Public bug reported:

When Trove attempts to create a Keystone session using service credentials,
the SSL verification options defined under [keystone_authtoken] are ignored.

As a result, Trove fails to authenticate against Keystone deployments that use
self-signed certificates or private CAs, producing SSL verification errors
similar to the following:

SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed:
self-signed certificate in the certificate chain

This happens because get_keystone_session() creates a keystoneauth1 Session
without passing the 'verify' parameter, so keystone_authtoken.insecure and
keystone_authtoken.cafile settings are not honored.

Other OpenStack services explicitly propagate these SSL-related options when
creating Keystone sessions.

Steps to Reproduce:
1. Deploy Keystone with a self-signed certificate or private CA.
2. Configure Trove to use Keystone v3 authentication.
3. Set keystone_authtoken.insecure = true
   OR configure keystone_authtoken.cafile.
4. Start Trove services.
5. Observe Trove failing to authenticate with Keystone.

Expected Result:
Trove should respect keystone_authtoken.insecure and keystone_authtoken.cafile
settings when establishing a Keystone session.


Actual Result:
Trove fails with SSL certificate verification errors.

Proposed Fix:
Pass the SSL verification options derived from keystone_authtoken.insecure
and keystone_authtoken.cafile into keystoneauth1.session.Session()
when creating the Keystone session.
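The mapping the proposed fix needs, as an added illustration that is not code from the Trove project or from the reporter: keystoneauth1's Session takes the same verify argument as requests (False to skip verification, a path to trust a specific CA bundle, True for the system trust store), so the two [keystone_authtoken] options have to be folded into one value before the Session is built. The function names, the SimpleNamespace stand-in for oslo.config's CONF, and the rule that insecure takes precedence over cafile are assumptions made here for the example.

```python
"""Derive keystoneauth1's 'verify' argument from [keystone_authtoken] options."""
from types import SimpleNamespace


def verify_from_authtoken(insecure, cafile):
    """Map keystone_authtoken.insecure / cafile to a requests-style 'verify'.

    Precedence is an assumption for this example: an explicit insecure=True
    disables verification even if a cafile is also configured, and a cafile
    without insecure pins trust to that bundle. With neither set, the system
    trust store is used, which is what keystoneauth1 does by default.
    """
    if insecure:
        return False          # skip certificate checks entirely
    if cafile:
        return cafile         # trust only the private CA bundle at this path
    return True               # default: system trust store


def make_keystone_session(conf, auth=None):
    """Build a keystoneauth1 Session that honours the SSL options.

    'conf' is any object exposing conf.keystone_authtoken.insecure and
    conf.keystone_authtoken.cafile (oslo.config's CONF does). keystoneauth1
    is imported lazily so the pure mapping above can be exercised offline.
    """
    from keystoneauth1 import session as ks_session

    verify = verify_from_authtoken(conf.keystone_authtoken.insecure,
                                   conf.keystone_authtoken.cafile)
    # This is the argument the report says is currently missing.
    return ks_session.Session(auth=auth, verify=verify)


def describe(conf):
    """Human-readable summary of what the Session would be told to do."""
    verify = verify_from_authtoken(conf.keystone_authtoken.insecure,
                                   conf.keystone_authtoken.cafile)
    if verify is False:
        return "verification disabled (insecure=true)"
    if verify is True:
        return "system trust store"
    return f"private CA bundle {verify}"


if __name__ == "__main__":
    # Constructed configurations standing in for oslo.config sections.
    for name, section in [
        ("default", SimpleNamespace(insecure=False, cafile=None)),
        ("private CA", SimpleNamespace(insecure=False,
                                       cafile="/etc/trove/private-ca.pem")),
        ("insecure", SimpleNamespace(insecure=True, cafile=None)),
    ]:
        conf = SimpleNamespace(keystone_authtoken=section)
        print(f"{name}: {describe(conf)}")
```

Only the cafile and default branches keep certificate validation; a deployment with a private PKI should prefer cafile, since insecure=true disables the check for every Keystone call the session makes.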


Affects:
- Trove (all supported releases)


This issue affects deployments using internal or private PKI setups,
which are common in production OpenStack environments.

** Affects: openstack-trove (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2137179

Title:
  Trove fails to authenticate with Keystone when using self-signed
  certificates
