OCTAVIA SSL ERROR

asked 2019-01-24 06:25:49 -0500


updated 2019-01-27 10:11:11 -0500

Hello, I have a problem with my Octavia configuration.

I repeatedly face a BAD_SIGNATURE error when creating a load balancer:

[root@controller certs]# openstack loadbalancer create --project admin  --vip-subnet-id lb-mgmt-net --name test1
or
[root@controller certs]# openstack loadbalancer create --project admin  --vip-subnet-id selfservice --name test1

This is the log:

tail -f /var/log/octavia/worker.log 

WARNING octavia.amphorae.drivers.haproxy.rest_api_driver [-] Could not connect to instance. Retrying.:
SSLError: [SSL: BAD_SIGNATURE] bad signature (_ssl.c:579)

ERROR octavia.amphorae.drivers.haproxy.rest_api_driver [-] Connection retries (currently set to 1500) exhausted.  The amphora is unavailable. Reason: [SSL: BAD_SIGNATURE] bad signature (_ssl.c:579)

ERROR octavia.controller.worker.tasks.amphora_driver_tasks [-] Amphora compute instance failed to become reachable. This either means the compute driver failed to fully boot the instance inside the timeout interval or the instance is not reachable via the lb-mgmt-net.: TimeOutException: contacting the amphora timed out

These are the logs of the amphora agent:

root@amphora-a493b3df-6005-4b4b-aebd-5e1f03640163:/# tail -f /var/log/amphora-agent.log 
[2019-01-25 15:05:52 +0000] [1009] [DEBUG] Failed to send error message.
[2019-01-25 15:05:53 +0000] [1009] [DEBUG] Error processing SSL request.
[2019-01-25 15:05:53 +0000] [1009] [DEBUG] Invalid request from ip=::ffff:192.168.1.12: [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1977)
[2019-01-25 15:05:53 +0000] [1009] [DEBUG] Failed to send error message.
[2019-01-25 15:05:54 +0000] [1009] [DEBUG] Error processing SSL request.

192.168.1.12 is the IP of the controller's interface named brq8fa784c8-34.

This is all of my configuration:

[root@controller /]# cd /etc/octavia/xx/
[root@controller xx]# ls
client_ca  openssl.cnf  server_ca
[root@controller xx]# 

xx is the folder where I created the certificates based on this URL: https://docs.openstack.org/octavia/latest/admin/guides/certificates.html

cd /etc/octavia/certs/
[root@controller certs]# ls
client.cert-and-key.pem  client_ca.cert.pem  server_ca.cert.pem  server_ca.key.pem

[root@controller octavia]# cd /var/lib/octavia/
[root@controller octavia]# ls
certs
[root@controller octavia]# cd certs/
[root@controller certs]# ls
[root@controller certs]# 


[root@controller /]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
[root@controller /]# 

[root@controller /]# cat /etc/centos-release
CentOS Linux release 7.5.1804 (Core) 
[root@controller /]#

octavia.conf:

[DEFAULT]
transport_url = rabbit://openstack:RABBIT1@controller

[api_settings]
bind_host = 10.0.0.11
bind_port = 9876
api_handler = queue_producer

[database]
connection = mysql+pymysql://octavia:OCTAVIA1@controller/octavia

[health_manager]
bind_port = 5555
bind_ip = 10.0.0.11
controller_ip_port_list = 10.0.0.11:5555
heartbeat_key = insecure

[keystone_authtoken]
www_authenticate_uri  = http://controller:5000
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = octavia
password = octavia1

[certificates]
cert_generator = local_cert_generator
ca_certificate = /etc/octavia/certs/server_ca.cert.pem
ca_private_key = /etc/octavia/certs/server_ca.key.pem
ca_private_key_passphrase = testoctavia
storage_path = /var/lib/octavia/certs

[anchor]

[networking]
allow_vip_network_id = True
allow_vip_subnet_id = True
allow_vip_port_id = True

[haproxy_amphora]
client_cert = /etc/octavia/certs/client.cert-and-key.pem
server_ca = /etc/octavia/certs/server_ca.cert.pem
connection_max_retries = 1500
connection_retry_interval = 1
rest_request_conn_timeout = 10
rest_request_read_timeout = 120

[controller_worker]
client_ca = /etc/octavia/certs/client_ca.cert.pem
amp_image_owner_id = 925760728e9f4df7b40edbe20d03baa6
amp_secgroup_list = a76168fe-6d4e-43e3-bf49-b30984cf9fd4
amp_flavor_id = 1
# (lb-mgmt-net)
amp_boot_network_list = 8fa784c8-3475-47a3-88e0-ea61e1a5890f
amp_ssh_key_name = mykey
amp_image_tag = amphora
network_driver ...

3 answers


answered 2019-02-11 11:10:12 -0500


This implies that either your client_ca.cert.pem file is bad or the client.cert-and-key.pem file is bad.

Please double check those files against the instructions here: https://docs.openstack.org/octavia/la...


Comments

In the "logs of amphora agent" section of the question, could it be because of the networking?

esxzawq (2019-02-14 23:53:03 -0500)

No, this error is clear (as openssl is with errors) that the client_ca.cert.pem file is bad or the client.cert-and-key.pem file is bad.

johnsom (2019-04-03 19:47:02 -0500)
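The file checks that johnsom's answer asks for, written out as an added shell example that is not part of this thread and not Octavia's own tooling. It assumes only the openssl command line (1.1.1 or newer) and the four file paths from the question's octavia.conf; the function names check_octavia_certs and make_test_pki are mine, and the throwaway CA the script builds when run without arguments is constructed for demonstration. It goes one step beyond the answer by also confirming that server_ca.key.pem (with its passphrase) matches server_ca.cert.pem, because the controller signs each amphora's certificate with that key.

```shell
#!/bin/sh
# Added diagnostic, not Octavia's own tooling: checks that the controller-side
# certificate files named in octavia.conf are mutually consistent.
# Assumes only the openssl CLI (1.1.1 or newer) and POSIX sh.
set -u

# check_octavia_certs CLIENT_CA CLIENT_CERT_AND_KEY SERVER_CA SERVER_CA_KEY [SERVER_CA_KEY_PASSPHRASE]
# Returns 0 when the files fit together, 1 with a reason on stdout otherwise.
check_octavia_certs() {
    client_ca=$1 client_bundle=$2 server_ca=$3 server_ca_key=$4
    passin="pass:${5:-}"

    # 1. Every file must parse and no certificate may be expired.
    for f in "$client_ca" "$client_bundle" "$server_ca"; do
        openssl x509 -in "$f" -noout 2>/dev/null \
            || { echo "$f: no readable certificate"; return 1; }
        openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 \
            || { echo "$f: certificate has expired"; return 1; }
    done
    openssl pkey -in "$client_bundle" -noout 2>/dev/null \
        || { echo "$client_bundle: no private key in the bundle"; return 1; }
    openssl pkey -in "$server_ca_key" -passin "$passin" -noout 2>/dev/null \
        || { echo "$server_ca_key: key unreadable (wrong passphrase?)"; return 1; }

    # 2. The amphora agent trusts client_ca as a CA; warn if it is not marked as one.
    openssl x509 -in "$client_ca" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
        || echo "warning: $client_ca is not marked CA:TRUE"

    # 3. The controller's client certificate must chain to client_ca; this is
    #    exactly what the amphora agent verifies during the TLS handshake.
    openssl verify -CAfile "$client_ca" "$client_bundle" 2>/dev/null | grep -q ': OK$' \
        || { echo "$client_bundle: does not chain to $client_ca"; return 1; }

    # 4. The private key in the bundle must belong to the certificate in the bundle.
    cert_pub=$(openssl x509 -in "$client_bundle" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$client_bundle" -pubout 2>/dev/null || true)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "$client_bundle: certificate and key do not match"; return 1; }

    # 5. The controller signs each amphora's certificate with server_ca.key.pem,
    #    so that key must match server_ca.cert.pem.
    ca_pub=$(openssl x509 -in "$server_ca" -noout -pubkey 2>/dev/null || true)
    ca_key_pub=$(openssl pkey -in "$server_ca_key" -passin "$passin" -pubout 2>/dev/null || true)
    [ -n "$ca_pub" ] && [ "$ca_pub" = "$ca_key_pub" ] \
        || { echo "$server_ca: does not match $server_ca_key"; return 1; }

    echo "certificate files are consistent"
}

# Build a throwaway PKI in directory $1 (constructed for demonstration only).
# Scenario "good" signs the client certificate with client_ca; "wrong-ca" signs
# it with an unrelated CA, the kind of mismatch that makes the handshake fail.
make_test_pki() {
    dir=$1 scenario=${2:-good}
    mkdir -p "$dir"
    for ca in client_ca other_ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test $ca" \
            -keyout "$dir/$ca.key" -out "$dir/$ca.cert.pem" 2>/dev/null
    done
    # Server CA with a passphrase-protected key, like ca_private_key_passphrase in the question.
    openssl req -x509 -newkey rsa:2048 -days 1 -subj "/CN=test server_ca" \
        -passout pass:testoctavia \
        -keyout "$dir/server_ca.key.pem" -out "$dir/server_ca.cert.pem" 2>/dev/null
    # Controller client key and certificate, concatenated as octavia.conf expects.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=controller" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    if [ "$scenario" = wrong-ca ]; then signer=other_ca; else signer=client_ca; fi
    openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/$signer.cert.pem" \
        -CAkey "$dir/$signer.key" -CAcreateserial -out "$dir/client.cert.pem" 2>/dev/null
    cat "$dir/client.cert.pem" "$dir/client.key" > "$dir/client.cert-and-key.pem"
}

# Usage: sh check_octavia_certs.sh CLIENT_CA CLIENT_BUNDLE SERVER_CA SERVER_CA_KEY [PASSPHRASE]
# With no arguments, demonstrate the check on the constructed PKI instead.
if [ "$#" -ge 4 ]; then
    check_octavia_certs "$@"
elif [ "$#" -eq 0 ]; then
    demo=$(mktemp -d)
    make_test_pki "$demo" good
    check_octavia_certs "$demo/client_ca.cert.pem" "$demo/client.cert-and-key.pem" \
        "$demo/server_ca.cert.pem" "$demo/server_ca.key.pem" testoctavia
    rm -rf "$demo"
fi
```

Run it on the controller with the four paths from the [certificates], [haproxy_amphora] and [controller_worker] sections plus the ca_private_key_passphrase value; a failure at step 3 or 4 points at the client_ca.cert.pem / client.cert-and-key.pem pair the answer names, a failure at step 5 at the server CA files the controller uses to issue amphora certificates.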

answered 2019-03-13 21:40:20 -0500


You should not use lb-mgmt-net as vip-subnet-id.

=as-is= openstack loadbalancer create --project admin --vip-subnet-id lb-mgmt-net --name test1

=to-be= openstack loadbalancer create --project admin --vip-subnet-id selfservice --name test1


answered 2019-01-27 11:36:38 -0500


Hi esxzawq

Is your problem solved?


Comments

Hi jckreddy, no, not yet, waiting for an answer.

esxzawq (2019-01-27 13:06:25 -0500)
