I have deployed openstack/base on MaaS as indicated here. After I tried to deploy charmed-kubernetes with an openstack-integrator and vault overlay, I cannot perform openstackclient commands on the maas node and the images uploaded to the dashboard are not recognized, that means, the ubuntu charms cannot be deployed. When I do, for example,
openstack catalog list
I get
Failed to discover available identity versions when contacting https://keystone_ip:5000/v3. Attempting to parse version from URL.
SSL exception connecting to https://keystone_ip:5000/v3/auth/tokens: HTTPSConnectionPool(host=âkeystone_ipâ, port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLCertVerificationError(1, â[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)â)))
However, when I ssh into the keystone container, there is a keystone_juju_ca_cert.crt which has as
I have also tried to reissue the certificates and refresh the secrets through actions in the vault application, but to no avail.
Can somobody help me here ? By this point, this is already the second bigger problem I have with certificate management using vault. Is there a more comprehensive guide with more detailed information ?
To me, it looks like your client doesnât know about the CA that Vault is using. Have you added Vaultâs CA to the machine where youâre trying to run openstack catalog list?
The CA can be retrieved with juju run-action vault/leader --wait get-root-ca and should then be added into your environment with something like export OS_CACERT=/path/to/that/CA.crt
Thanks, that was the cause. Maybe this is also the origin of the problem I had with the private docker registry, but I doubt it. I will try that one, too, but now that I am trying to deploy openstack/base on maas, I am having another type of certificate problem that I will post a question to, too.
Hello,
I am facing this integration issue, it used to be ok, but suddently integration failed for new deployment.
unit-openstack-integrator-0: 10:27:41 DEBUG unit.openstack-integrator/0.config-changed SSL exception connecting to https://172.16.17.44:5000/v3/auth/tokens: HTTPSConnectionPool(host=â172.16.17.44â, port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLError(âunable to load trusted certificates: Error([(âsystem libraryâ, âfopenâ, âPermission deniedâ), (âBIO routinesâ, âBIO_new_fileâ, âsystem libâ), (âx509 certificate routinesâ, âX509_load_cert_crl_fileâ, âsystem libâ)],)â,),))
When i ssh to unit openstack-integrator, ca.crt exists
ubuntu@juju-b1c354-shared-k8s-9:~$ ls -lah /etc/openstack-integrator/
total 12K
drwxr-xr-x 2 root root 4.0K Mar 21 10:20 .
drwxr-xr-x 94 root root 4.0K Mar 21 10:20 âŠ
-rw-râr-- 1 root root 1.3K Mar 21 10:48 ca.crt