cancel
Showing results for 
Search instead for 
Did you mean: 
Kashif-Nawaz
Mission Specialist
Mission Specialist
  • 1,695 Views

How Director can get tls cert from IDM Server Instead of using locally generated cert

Jump to solution

hi Experts;

I am trying to install RHOSP16.1 with the aim that director node should get tls certficate from IDM server instead of using locally generated certificate. 

But deployment step-3 got failed with following exception:-

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: OSError: Could not find a suitable TLS CA certificate bundle, invalid path: /etc/pki/ca-trust/source/anchors/cm-local-ca.pem     

From the exception it's clear that deployment process is trying to find locally generated certficate which is not generated because my undercloud.conf is pointing to IPA sever and undercloud node is also registered with IPA server. Undercloud.conf file is pasted below, am I missing some parameter here ?? 

[stack@rhosp16 ~]$ cat undercloud.conf

[DEFAULT]

local_ip = 192.168.24.1/24

undercloud_public_host = rhosp16.knawaz.lab.jnpr

local_interface = eth0

undercloud_hostname = rhosp16.knawaz.lab.jnpr

undercloud_admin_host = 192.168.24.5

enable_novajoin=true

overcloud_domain_name=knawaz.lab.jnpr

undercloud_nameservers = 192.168.24.12

container_images_file = /home/stack/containers-prepare-parameter.yaml

ipa_otp= '1Qta6sHLsXoyKa0UTSkpRYaN2MBNbPO0PNz4SJNTYWsN'

certificate_generation_ca = IPA

generate_service_certificat = true

service_principal = haproxy/rhosp16.knawaz.lab.jnpr@KNAWAZ.LAB.JNPR

 

[stack@rhosp16 ~]$  sudo getcert list

Number of certificates and requests being tracked: 1.

Request ID 'haproxy-external-cert':

        status: MONITORING

        stuck: no

        key pair storage: type=FILE,location='/etc/pki/tls/private/haproxy/overcloud-haproxy-external.key'

        certificate: type=FILE,location='/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.crt'

        CA: IPA

        issuer: CN=Certificate Authority,O=KNAWAZ.LAB.JNPR

        subject: CN=rhosp16.knawaz.lab.jnpr,O=KNAWAZ.LAB.JNPR

        expires: 2023-05-02 11:56:40 EDT

        dns: rhosp16.knawaz.lab.jnpr

        principal name: haproxy/rhosp16.knawaz.lab.jnpr@KNAWAZ.LAB.JNPR

        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

        eku: id-kp-serverAuth,id-kp-clientAuth

        pre-save command:

        post-save command: /usr/bin/certmonger-haproxy-refresh.sh reload external

        track: yes

        auto-renew: yes

                                                                   

Labels (1)
1 Solution

Accepted Solutions
PeterTselios
Starfighter Starfighter
Starfighter
  • 1,598 Views

Have you defined the relevant service in IDM?

IIRC, you need an "haproxy/..." service defined in IdM, obviously in the OSPd host.

View solution in original post

1 Reply
PeterTselios
Starfighter Starfighter
Starfighter
  • 1,599 Views

Have you defined the relevant service in IDM?

IIRC, you need an "haproxy/..." service defined in IdM, obviously in the OSPd host.

Join the discussion
You must log in to join this conversation.