Openstack high availability using self-signed certificate - openstack

I am working on building an openstack high availability infrastructure using pcs, corosync, self-signed certificate and haproxy.
I have successfully implemented up to keystone without the self-signed certificate. However, when I installed the certificate, I get the error below. I have searched the internet based on the errors received but found nothing.
The link below was used to generate the certificate:
https://ubuntu.com/server/docs/security-certificates#generating-a-csr
openstack user list
Failed to discover available identity versions when contacting https://VIP-hostname:5000/v3. Attempting to parse version from URL.
SSL exception connecting to https://VIP-hostname:5000/v3/auth/tokens: HTTPSConnectionPool(host='VIP-hostname', port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLZeroReturnError(6, 'TLS/SSL connection has been closed (EOF) (_ssl.c:997)')))
Any help will be highly appreciated.
Thank you

Related

The SSL connection could not be established

I am using a third-party library (MinIO dotnet SDK) in my .NET application. I successfully send the requests on localhost, but when published on the IIS server, the requests are met with the following error.
MinIO API responded with message=Connection error:The SSL connection could not be established, see inner exception.. Status code=0, response=The SSL connection could not be established, see inner exception., content=
Same problem here this week.
We had to install the (root) certificate we used for our minio/S3 server on the machine we ran our application on.
If you don't want to use SSL, you have to use MinioClient.WithSsl(false).

Authentication failed because the remote party sent a TLS alert when invoking a 3rd party API

I have a Blazor Server Application that is invoking a 3rd party API using IHttpClientFactory. When I execute the calling code on my local Windows 11 machine I receive the exception below. However, If I run the same code from an Azure Web App, the API is called successfully.
Error: System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
System.Security.Authentication.AuthenticationException: Authentication failed because the remote party sent a TLS alert: '112'.
I have attempted setting the Security protocol to TLS1.2 using the ServicePointManager, however, this does not make a difference. I have run Wireshark to glean some additional information, but all I can see is that my machine is initiating the call with TLS 1.2.
Does anyone have an idea as to why my code works in Azure, but not in my local development environment?
According to the behavior in the Azure web app, I think the issue should be related to the environment.
And if you have a PC with another OS version, you can test it, and it should work normally.
And I found the workaround in Win11. You can add the registry key and remove the code to set the protocol to TLS1.2, and the TLS handshake worked from your Windows 11 system.

unable to send API request to Solana devnet

I'm doing the following tutorial of creating tokens on Solana.
https://spl.solana.com/token
and it seems that all requests to Solana devnet are failing
$spl-token create-token
Creating token 2rxgzZ1tk692aZJXDz8NhTkVXQWB396Z3L21nTUYWCFi
error sending request for url (https://api.devnet.solana.com/): error trying to connect: invalid certificate: UnknownIssuer
I'm not so much of an expert when it comes to networks, but I thought it was a permission issue in the firewall, as I am currently working on this in a corporate environment.
But as I tested with telnet, it doesn't seem like a firewall issue.
147.28.33.107 is an IP address of the Solana devnet network.
telnet 147.28.33.107 80
I have a similar problem but I sorted it out by specifying the path to my-keypair.json.

API request and Error in curl::curl_fetch_memory(url, handle = handle) : SSL certificate problem: certificate has expired

I was running the code for months without any issues, and couple days before.
GET(url="myurl", query)
Today I've got an error
Error in curl::curl_fetch_memory(url, handle = handle) :
SSL certificate problem: certificate has expired
The SSL cert on the site is active and ends in a year.
Also the same GET request is working via browser....
What is the issue? 🤷‍♂️
Try testing your server with this tool: https://www.ionos.com/tools/ssl-checker and see if it says that it is "not installed correctly".
If you find that it has been working historically but recently stopped, you likely have an invalid chain of trust. Recently, a common root CA certificate expired. Your server may be using this and sending it as part of its chain of certificates it sends to clients. If that is the case, and it is this recently-expired root CA, your fix will most likely look like removing that root certificate from your bundle. So you'd include the intermediate certificates still, but exclude the root. You can then use these tools to revalidate if things are set up correctly.
You can also see the chain and some of the validity information using this tool: https://www.sslshopper.com/ssl-checker.html

Juju vault causing problems when deploying openstack/base on maas and charmed-kubernetes

I have deployed openstack/base on MaaS as indicated here. After I tried to deploy charmed-kubernetes with an openstack-integrator and vault overlay, I cannot perform openstackclient commands on the maas node and the images uploaded to the dashboard are not recognized, that means, the ubuntu charms cannot be deployed. When I do, for example,
openstack catalog list
I get
Failed to discover available identity versions when contacting https://keystone_ip:5000/v3. Attempting to parse version from URL.
SSL exception connecting to https://keystone_ip:5000/v3/auth/tokens: HTTPSConnectionPool(host='keystone_ip', port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)')))
However, when I ssh into the keystone container, there is a keystone_juju_ca_cert.crt which has as
Issuer: CN = Vault Root Certificate Authority (charm-pki-local)
and as
Subject: CN = Vault Root Certificate Authority (charm-pki-local)
I have also tried to reissue the certificates and refresh the secrets through actions in the vault application, but to no avail.
Can somebody help me here?
I don't know anything about juju or openstack, but it looks to me like the problem isn't on the keystone container, but on your local machine (or wherever you are running this openstack catalog list command). The local machine doesn't appear to have the charm-pki-local CA certificate installed, so it can't verify the connection to the keystone server.
You need to get the root CA from vault using juju and then reference that file in the openrc file as the OS_CACERT environment variable.
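The diagnosis in the two answers above can be reproduced offline. The following is an added example, not code from the original posts: it builds a throwaway root CA and server certificate, then shows the "unable to get local issuer certificate" verdict disappearing once the client is given the CA file. The certificate names, file names and function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed throwaway PKI: a private root CA and a server certificate it
# signs. All names are hypothetical; nothing here contacts a real endpoint.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Root CA (constructed)" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=keystone.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/srv.csr" -days 1 -CAcreateserial \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -out "$d/srv.crt" 2>/dev/null
}

# Succeeds when Subject equals Issuer, i.e. the file is a self-signed root
# like the keystone_juju_ca_cert.crt described in the question.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# Prints OpenSSL's verdict for certificate $1. The optional $2 is the CA file
# the client trusts, the role OS_CACERT plays for the openstack CLI.
verify_result() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" 2>&1
    else
        openssl verify "$1" 2>&1
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { rm -rf "$d"; return 1; }
    is_self_signed "$d/ca.crt" && echo "ca.crt is a self-signed root"
    echo "client without the CA:"; verify_result "$d/srv.crt" || true
    echo "client with the CA:";    verify_result "$d/srv.crt" "$d/ca.crt"
    rm -rf "$d"
}
demo
```

The server certificate is unchanged between the two checks; only the client's trust input differs, which is why the fix belongs on the machine running the client rather than on the keystone container.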
