asked 2019-01-24 06:25:49 -0600

esxzawq gravatar image

updated 2019-01-27 10:11:11 -0600

hello, I have a problem in octavia configuration

I repeatedly face with BAD_SIGNATURE error on creating loadbalancer :

[root@controller certs]# openstack loadbalancer create --project admin  --vip-subnet-id lb-mgmt-net --name test1
[root@controller certs]# openstack loadbalancer create --project admin  --vip-subnet-id selfservice --name test1

this is the log :

tail -f /var/log/octavia/worker.log 

WARNING octavia.amphorae.drivers.haproxy.rest_api_driver [-] Could not connect to instance. Retrying.:
SSLError: [SSL: BAD_SIGNATURE] bad signature (_ssl.c:579)

ERROR octavia.amphorae.drivers.haproxy.rest_api_driver [-] Connection retries (currently set to 1500) exhausted.  The amphora is unavailable. Reason: [SSL: BAD_SIGNATURE] bad signature (_ssl.c:579)

ERROR octavia.controller.worker.tasks.amphora_driver_tasks [-] Amphora compute instance failed to become reachable. This either means the compute driver failed to fully boot the instance inside the timeout interval or the instance is not reachable via the lb-mgmt-net.: TimeOutException: contacting the amphora timed out

these are logs of amphora agent :

root@amphora-a493b3df-6005-4b4b-aebd-5e1f03640163:/# tail -f /var/log/amphora-agent.log 
[2019-01-25 15:05:52 +0000] [1009] [DEBUG] Failed to send error message.
[2019-01-25 15:05:53 +0000] [1009] [DEBUG] Error processing SSL request.
[2019-01-25 15:05:53 +0000] [1009] [DEBUG] Invalid request from ip=::ffff: [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1977)
[2019-01-25 15:05:53 +0000] [1009] [DEBUG] Failed to send error message.
[2019-01-25 15:05:54 +0000] [1009] [DEBUG] Error processing SSL request. is the ip of the controller's interface named brq8fa784c8-34

these are all of my configuration :

[root@controller /]# cd /etc/octavia/xx/
[root@controller xx]# ls
client_ca  openssl.cnf  server_ca
[root@controller xx]# 

xx is the folder where I create the certificates base on this URL: https://docs.openstack.org/octavia/latest/admin/guides/certificates.html

cd /etc/octavia/certs/
[root@controller certs]# ls
client.cert-and-key.pem  client_ca.cert.pem  server_ca.cert.pem  server_ca.key.pem

[root@controller octavia]# cd /var/lib/octavia/
[root@controller octavia]# ls
[root@controller octavia]# cd certs/
[root@controller certs]# ls
[root@controller certs]# 

[root@controller /]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
[root@controller /]# 

[root@controller /]# cat /etc/centos-release
CentOS Linux release 7.5.1804 (Core) 
[root@controller /]#

octavia.conf :

transport_url = rabbit://openstack:RABBIT1@controller

bind_host =
bind_port = 9876
api_handler = queue_producer

connection = mysql+pymysql://octavia:OCTAVIA1@controller/octavia

bind_port = 5555
bind_ip =
controller_ip_port_list =
heartbeat_key = insecure

www_authenticate_uri  = http://controller:5000
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = octavia
password = octavia1

cert_generator = local_cert_generator
ca_certificate = /etc/octavia/certs/server_ca.cert.pem
ca_private_key = /etc/octavia/certs/server_ca.key.pem
ca_private_key_passphrase = testoctavia
storage_path = /var/lib/octavia/certs


allow_vip_network_id = True
allow_vip_subnet_id = True
allow_vip_port_id = True

client_cert = /etc/octavia/certs/client.cert-and-key.pem
server_ca = /etc/octavia/certs/server_ca.cert.pem
connection_max_retries = 1500
connection_retry_interval = 1
rest_request_conn_timeout = 10
rest_request_read_timeout = 120

client_ca = /etc/octavia/certs/client_ca.cert.pem
amp_image_owner_id = 925760728e9f4df7b40edbe20d03baa6
amp_secgroup_list = a76168fe-6d4e-43e3-bf49-b30984cf9fd4
amp_flavor_id = 1
 # ( lb-mgmt-net )
amp_boot_network_list = 8fa784c8-3475-47a3-88e0-ea61e1a5890f     
amp_ssh_key_name = mykey
amp_image_tag = amphora
network_driver ...
edit retag flag offensive close merge delete

3 answers

Sort by ยป oldest newest most voted

answered 2019-01-27 11:36:38 -0600

jckreddy gravatar image

Hi esxzawq

Is your problem sovled ?

edit flag offensive delete link more


Hi jckreddy no, not yet, waiting for an answer

esxzawq gravatar imageesxzawq ( 2019-01-27 13:06:25 -0600 )edit

answered 2019-02-11 11:10:12 -0600

johnsom gravatar image

This implies that either your client_ca.cert.pem file is bad or the client.cert-and-key.pem file is bad.

Please double check those files against the instructions here: https://docs.openstack.org/octavia/la...

edit flag offensive delete link more


in these are logs of amphora agent: section of the question,

could it be because of the networking

esxzawq gravatar imageesxzawq ( 2019-02-14 23:53:03 -0600 )edit

No, this error is clear (as openssl is with errors) that the client_ca.cert.pem file is bad or the client.cert-and-key.pem file is bad.

johnsom gravatar imagejohnsom ( 2019-04-03 19:47:02 -0600 )edit

answered 2019-03-13 21:40:20 -0600

wby1089 gravatar image

You should not use lb-mgmt-net as vip-subnet-id.

=as-is= openstack loadbalancer create --project admin --vip-subnet-id lb-mgmt-net --name test1

=to-be= openstack loadbalancer create --project admin --vip-subnet-id selfservice --name test1

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2019-01-24 06:25:49 -0600

Seen: 949 times

Last updated: Mar 13 '19