Kashif-Nawaz

How can Director get a TLS cert from the IdM server instead of using a locally generated cert?

Hi Experts,

I am trying to install RHOSP 16.1 with the aim that the director node should get its TLS certificate from the IdM server instead of using a locally generated certificate.

But deployment step 3 failed with the following exception:

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: OSError: Could not find a suitable TLS CA certificate bundle, invalid path: /etc/pki/ca-trust/source/anchors/cm-local-ca.pem     

From the exception it's clear that the deployment process is trying to find a locally generated certificate, which is not generated because my undercloud.conf is pointing to the IPA server and the undercloud node is also registered with the IPA server. The undercloud.conf file is pasted below; am I missing some parameter here?

[stack@rhosp16 ~]$ cat undercloud.conf
[DEFAULT]
local_ip = 192.168.24.1/24
undercloud_public_host = rhosp16.knawaz.lab.jnpr
local_interface = eth0
undercloud_hostname = rhosp16.knawaz.lab.jnpr
undercloud_admin_host = 192.168.24.5
enable_novajoin=true
overcloud_domain_name=knawaz.lab.jnpr
undercloud_nameservers = 192.168.24.12
container_images_file = /home/stack/containers-prepare-parameter.yaml
ipa_otp= '1Qta6sHLsXoyKa0UTSkpRYaN2MBNbPO0PNz4SJNTYWsN'
certificate_generation_ca = IPA
generate_service_certificat = true
service_principal = haproxy/rhosp16.knawaz.lab.jnpr@KNAWAZ.LAB.JNPR

[stack@rhosp16 ~]$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID 'haproxy-external-cert':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/private/haproxy/overcloud-haproxy-external.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=KNAWAZ.LAB.JNPR
        subject: CN=rhosp16.knawaz.lab.jnpr,O=KNAWAZ.LAB.JNPR
        expires: 2023-05-02 11:56:40 EDT
        dns: rhosp16.knawaz.lab.jnpr
        principal name: haproxy/rhosp16.knawaz.lab.jnpr@KNAWAZ.LAB.JNPR
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/bin/certmonger-haproxy-refresh.sh reload external
        track: yes
        auto-renew: yes
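One check worth running on a file like the one above before re-running the deploy is to parse it and look for option names the installer would not recognise: an unknown key in undercloud.conf is silently ignored and the option falls back to its default, so a one-letter typo in a certificate option quietly changes which CA is used. The script below is an added example written for this thread; it is not code from the original post or from the TripleO project. The list of certificate-related option names and their defaults is an assumption taken from the TripleO undercloud.conf documentation, and the sample configuration is constructed to mirror the shape of the poster's file with a placeholder OTP.

```python
"""Sanity-check the certificate-related options of a TripleO undercloud.conf.

Added example, not code from the original post or from TripleO. It parses
the [DEFAULT] section, flags option names that are a near-miss of a known
certificate option (unknown keys are ignored by the installer, so a typo
silently falls back to the default), shows the certificate options as the
installer would see them, and checks whether a CA bundle path quoted in an
error message exists on disk.
"""
import configparser
import difflib
import os

# Certificate-related undercloud.conf options and their defaults.
# Assumption: names/defaults as documented for TripleO; not from the post.
CERT_OPTIONS = {
    "generate_service_certificate": "false",
    "certificate_generation_ca": "local",
    "service_principal": "",
    "undercloud_service_certificate": "",
    "enable_novajoin": "false",
    "ipa_otp": "",
}

# Constructed sample mirroring the poster's file with a placeholder OTP;
# the misspelled 'generate_service_certificat' key is intentional.
SAMPLE_CONF = """\
[DEFAULT]
local_ip = 192.168.24.1/24
undercloud_public_host = rhosp16.knawaz.lab.jnpr
undercloud_hostname = rhosp16.knawaz.lab.jnpr
enable_novajoin=true
overcloud_domain_name=knawaz.lab.jnpr
ipa_otp= 'PLACEHOLDER-OTP'
certificate_generation_ca = IPA
generate_service_certificat = true
service_principal = haproxy/rhosp16.knawaz.lab.jnpr@KNAWAZ.LAB.JNPR
"""


def parse_default_section(conf_text):
    """Return the [DEFAULT] options as a dict (configparser lower-cases keys)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return dict(parser.defaults())


def find_misspelled_options(options, known=CERT_OPTIONS, cutoff=0.85):
    """Map each unknown key that closely resembles a known certificate
    option to the name it was probably meant to be."""
    suspects = {}
    for key in options:
        if key in known:
            continue
        match = difflib.get_close_matches(key, list(known), n=1, cutoff=cutoff)
        if match:
            suspects[key] = match[0]
    return suspects


def cert_settings(options, known=CERT_OPTIONS):
    """Certificate options as the installer would see them: values from the
    file where the key is spelled correctly, documented defaults otherwise."""
    settings = {}
    for name, default in known.items():
        settings[name] = options.get(name, default).strip().strip("'\"")
    return settings


def ca_bundle_present(path):
    """True if the CA bundle named in an error message exists on disk."""
    return os.path.isfile(path)


def report(conf_text, ca_bundle_path=None):
    """Assemble the findings as a list of human-readable lines."""
    opts = parse_default_section(conf_text)
    lines = []
    for bad, good in find_misspelled_options(opts).items():
        lines.append(f"option '{bad}' is not recognised; did you mean '{good}'?")
    for name, value in cert_settings(opts).items():
        lines.append(f"{name} = {value!r}")
    if ca_bundle_path is not None:
        state = "present" if ca_bundle_present(ca_bundle_path) else "missing"
        lines.append(f"CA bundle {ca_bundle_path}: {state}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CONF,
                       "/etc/pki/ca-trust/source/anchors/cm-local-ca.pem"):
        print(line)
```

Run against the sample, the report flags `generate_service_certificat` as a near-miss of `generate_service_certificate` and shows that, as parsed, `generate_service_certificate` is still at its default of `false` even though `certificate_generation_ca = IPA` is set. Pointing the script at the real `/home/stack/undercloud.conf` (`parse_default_section(open(path).read())`) gives the same view for a live file.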

                                                                   
