Charmed Openstack: Heat to Keystone SSL validation issue

Hi, we have successfully deployed Openstack-base charm and have now added the Heat charm.

Heat deploys without issue and then allows us to create the relations to keystone, mysql, and rabbitmq. When we are ready to run "juju run-action heat/0 domain-setup", it seems to complete, but when we add --wait and --debug, it lists an SSL error related to keystone; please see the attached pastebin:

We ran into this issue with Heat stable:485, and so have tried Heat edge:504.

Hi Matthew,

Can you pastebin the output to:

juju status heat --relations

I could use the rest of the output but from what I can see you did not set up Heat with the cloud database correctly. Use another service as a model. Basically you need:

relations:
  - - "heat:shared-db"
    - "heat-mysql-router:shared-db"
  - - "heat-mysql-router:db-router"
    - "mysql-innodb-cluster:db-router"

Heat was not part of the openstack-base charm, we added it by running “juju deploy heat”.

So are you good to go then with the relations I provided?

See the charm repo test bundle for more details.

Well, we are closer, but still getting the SSL errors:

If you’re using the openstack-base bundle, it’s using vault to provide certificates to various services. You should make sure that you are relating heat to vault so that it can get an update to the CA. Looking at the relations that you’ve provided and that Peter referenced, it doesn’t include any relations to vault.

Thanks for jumping in, @billy-olsen;

I related heat to vault and then ran “sudo update-ca-certificates” on all heat containers before attempting the domain-setup again, unfortunately, with the same output as before.

Thanks, @billy-olsen and @pmatulis!

I finally resolved the issue by performing the following:

  1. Get the ca certificate data from “juju run-action --wait vault/leader generate-root-ca”.
  2. Copy the certificate data and then ssh into each of your Heat units (one by one) (e.g. juju ssh 0/lxd1).
  3. Browse to /etc/ssl/certs/.
  4. Modify ca-certificates.crt (sudo nano ca-certificates.crt) and add (paste) the certificate to the end of the file.
  5. Run “juju run-action heat/0 domain-setup --wait --debug” at least twice.

You should now be able to log into the openstack cli and run “openstack orchestration service list” to get a list of heat engines.