yahoo-eng-team team mailing list archive
Message #94122
[Bug 2069149] Re: Designate DNS and SSLError 524297
Looks like a setup issue to me, not sure how it could be fixed from
neutron side, ideas?
** Changed in: neutron
Status: New => Opinion
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2069149
Title:
Designate DNS and SSLError 524297
Status in neutron:
Opinion
Bug description:
High level description
Neutron can't delete a floating IP with a DNS entry in Designate when the Designate endpoint is over HTTPS
Pre-conditions/Environment
Controller node (my-controller.example.com) with relevant packages for Ceilometer, Designate, Gnocchi, Heat, Nova, Placement. Designate is configured with WSGI and HTTPS, so API is shut down.
Network node (my-controller.example.com) with relevant packages for Neutron and OVS. Neutron also uses WSGI.
Step-by-step reproduction steps
Usage of dashboard or CLI is not relevant, result is the same.
* Create a floating IP with a DNS entry in OpenStack
* Try to delete it, get an error
Additional information
- Created a token with 'openstack token issue', used it to manually interrogate Designate API with curl, got a valid answer
- Downloaded the certificate served by Designate (https://my-controller:9001) and manually verified it against Neutron's CA file with OpenSSL utilities. The checks passed.
- The same certificate is used for multiple services such as Keystone (it is a SAN certificate) and Neutron can interrogate them successfully
- Tried to set [designate]/insecure=true in neutron.conf on network node, restarted the services, seems to have no effect on the issue
Expected output
Floating IP is deleted, DNS entry is removed
Actual output
Neutron fails to delete the IP, reports this error. Full log attached.
delete failed: No details.: keystoneauth1.exceptions.connection.SSLError: SSL exception connecting to https://my-controller.example.com:9001/v2/zones?name=my-zone.cloud.example.com.: HTTPSConnectionPool(host='my-controller.example.com', port=9001): Max retries exceeded with url: /v2/zones?name=my-zone.cloud.example.com. (Caused by SSLError(SSLError(524297, '[SSL] PEM lib (_ssl.c:4065)')))
Version:
* OpenStack version - 2024.1 Caracal, RDO distribution
* Linux distro, kernel - AlmaLinux 9.4, Linux 5.14.0-427.16.1.el9_4.x86_64;
* Deployment mechanism - Puppet Openstack modules;
Attachments
Relevant neutron log at IP deletion attempt, sanitized from sensitive info
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2069149/+subscriptions