** Description changed:

+
+ [IMPACT]
+
+ Critical. Enabling SSL for services in the Keystone catalog does not
+ function with certain types of certificates, e.g. wildcard certificates.
+
+ [TESTCASE]
+
+ Put services in the keystone catalog behind a service that terminates
+ SSL with wildcard certificates, and the client will receive SSL errors.
+
+ [Regression Potential]
+
+ Minimal. The one-line patch simply fixes the argument handling of the
+ Keystone client to ensure SSL connections work correctly in all cases.
+
Hi guys,

I've successfully deployed and tested keystone and wanted to stick some
SSL in front of it. I used the nginx puppet module provided here
https://github.com/NeCTAR-RC/puppet-nginx and seemed to successfully
deploy the module. I've updated all my endpoints to be https:// and also
updated my "auth.rc" file for the same.

When I run "keystone user-list" I get the following error:

  Unable to communicate with identity service: [Errno 185090050]
  _ssl.c:340: error:0B084002:x509 certificate routines:
  X509_load_cert_crl_file:system lib. (HTTP 400)

When I run "keystone --insecure user-list" I get the correct output, so I
know the SSL is working ok and I'm affected by a verification issue.
Same when using keystone-init:

  # ./keystone-init.py config.yaml
  No handlers could be found for logger "keystoneclient.client"
  Traceback (most recent call last):
+   File "./keystone-init.py", line 97, in <module>
+     configure_keystone(config)
+   File "./keystone-init.py", line 28, in configure_keystone
+     default_tenant = create_default_tenant(keystone, config)
+   File "./keystone-init.py", line 43, in create_default_tenant
+     enabled=True)
+   File "/usr/lib/python2.7/dist-packages/keystoneclient/v2_0/tenants.py", line 83, in create
+     return self._create('/tenants', params, "tenant")
+   File "/usr/lib/python2.7/dist-packages/keystoneclient/base.py", line 82, in _create
+     resp, body = self.api.post(url, body=body)
+   File "/usr/lib/python2.7/dist-packages/keystoneclient/client.py", line 174, in post
+     return self._cs_request(url, 'POST', **kwargs)
+   File "/usr/lib/python2.7/dist-packages/keystoneclient/client.py", line 155, in _cs_request
+     **kwargs)
+   File "/usr/lib/python2.7/dist-packages/keystoneclient/client.py", line 135, in request
+     raise exceptions.from_response(resp, body)
  keystoneclient.exceptions.BadRequest: Unable to communicate with identity
  service: [Errno 1] _ssl.c:504: error:14090086:SSL routines:
  SSL3_GET_SERVER_CERTIFICATE:certificate verify failed. (HTTP 400)

...and if I modify keystone-init.py to add insecure=True to the client
call, it works fine.

However this is where I'm stumped, as the certificate I'm using is a
wildcard *.example.com style certificate, and it works on all the other
services (email, apache, etc.) which we deploy it for. I also note that if
I point my browser to https://keystone-int.example.com:5000 that my
Mozilla claims the certificate is correctly verified by our provider
(GoDaddy).

I'd really like a better understanding of why the keystoneclient thinks my
cert isn't verified when Firefox is fine with it. As far as I can see, the
GoDaddy certs are present in both /etc/ssl/certs as well as in the
cacerts.txt file of python-httplib2, and I added our private key into
/etc/ssl/private. So it would be unlikely that we are missing an
intermediate certificate.

Using --insecure is all well and good for the CLI, but what about the
keystone stuff in swift, nova and glance? Will I have to specify insecure
everywhere and ask our clients to use --insecure?

Would really appreciate some help around this issue as it's a major
roadblock to moving forward.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1064835

Title:
  [SRU] keystoneclient fails on SSL certificates that work for other
  services

To manage notifications about this bug go to:
https://bugs.launchpad.net/python-keystoneclient/+bug/1064835/+subscriptions

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
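The report above shows two distinct client-side failures: the first error string comes from OpenSSL's certificate-file loader (X509_load_cert_crl_file, failing with a system error before any server is contacted), the second is a handshake-time "certificate verify failed". The example below is added here and is not code from the bug report or from python-keystoneclient. It uses only the Python 3 standard library to show what a client has to get right for a wildcard certificate: the RFC 6125 matching rules (why "*.example.com" covers "keystone-int.example.com" but not the bare "example.com" or "a.b.example.com"), the difference between a CA bundle that cannot be loaded and a chain that does not verify, and exactly what "--insecure" / "insecure=True" gives up. The certificate dicts and the file path are constructed for illustration; the dicts follow the shape returned by ssl.SSLSocket.getpeercert().

```python
"""Added example (not from the bug report or python-keystoneclient):
wildcard hostname matching and verifying vs. insecure TLS client contexts.
Standard library only; certificate dicts below are constructed by hand."""
import ssl


def dnsname_matches(pattern, hostname):
    """RFC 6125 style match: case-insensitive; '*' allowed only as the whole
    leftmost label and stands for exactly one label. So '*.example.com'
    matches 'keystone-int.example.com' but neither 'example.com' nor
    'a.b.example.com'; partial wildcards like 'keystone-*' are rejected."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False                      # wildcard never spans label counts
    if any("*" in lbl for lbl in p_labels[1:]):
        return False                      # wildcard only in the leftmost label
    if "*" in p_labels[0] and p_labels[0] != "*":
        return False                      # no partial wildcards
    if p_labels[0] == "*" and len(p_labels) < 2:
        return False                      # a bare '*' would match anything
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def cert_names(cert):
    """Names to match against: every DNS subjectAltName entry; the subject
    commonName is consulted only when the certificate carries no SAN."""
    san = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def cert_matches_hostname(cert, hostname):
    return any(dnsname_matches(name, hostname) for name in cert_names(cert))


# Constructed peer certificates (shape of ssl.SSLSocket.getpeercert()).
WILDCARD_SAN_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
WILDCARD_CN_ONLY_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
}


def verifying_context(cafile=None):
    """What a client without --insecure must do: require a chain to a trusted
    CA and check the hostname. A cafile that cannot be opened fails here, at
    load time, with an OSError; that is a different failure from
    'certificate verify failed', which can only arise during the handshake."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def insecure_context():
    """What --insecure / insecure=True gives up: no chain validation and no
    hostname check, so any certificate, an attacker's included, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def ca_bundle_loads(cafile):
    """True if the CA bundle path can be loaded, False if OpenSSL cannot
    read it (wrong path, unreadable file, or no certificates inside)."""
    try:
        verifying_context(cafile)
    except OSError:                       # ssl.SSLError is an OSError too
        return False
    return True


if __name__ == "__main__":
    for host in ("keystone-int.example.com", "example.com", "a.b.example.com"):
        print(host, "SAN cert:", cert_matches_hostname(WILDCARD_SAN_CERT, host),
              "CN-only cert:", cert_matches_hostname(WILDCARD_CN_ONLY_CERT, host))
    print("bundle at /nonexistent/ca.pem loads:", ca_bundle_loads("/nonexistent/ca.pem"))
```

The practical check this gives you: if a client reports an X509 file-loading error, inspect the CA bundle path the client actually passes to its HTTP library before looking at the certificate chain at all; if it reports "certificate verify failed" while a browser accepts the same endpoint, compare the names the client matches against (SAN first, CN only as fallback) and the CA bundle the client uses, which is not necessarily the system store in /etc/ssl/certs.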
