Ovn-central certificates not renewed

Running juju run-action --wait vault/leader reissue-certificates does not seem to re-issue the ovn-central certificates. Is there a way to force ovn to request a new certificate?

Here are a few more bits of data from ovn-central:

juju show-application ovn-central
ovn-central:
  charm: ovn-central
  series: focal
  channel: stable
  principal: true
  exposed: false
  remote: false
  endpoint-bindings:
    "": os-public-api
    certificates: os-public-api
    nrpe-external-master: os-public-api
    ovsdb: os-public-api
    ovsdb-cms: os-public-api
    ovsdb-peer: os-public-api
    ovsdb-server: os-public-api

2022-10-22 03:13:23 INFO unit.ovn-central/2.juju-log server.go:327 Invoking reactive handler: reactive/layer_openstack.py:121:default_request_certificates
2022-10-22 03:13:23 WARNING unit.ovn-central/2.juju-log server.go:327 Skipping request for certificate for ip in int space, no local address found
2022-10-22 03:13:23 WARNING unit.ovn-central/2.juju-log server.go:327 Skipping request for certificate for ip in admin space, no local address found
2022-10-22 03:13:23 WARNING unit.ovn-central/2.juju-log server.go:327 Skipping request for certificate for ip in public space, no local address found

Is the ovn-central charm expecting that a space will be named one of int, admin, or public?

It turns out it is a known issue, which also impacts neutron-api, and although I didn’t see it in the bug report, our experience was it also impacted ovn-chassis. https://bugs.launchpad.net/vault-charm/+bug/1940549

Can you add your observation to the bug?

It looks like corey.bryant already did and I just missed it.

Hi, we’ve run into this bug with ovn-central as well. When trying to implement the workaround listed in Bug #1940549, we were able to implement it successfully for ovn-chassis; however, ovn-central doesn’t appear to update after trying to apply the workaround to it (running the workaround targeting the ovn-central certificate on the non-leader vault units).

Were you able to execute the workaround on ovn-central successfully and/or were there any additional steps you took to fix?

@nanderson91,
Sorry, a bit late on the reply here. We ended up shutting down the current vault leader and re-issuing certificates from a different leader. Not sure whether this is a recommended practice, but it did allow the certificates to be issued correctly.

Dear sjtanner, we are having a problem with the current vault leader; it’s showing an error. Is it possible to re-deploy a new leader and issue certificates on it? Could you share your experience with me? It would be very helpful in my case, because I am stuck on our system.