update-ca-certificates should be used with --fresh when changing trusted_ssl_ca
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
charm-openstack-service-checks | Fix Released | Undecided | Chi Wai CHAN |
Bug Description
Performing a clean deployment of o-s-c with an incorrect `trusted_ssl_ca`, for example, an empty input or combined certificates, the `update-
```
/etc/ssl/certs$ ls -l | grep openstack-
lrwxrwxrwx 1 root root 61 Feb 22 09:15 openstack-
```
Further re-configuring `trusted_ssl_ca` will not create the missing link because the charm runs `update-
```
/etc/ssl/certs$ sudo update-
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-
done.
/etc/ssl/certs$ sudo update-
Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates
125 added, 0 removed; done.
Running hooks in /etc/ca-
done.
/etc/ssl/certs$ ls -l | grep openstack-
lrwxrwxrwx 1 root root 61 Feb 22 09:15 openstack-
/etc/ssl/certs$ ls -l | grep openstack-
lrwxrwxrwx 1 root root 28 Feb 22 09:21 8d2fba8c.0 -> openstack-
lrwxrwxrwx 1 root root 61 Feb 22 09:21 openstack-
```
Note, the missing symlink is important for `check_ssl_cert` to find the certificates and work properly. Also, see the attachment for complete stdout output.
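A structural check for the state described above, added here as an example (not code from the charm or from the bug report): it lists certificate entries in a certs directory that no hash-named symlink such as `8d2fba8c.0` resolves to, and counts PEM blocks so empty or combined inputs stand out. The function names and the sample directory are constructed for illustration, and the check does not recompute the OpenSSL subject hash.

```python
import os
import re
import tempfile

HASH_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")  # hash-style name, e.g. 8d2fba8c.0
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"


def audit_cert_dir(certs_dir):
    """Return {name: (pem_count, has_hash_link)} for each .pem/.crt entry."""
    entries = os.listdir(certs_dir)
    # Real paths that some hash-named symlink resolves to.
    hashed = {
        os.path.realpath(os.path.join(certs_dir, e))
        for e in entries
        if HASH_LINK.match(e) and os.path.islink(os.path.join(certs_dir, e))
    }
    report = {}
    for e in sorted(entries):
        path = os.path.join(certs_dir, e)
        if not e.endswith((".pem", ".crt")) or not os.path.isfile(path):
            continue
        with open(path, errors="replace") as fh:
            pem_count = fh.read().count(PEM_BEGIN)
        report[e] = (pem_count, os.path.realpath(path) in hashed)
    return report


def missing_hash_links(certs_dir):
    """Names of certificate entries that no hash symlink points at."""
    return [n for n, (_, linked) in audit_cert_dir(certs_dir).items() if not linked]


def build_demo_dir():
    """Constructed sample directory: one linked CA, one empty, one combined."""
    d = tempfile.mkdtemp()
    body = PEM_BEGIN + "\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
    for name, text in (("good-ca.pem", body), ("empty-ca.pem", ""),
                       ("combined-ca.pem", body + body)):
        with open(os.path.join(d, name), "w") as fh:
            fh.write(text)
    os.symlink("good-ca.pem", os.path.join(d, "0a1b2c3d.0"))  # constructed hash name
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    for name, (count, linked) in audit_cert_dir(demo).items():
        print(f"{name}: {count} certificate(s), hash link: {'yes' if linked else 'MISSING'}")
```

Run against `/etc/ssl/certs`, the bundle `ca-certificates.crt` is also reported as unlinked, which is expected because rehash skips it, as the warning in the output above shows.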
Related branches
- Eric Chen: Approve
- 🤖 prod-jenkaas-bootstack: Approve (continuous-integration)
- JamesLin: Approve
- BootStack Reviewers: Pending requested
Diff: 68 lines (+10/-4), 3 files modified
- src/README.md (+5/-2)
- src/config.yaml (+4/-1)
- src/reactive/openstack_service_checks.py (+1/-1)
tags: added: bseng-935
Changed in charm-openstack-service-checks:
assignee: nobody → Chi Wai CHAN (raychan96)
status: New → Fix Committed
Changed in charm-openstack-service-checks:
milestone: none → 23.04
Changed in charm-openstack-service-checks:
status: Fix Committed → Fix Released