hook failed: "certificates-relation-changed" for vault:certificates due to SSLCertificateFile: file '/etc/apache2/ssl/keystone/cert_XXX' does not exist or is empty
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Keystone Charm | Fix Released | Critical | Frode Nordahl |
Bug Description
Steps to reproduce:
1. Deploy https:/
2. Add Vault and initialize according to https:/
3. Add certificate lifecycle management according to https:/
The Keystone charm will never finish the process.
In the logs you will find this:
2019-04-03 07:08:28 DEBUG certificates-
2019-04-03 07:08:28 DEBUG certificates-
2019-04-03 07:08:28 DEBUG certificates-
2019-04-03 07:08:28 DEBUG certificates-
2019-04-03 07:08:28 DEBUG certificates-
journalctl shows this:
Apr 03 07:08:28 juju-7aa29b-3-lxd-1 systemd[1]: apache2.service: Failed to reset devices.list: Operation not permitted
Apr 03 07:08:28 juju-7aa29b-3-lxd-1 systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit apache2.service has begun start-up
-- Defined-By: systemd
-- Support: http://
--
-- Unit apache2.service has begun starting up.
Apr 03 07:08:28 juju-7aa29b-3-lxd-1 apachectl[56435]: AH00526: Syntax error on line 8 of /etc/apache2/
Apr 03 07:08:28 juju-7aa29b-3-lxd-1 apachectl[56435]: SSLCertificateFile: file '/etc/apache2/
Apr 03 07:08:28 juju-7aa29b-3-lxd-1 apachectl[56435]: Action 'start' failed.
Apr 03 07:08:28 juju-7aa29b-3-lxd-1 apachectl[56435]: The Apache error log may have more information.
Apr 03 07:08:28 juju-7aa29b-3-lxd-1 systemd[1]: apache2.service: Control process exited, code=exited status=1
Apr 03 07:08:28 juju-7aa29b-3-lxd-1 systemd[1]: apache2.service: Failed with result 'exit-code'.
Apr 03 07:08:28 juju-7aa29b-3-lxd-1 systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit apache2.service has failed
-- Defined-By: systemd
-- Support: http://
--
-- Unit apache2.service has failed.
--
-- The result is RESULT.
Manually starting apache2 will resolve the issue.
This appears to be a race condition where we attempt to (re)start the Apache process before the certificate data is written to disk.
Changed in charm-keystone:
assignee: nobody → Frode Nordahl (fnordahl)
Changed in charm-keystone:
status: Triaged → In Progress
Changed in charm-keystone:
status: Fix Committed → Fix Released
This appears to be happening only when the certificates relation is added post deploy.
I still think this is a critical issue though, since following the referenced documentation leads you straight into this bug.
The issue can consistently be reproduced and I'm working on adding a functional test to this effect along with a fix for the bug.
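One way to guard against the race described in this report is to check the certificate and key files referenced by the rendered vhost before restarting Apache. This is an added example, not the charm's code or the fix that was released; the function names are hypothetical and the vhost text and file paths are constructed for the demonstration.

```python
import os
import re
import tempfile

# Apache mod_ssl directives whose argument is a file that must exist at start-up.
TLS_FILE_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile",
                       "SSLCertificateChainFile", "SSLCACertificateFile")
_DIRECTIVE_RE = re.compile(
    r'^\s*(%s)\s+("[^"]+"|\S+)' % "|".join(TLS_FILE_DIRECTIVES),
    re.IGNORECASE | re.MULTILINE)


def unready_tls_files(conf_text):
    """Return [(directive, path, reason)] for referenced files Apache would reject."""
    problems = []
    for directive, raw_path in _DIRECTIVE_RE.findall(conf_text):
        path = raw_path.strip('"')
        if not os.path.isfile(path):
            problems.append((directive, path, "missing"))
        elif os.path.getsize(path) == 0:
            problems.append((directive, path, "empty"))
    return problems


def safe_to_restart(conf_text):
    """True only when every referenced certificate/key file is on disk and non-empty."""
    return not unready_tls_files(conf_text)


def demo():
    """Constructed scenario: vhost rendered first, certificate data written afterwards."""
    with tempfile.TemporaryDirectory() as d:
        cert, key = os.path.join(d, "cert_example"), os.path.join(d, "key_example")
        conf = ("<VirtualHost *:443>\n"
                "    SSLEngine on\n"
                "    # SSLCertificateFile /old/commented/out\n"
                f"    SSLCertificateFile {cert}\n"
                f'    SSLCertificateKeyFile "{key}"\n'
                "</VirtualHost>\n")
        open(key, "w").close()                      # key file created but still empty
        before = unready_tls_files(conf)            # state at the premature restart
        for p in (cert, key):                       # certificate data lands on disk
            with open(p, "w") as f:
                f.write("-----BEGIN PLACEHOLDER-----\n")
        return before, safe_to_restart(conf)


if __name__ == "__main__":
    print(demo())
```

A hook that defers the restart while `unready_tls_files` returns anything avoids leaving apache2 in the failed state shown in the journal; the check covers presence and size only, not whether the PEM content is valid.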