VIO LDAP configuration fails with the error: Task execution failed
Article ID: 340373
Products
VMware
VMware Integrated OpenStack
Issue/Introduction
Symptoms:
- Configuring LDAP authentication in the VMware Integrated OpenStack Plugin UI fails with the error:
Task execution failed: Task failed on the following nodes: ['<Controller-VM-IP>', '<Controller-VM-IP>']. Refer logs for more details.
- In the /var/log/jarvis/ansible.log file on the OpenStack Management Server (OMS), you see entries similar to:
2017-07-03 20:39:56,554 p=8210 u=jarvis | TASK: [keystone | copy the LDAP certificates to keystone and ca-certificates] ***
2017-07-03 20:39:57,043 p=8210 u=jarvis | failed: [192.168.110.157] => (item=/etc/keystone/ssl/certs) => {"changed": true, "cmd": "cp /tmp/certs/* \"/etc/keystone/ssl/certs\"", "delta": "0:00:00.172060", "end": "2017-07-03 20:37:31.732914", "item": "/etc/keystone/ssl/certs", "rc": 1, "start": "2017-07-03 20:37:31.560854", "warnings": []}
2017-07-03 20:39:57,044 p=8210 u=jarvis | stderr: cp: cannot stat ‘/tmp/certs/*’: No such file or directory
2017-07-03 20:39:57,047 p=8210 u=jarvis | failed: [192.168.110.158] => (item=/etc/keystone/ssl/certs) => {"changed": true, "cmd": "cp /tmp/certs/* \"/etc/keystone/ssl/certs\"", "delta": "0:00:00.237841", "end": "2017-07-03 20:39:57.027701", "item": "/etc/keystone/ssl/certs", "rc": 1, "start": "2017-07-03 20:39:56.789860", "warnings": []}
2017-07-03 20:39:57,048 p=8210 u=jarvis | stderr: cp: cannot stat ‘/tmp/certs/*’: No such file or directory
2017-07-03 20:39:57,248 p=8210 u=jarvis | failed: [192.168.110.158] => (item=/usr/local/share/ca-certificates) => {"changed": true, "cmd": "cp /tmp/certs/* \"/usr/local/share/ca-certificates\"", "delta": "0:00:00.017487", "end": "2017-07-03 20:39:57.232547", "item": "/usr/local/share/ca-certificates", "rc": 1, "start": "2017-07-03 20:39:57.215060", "warnings": []}
2017-07-03 20:39:57,248 p=8210 u=jarvis | stderr: cp: cannot stat ‘/tmp/certs/*’: No such file or directory
2017-07-03 20:39:57,306 p=8210 u=jarvis | failed: [192.168.110.157] => (item=/usr/local/share/ca-certificates) => {"changed": true, "cmd": "cp /tmp/certs/* \"/usr/local/share/ca-certificates\"", "delta": "0:00:00.029702", "end": "2017-07-03 20:37:31.990016", "item": "/usr/local/share/ca-certificates", "rc": 1, "start": "2017-07-03 20:37:31.960314", "warnings": []}
2017-07-03 20:39:57,306 p=8210 u=jarvis | stderr: cp: cannot stat ‘/tmp/certs/*’: No such file or directory
2017-07-03 20:39:57,330 p=8210 u=jarvis | FATAL: all hosts have already failed -- aborting
Environment
VMware Integrated OpenStack 3.1.x
VMware Integrated OpenStack 3.0.x
Cause
This issue occurs because the CA certificate supplied in the LDAP configuration has no subject name. The certificate fails validation, so no certificate file is staged in /tmp/certs on the controllers and the copy task fails.
Resolution
To resolve this issue:
- Log in to the OMS through SSH as viouser.
- Check whether the configured LDAP certificate has a subject by running this command:
sudo viocli show -i | grep "ldap_certificate" | awk -F ' ' '{print $3}' | base64 -d | openssl x509 -noout -subject
For example:
- If the LDAP certificate does not have a subject, you see output similar to:
viouser@oms:~$ sudo viocli show -i | grep "ldap_certificate" | awk -F ' ' '{print $3}' | base64 -d | openssl x509 -noout -subject
[sudo] password for viouser:
subject=
- If the LDAP certificate has a subject, you see output similar to:
viouser@oms:~$ sudo viocli show -i | grep "ldap_certificate" | awk -F ' ' '{print $3}' | base64 -d | openssl x509 -noout -subject
[sudo] password for viouser:
subject= /DC=local/DC=corp/CN=CONTROLCENTER-CA
- If the CA certificate does not have a subject name, obtain a new CA certificate that has a subject name and use that certificate in the LDAP configuration.
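As an added example (not code from the article or from VIO), the following Python re-implements the base64 -d | openssl x509 -noout -subject check with only the standard library, so an empty-subject CA can be flagged before the LDAP task is run. It assumes, as the article's pipeline does, that the ldap_certificate value is base64 over a PEM certificate; the sample certificates it builds are constructed and unsigned, not real CA certificates.

```python
import base64

# Added example: minimal DER walk to read the subject of an X.509 certificate,
# reproducing the article's openssl check without needing openssl on the host.

def _tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value):
    """Split a constructed DER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

_ATTR = {b"\x55\x04\x03": "CN", b"\x09\x92\x26\x89\x93\xf2\x2c\x64\x01\x19": "DC"}

def subject_of(ldap_certificate_b64):
    """Return the subject in openssl's /DC=.../CN=... form; '' means an empty subject."""
    pem = base64.b64decode(ldap_certificate_b64).decode()
    body = "".join(ln for ln in pem.splitlines() if not ln.startswith("-----"))
    _, cert, _ = _tlv(base64.b64decode(body), 0)       # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])           # tbsCertificate fields
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    subject = fields[4][1]    # serialNumber, signature, issuer, validity, subject, ...
    parts = []
    for _, rdn in _children(subject):                   # RelativeDistinguishedName ::= SET
        for _, atv in _children(rdn):                   # AttributeTypeAndValue ::= SEQUENCE
            oid, val = _children(atv)
            parts.append("/%s=%s" % (_ATTR.get(oid[1], oid[1].hex()), val[1].decode()))
    return "".join(parts)

def _der(tag, *parts):
    """Minimal DER encoder, used only to build the constructed sample certificates."""
    body = b"".join(parts)
    length = bytes([len(body)]) if len(body) < 128 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body

def constructed_cert(*subject_rdns):
    """Constructed, unsigned certificate skeleton with the given subject, stored as viocli stores it."""
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), _der(0x30), _der(0x30),
               _der(0x30, _der(0x17, b"170101000000Z")), _der(0x30, *subject_rdns), _der(0x30))
    der = _der(0x30, tbs, _der(0x30), _der(0x03, b"\x00"))
    pem = "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()
    return base64.b64encode(pem.encode()).decode()

DC_LOCAL = _der(0x31, _der(0x30, _der(0x06, b"\x09\x92\x26\x89\x93\xf2\x2c\x64\x01\x19"), _der(0x16, b"local")))
CN_CA = _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03"), _der(0x0c, b"CONTROLCENTER-CA")))
```

Feed subject_of() the value printed by sudo viocli show -i for ldap_certificate; an empty string is the condition this article describes.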