Mission Specialist

How Director can get tls cert from IDM Server Instead of using locally generated cert


Hi Experts,

I am trying to install RHOSP 16.1 with the aim that the director node should get its TLS certificate from the IdM server instead of using a locally generated certificate.

But deployment step 3 failed with the following exception:

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: OSError: Could not find a suitable TLS CA certificate bundle, invalid path: /etc/pki/ca-trust/source/anchors/cm-local-ca.pem

From the exception it's clear that the deployment process is trying to find the locally generated certificate, which is not generated because my undercloud.conf is pointing to the IPA server and the undercloud node is also registered with the IPA server. The undercloud.conf file is pasted below; am I missing some parameter here?

[stack@rhosp16 ~]$ cat undercloud.conf
local_ip =
undercloud_public_host = rhosp16.knawaz.lab.jnpr
local_interface = eth0
undercloud_hostname = rhosp16.knawaz.lab.jnpr
undercloud_admin_host =

undercloud_nameservers =
container_images_file = /home/stack/containers-prepare-parameter.yaml
ipa_otp = '1Qta6sHLsXoyKa0UTSkpRYaN2MBNbPO0PNz4SJNTYWsN'
certificate_generation_ca = IPA
generate_service_certificat = true
service_principal = haproxy/rhosp16.knawaz.lab.jnpr@KNAWAZ.LAB.JNPR


[stack@rhosp16 ~]$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID 'haproxy-external-cert':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/private/haproxy/overcloud-haproxy-external.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=KNAWAZ.LAB.JNPR
        subject: CN=rhosp16.knawaz.lab.jnpr,O=KNAWAZ.LAB.JNPR
        expires: 2023-05-02 11:56:40 EDT
        dns: rhosp16.knawaz.lab.jnpr
        principal name: haproxy/rhosp16.knawaz.lab.jnpr@KNAWAZ.LAB.JNPR
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/bin/certmonger-haproxy-refresh.sh reload external
        track: yes
        auto-renew: yes



Accepted Solutions
Starfighter

Have you defined the relevant service in IDM?

IIRC, you need an "haproxy/..." service defined in IdM, obviously in the OSPd host.
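As an added example (not from the post, and not RHOSP's or certmonger's own code), here is a small Python pre-flight check that cross-reads the TLS-related undercloud.conf keys with the `getcert list` output shown in the question: it reports a missing or misspelled key, a `service_principal` that differs from the principal certmonger is tracking, and a request that is not MONITORING via the IPA CA. The sample input is constructed from the post (OTP replaced by a placeholder), and the list of key names is my assumption about the current parameter spelling.

```python
import difflib
import re

# Constructed sample (from the post; misspelled key kept, OTP replaced) for offline testing.
UNDERCLOUD_CONF = """\
undercloud_hostname = rhosp16.knawaz.lab.jnpr
ipa_otp = 'OTP-PLACEHOLDER'
certificate_generation_ca = IPA
generate_service_certificat = true
service_principal = haproxy/rhosp16.knawaz.lab.jnpr@KNAWAZ.LAB.JNPR
"""
GETCERT_LIST = """\
Request ID 'haproxy-external-cert':
        status: MONITORING
        CA: IPA
        principal name: haproxy/rhosp16.knawaz.lab.jnpr@KNAWAZ.LAB.JNPR
"""
TLS_KEYS = ("certificate_generation_ca", "generate_service_certificate",  # assumed names
            "service_principal", "ipa_otp", "undercloud_hostname")

def parse_conf(text):
    """Minimal INI-style parser: 'key = value' lines, quotes stripped, sections ignored."""
    conf = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith(("#", "[")) and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip().strip("'\"")
    return conf

def parse_getcert(text):
    """Turn the indented 'field: value' lines of `getcert list` into a dict."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"^[ \t]+([\w ]+?):[ \t]*(.*)$", text, re.M)}

def check_tls_config(conf_text, getcert_text):
    """Return a list of findings; an empty list means the two sources agree."""
    conf, cert = parse_conf(conf_text), parse_getcert(getcert_text)
    findings = []
    for key in TLS_KEYS:  # missing key, possibly present under a misspelling
        if key not in conf:
            near = difflib.get_close_matches(key, conf, n=1, cutoff=0.8)
            findings.append(f"{key} missing" + (f" (found '{near[0]}' instead)" if near else ""))
    if conf.get("certificate_generation_ca", "").upper() != "IPA":
        findings.append("certificate_generation_ca must be IPA for IdM-issued certs")
    # Same principal on both sides; it must also exist as a service in IdM (ipa service-show).
    if conf.get("service_principal") != cert.get("principal name"):
        findings.append("service_principal does not match certmonger's principal name")
    if cert.get("status") != "MONITORING" or cert.get("CA") != "IPA":
        findings.append(f"certmonger request is {cert.get('status')} via CA {cert.get('CA')}")
    return findings
```

Run it against the real files (`cat undercloud.conf` and `sudo getcert list`) before `openstack undercloud install`; the IdM-side check that the accepted answer refers to still has to be done on the IdM server itself.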


