagnostic Steps

  1. The overcloud deploy command stops because of FATAL errors on the controller and compute nodes at the step "Wait for puppet host configuration to finish". The error is:

<13>Mar 14 05:01:44 puppet-user: Error: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Qemu[qemu-nbd-client-cert]/Certmonger_certificate[qemu-nbd-client-cert]: Could not evaluate: Execution of '/usr/bin/getcert resubmit -i qemu-nbd-client-cert -f /etc/pki/libvirt-nbd/client-cert.pem -c IPA -N CN=compute-0.internalapi.example.com -K qemu/compute-0.internalapi.example.com@EXAMPLE.COM -D compute-0.internalapi.example.com -g 2048 -w' returned 3: Resubmitting "qemu-nbd-client-cert" to "IPA".

     Note the principal passed with -K: its realm (@EXAMPLE.COM) is the uppercased CloudDomain, not the IPA realm the node is enrolled in.
  2. Run the command below on the compute node to list the certificate requests certmonger is tracking and check the status, the CA and the principal name of each request:
[root@compute ~]# getcert list
  3. Run the commands below on the director to compare the IPA domain and IPA realm used for the deployment with the realm the node is enrolled in; the realm shown here is the value CertmongerKerberosRealm must carry:
[stack@undercloud ~]$ echo $IPA_DOMAIN
[stack@undercloud ~]$ echo $IPA_REALM
[stack@undercloud ~]$ realm list
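The comparison in the diagnostic steps above can be scripted. The following is an added example, not part of this Red Hat solution or of the RHOSP tooling: it reads the realm the host is enrolled in from /etc/ipa/default.conf and compares it with the realm of every "principal name" that `getcert list` reports, flagging requests whose realm was derived from CloudDomain instead of the IPA realm. The sample default.conf and `getcert list` output are constructed (the status values are illustrative), and the function check_live_host is the only part that touches a real node.

```shell
#!/bin/sh
# Added example, not part of the Red Hat article: compare the Kerberos realm
# certmonger is requesting certificates for against the realm the host is
# actually enrolled in. Principals in the wrong realm are the symptom of
# leaving CertmongerKerberosRealm unset when realm != domain.

# Realm the host was enrolled in, parsed from the contents of /etc/ipa/default.conf.
expected_realm() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# One "<request id> <realm>" line per tracked request in 'getcert list' output.
principal_realms() {
    printf '%s\n' "$1" | awk '
        /^Request ID/ { gsub(/^Request ID '\''|'\'':$/, ""); id = $0 }
        /^[[:space:]]*principal name:/ { sub(/.*@/, ""); print id, $0 }'
}

# check_cert_realms <getcert list output> <default.conf contents>
# Returns 0 when every principal is in the enrolled realm, 1 on a mismatch,
# 2 when no realm can be read from default.conf. Comparison is case sensitive,
# as Kerberos realm names are.
check_cert_realms() {
    want=$(expected_realm "$2")
    if [ -z "$want" ]; then
        echo "no 'realm =' entry found in default.conf" >&2
        return 2
    fi
    mismatches=$(principal_realms "$1" | awk -v want="$want" \
        '$2 != want { print $1 ": principal is in @" $2 " but host is enrolled in @" want }')
    if [ -n "$mismatches" ]; then
        printf '%s\n' "$mismatches"
        return 1
    fi
    return 0
}

# Run the same check against the live host (as root on an overcloud node).
check_live_host() {
    check_cert_realms "$(getcert list)" "$(cat /etc/ipa/default.conf)"
}

# Constructed sample: IPA realm IPAREALM.COM, overcloud domain example.com,
# CertmongerKerberosRealm left unset, so the principals were built from CloudDomain.
SAMPLE_DEFAULT_CONF='[global]
basedn = dc=iparealm,dc=com
realm = IPAREALM.COM
domain = example.com
server = ipa.iparealm.com'

SAMPLE_GETCERT_BAD=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID 'qemu-nbd-client-cert':
    status: CA_REJECTED
    CA: IPA
    subject: CN=compute-0.internalapi.example.com
    principal name: qemu/compute-0.internalapi.example.com@EXAMPLE.COM
Request ID 'libvirt-client-cert':
    status: CA_REJECTED
    CA: IPA
    subject: CN=compute-0.internalapi.example.com
    principal name: libvirt/compute-0.internalapi.example.com@EXAMPLE.COM
EOF
)

# The same two requests after redeploying with CertmongerKerberosRealm: IPAREALM.COM
SAMPLE_GETCERT_OK=$(printf '%s\n' "$SAMPLE_GETCERT_BAD" \
    | sed 's/@EXAMPLE\.COM$/@IPAREALM.COM/; s/CA_REJECTED/MONITORING/')

if check_cert_realms "$SAMPLE_GETCERT_BAD" "$SAMPLE_DEFAULT_CONF"; then
    echo "all tracked requests use the enrolled realm"
else
    echo "realm mismatch: set CertmongerKerberosRealm to the IPA realm and redeploy"
fi
```

On a real node, call check_live_host instead of the sample run; a non-zero exit with one line per mismatched request means the principals were generated from CloudDomain and the deployment needs CertmongerKerberosRealm set before the certificate requests can succeed.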

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
