Tripleo under/over cloud TLS via novajoin

asked 2020-04-06 09:02:46 -0500

kendrick

I am attempting to follow https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/tls_everywhere.html and get errors while running the openstack undercloud install.

2020-04-06 00:16:03.800 6639 WARNING tripleoclient.v1.tripleo_deploy.Deploy [  ] fatal: [ucloud]: FAILED! => {"changed": true, "cmd": "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s $(grep xmlrpc_uri /etc/ipa/default.conf  | cut -d/ -f3) -p nova/cloud.example.com -k /etc/novajoin/krb5.keytab", "delta": "0:00:00.743919", "end": "2020-04-06 00:16:03.748135", "msg": "non-zero return code", "rc": 9, "start": "2020-04-06 00:16:03.004216", "stderr": "Failed to parse result: PrincipalName not found.\n\nRetrying with pre-4.0 keytab retrieval method...\nFailed to parse result: PrincipalName not found.\n\nFailed to get keytab!\nFailed to get keytab", "stderr_lines": ["Failed to parse result: PrincipalName not found.", "", "Retrying with pre-4.0 keytab retrieval method...", "Failed to parse result: PrincipalName not found.", "", "Failed to get keytab!", "Failed to get keytab"], "stdout": "", "stdout_lines": []}

I have had several different types of errors.

  1. /etc/krb5.keytab is never generated.
  2. The novajoin script did not add the principal alias in FreeIPA, so trying to run ipa-getkeytab -s $(grep xmlrpc_uri /etc/ipa/default.conf | cut -d/ -f3) -p nova/cloud.example.com -k /etc/novajoin/krb5.keytab was failing.

Any suggestions on how to get this sorted out would be appreciated.
