OCTAVIA SSL ERROR
Hello, I have a problem with my Octavia configuration.
I repeatedly get a BAD_SIGNATURE error when creating a load balancer:
[root@controller certs]# openstack loadbalancer create --project admin --vip-subnet-id lb-mgmt-net --name test1
or
[root@controller certs]# openstack loadbalancer create --project admin --vip-subnet-id selfservice --name test1
This is the log:
tail -f /var/log/octavia/worker.log
WARNING octavia.amphorae.drivers.haproxy.rest_api_driver [-] Could not connect to instance. Retrying.:
SSLError: [SSL: BAD_SIGNATURE] bad signature (_ssl.c:579)
ERROR octavia.amphorae.drivers.haproxy.rest_api_driver [-] Connection retries (currently set to 1500) exhausted. The amphora is unavailable. Reason: [SSL: BAD_SIGNATURE] bad signature (_ssl.c:579)
ERROR octavia.controller.worker.tasks.amphora_driver_tasks [-] Amphora compute instance failed to become reachable. This either means the compute driver failed to fully boot the instance inside the timeout interval or the instance is not reachable via the lb-mgmt-net.: TimeOutException: contacting the amphora timed out
These are the logs of the amphora agent:
root@amphora-a493b3df-6005-4b4b-aebd-5e1f03640163:/# tail -f /var/log/amphora-agent.log
[2019-01-25 15:05:52 +0000] [1009] [DEBUG] Failed to send error message.
[2019-01-25 15:05:53 +0000] [1009] [DEBUG] Error processing SSL request.
[2019-01-25 15:05:53 +0000] [1009] [DEBUG] Invalid request from ip=::ffff:192.168.1.12: [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1977)
[2019-01-25 15:05:53 +0000] [1009] [DEBUG] Failed to send error message.
[2019-01-25 15:05:54 +0000] [1009] [DEBUG] Error processing SSL request.
192.168.1.12 is the IP of the controller's interface named brq8fa784c8-34.
This is all of my configuration:
[root@controller /]# cd /etc/octavia/xx/
[root@controller xx]# ls
client_ca openssl.cnf server_ca
[root@controller xx]#
xx is the folder where I created the certificates, based on this URL: https://docs.openstack.org/octavia/latest/admin/guides/certificates.html
cd /etc/octavia/certs/
[root@controller certs]# ls
client.cert-and-key.pem client_ca.cert.pem server_ca.cert.pem server_ca.key.pem
[root@controller octavia]# cd /var/lib/octavia/
[root@controller octavia]# ls
certs
[root@controller octavia]# cd certs/
[root@controller certs]# ls
[root@controller certs]#
[root@controller /]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
[root@controller /]#
[root@controller /]# cat /etc/centos-release
CentOS Linux release 7.5.1804 (Core)
[root@controller /]#
octavia.conf:
[DEFAULT]
transport_url = rabbit://openstack:RABBIT1@controller
[api_settings]
bind_host = 10.0.0.11
bind_port = 9876
api_handler = queue_producer
[database]
connection = mysql+pymysql://octavia:OCTAVIA1@controller/octavia
[health_manager]
bind_port = 5555
bind_ip = 10.0.0.11
controller_ip_port_list = 10.0.0.11:5555
heartbeat_key = insecure
[keystone_authtoken]
www_authenticate_uri = http://controller:5000
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = octavia
password = octavia1
[certificates]
cert_generator = local_cert_generator
ca_certificate = /etc/octavia/certs/server_ca.cert.pem
ca_private_key = /etc/octavia/certs/server_ca.key.pem
ca_private_key_passphrase = testoctavia
storage_path = /var/lib/octavia/certs
[anchor]
[networking]
allow_vip_network_id = True
allow_vip_subnet_id = True
allow_vip_port_id = True
[haproxy_amphora]
client_cert = /etc/octavia/certs/client.cert-and-key.pem
server_ca = /etc/octavia/certs/server_ca.cert.pem
connection_max_retries = 1500
connection_retry_interval = 1
rest_request_conn_timeout = 10
rest_request_read_timeout = 120
[controller_worker]
client_ca = /etc/octavia/certs/client_ca.cert.pem
amp_image_owner_id = 925760728e9f4df7b40edbe20d03baa6
amp_secgroup_list = a76168fe-6d4e-43e3-bf49-b30984cf9fd4
amp_flavor_id = 1
# ( lb-mgmt-net )
amp_boot_network_list = 8fa784c8-3475-47a3-88e0-ea61e1a5890f
amp_ssh_key_name = mykey
amp_image_tag = amphora
network_driver ...