OpenStack Identity (keystone)

SSLTestCase errors when building Debian package

Bug #1435174 reported by Thomas Goirand
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Medium
Morgan Fainberg
OpenStack Identity (keystone) 2015.1.0 "kilo"

Bug Description

Hi,

I get the bellow issues when building Keystone in Debian (Jessie chroot using sbuild). Help from the keystone team would be appreciate to resolve this. Cheers! :)

======================================================================
FAIL: keystone.tests.unit.test_ssl.SSLTestCase.test_2way_ssl_with_ipv6_ok
----------------------------------------------------------------------
Traceback (most recent call last):
_StringException: Traceback (most recent call last):
_StringException: Empty attachments:
  pythonlogging:''-1
  stderr
  stdout

pythonlogging:'': {{{
Adding cache-proxy 'keystone.tests.unit.test_cache.CacheIsolatingProxy' to backend.
KVS region configuration for os-revoke-driver: {'keystone.kvs.arguments.distributed_lock': True, 'keystone.kvs.arguments.lock_timeout': 6, 'keystone.kvs.backend': 'openstack.kvs.Memory'}
Using default dogpile sha1_mangle_key as KVS region os-revoke-driver key_mangler
Starting /usr/lib/python2.7/dist-packages/subunit/run.py on ::1:0
(8731) wsgi starting up on https://::1:60772/
(8731) wsgi exited, is_accepting=True
}}}

Traceback (most recent call last):
  File "/«PKGBUILDDIR»/keystone/tests/unit/test_ssl.py", line 124, in test_2way_ssl_with_ipv6_ok
    conn.request('GET', '/')
  File "/usr/lib/python2.7/httplib.py", line 1001, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1035, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 997, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 850, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 812, in send
    self.connect()
  File "/usr/lib/python2.7/httplib.py", line 1212, in connect
    server_hostname=server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 350, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 64, in __init__
    ca_certs, do_handshake_on_connect and six.PY2, *args, **kw)
  File "/usr/lib/python2.7/ssl.py", line 566, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 237, in do_handshake
    super(GreenSSLSocket, self).do_handshake)
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 109, in _call_trampolining
    return func(*a, **kw)
  File "/usr/lib/python2.7/ssl.py", line 788, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

Traceback (most recent call last):
_StringException: Empty attachments:
  pythonlogging:''-1
  stderr
  stdout

pythonlogging:'': {{{
Adding cache-proxy 'keystone.tests.unit.test_cache.CacheIsolatingProxy' to backend.
KVS region configuration for os-revoke-driver: {'keystone.kvs.arguments.distributed_lock': True, 'keystone.kvs.arguments.lock_timeout': 6, 'keystone.kvs.backend': 'openstack.kvs.Memory'}
Using default dogpile sha1_mangle_key as KVS region os-revoke-driver key_mangler
Starting /usr/lib/python2.7/dist-packages/subunit/run.py on ::1:0
(8731) wsgi starting up on https://::1:60772/
(8731) wsgi exited, is_accepting=True
}}}

Traceback (most recent call last):
  File "/«PKGBUILDDIR»/keystone/tests/unit/test_ssl.py", line 124, in test_2way_ssl_with_ipv6_ok
    conn.request('GET', '/')
  File "/usr/lib/python2.7/httplib.py", line 1001, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1035, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 997, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 850, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 812, in send
    self.connect()
  File "/usr/lib/python2.7/httplib.py", line 1212, in connect
    server_hostname=server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 350, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 64, in __init__
    ca_certs, do_handshake_on_connect and six.PY2, *args, **kw)
  File "/usr/lib/python2.7/ssl.py", line 566, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 237, in do_handshake
    super(GreenSSLSocket, self).do_handshake)
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 109, in _call_trampolining
    return func(*a, **kw)
  File "/usr/lib/python2.7/ssl.py", line 788, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

======================================================================
FAIL: keystone.tests.unit.test_ssl.SSLTestCase.test_1way_ssl_ok
----------------------------------------------------------------------
Traceback (most recent call last):
_StringException: Traceback (most recent call last):
_StringException: Empty attachments:
  pythonlogging:''-1
  stderr
  stdout

pythonlogging:'': {{{
Adding cache-proxy 'keystone.tests.unit.test_cache.CacheIsolatingProxy' to backend.
KVS region configuration for os-revoke-driver: {'keystone.kvs.arguments.distributed_lock': True, 'keystone.kvs.arguments.lock_timeout': 6, 'keystone.kvs.backend': 'openstack.kvs.Memory'}
Using default dogpile sha1_mangle_key as KVS region os-revoke-driver key_mangler
Starting /usr/lib/python2.7/dist-packages/subunit/run.py on 127.0.0.1:0
(8739) wsgi starting up on https://127.0.0.1:35201/
(8739) wsgi exited, is_accepting=True
}}}

Traceback (most recent call last):
  File "/«PKGBUILDDIR»/keystone/tests/unit/test_ssl.py", line 50, in test_1way_ssl_ok
    conn.request('GET', '/')
  File "/usr/lib/python2.7/httplib.py", line 1001, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1035, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 997, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 850, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 812, in send
    self.connect()
  File "/usr/lib/python2.7/httplib.py", line 1212, in connect
    server_hostname=server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 350, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 64, in __init__
    ca_certs, do_handshake_on_connect and six.PY2, *args, **kw)
  File "/usr/lib/python2.7/ssl.py", line 566, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 237, in do_handshake
    super(GreenSSLSocket, self).do_handshake)
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 109, in _call_trampolining
    return func(*a, **kw)
  File "/usr/lib/python2.7/ssl.py", line 788, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

Traceback (most recent call last):
_StringException: Empty attachments:
  pythonlogging:''-1
  stderr
  stdout

pythonlogging:'': {{{
Adding cache-proxy 'keystone.tests.unit.test_cache.CacheIsolatingProxy' to backend.
KVS region configuration for os-revoke-driver: {'keystone.kvs.arguments.distributed_lock': True, 'keystone.kvs.arguments.lock_timeout': 6, 'keystone.kvs.backend': 'openstack.kvs.Memory'}
Using default dogpile sha1_mangle_key as KVS region os-revoke-driver key_mangler
Starting /usr/lib/python2.7/dist-packages/subunit/run.py on 127.0.0.1:0
(8739) wsgi starting up on https://127.0.0.1:35201/
(8739) wsgi exited, is_accepting=True
}}}

Traceback (most recent call last):
  File "/«PKGBUILDDIR»/keystone/tests/unit/test_ssl.py", line 50, in test_1way_ssl_ok
    conn.request('GET', '/')
  File "/usr/lib/python2.7/httplib.py", line 1001, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1035, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 997, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 850, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 812, in send
    self.connect()
  File "/usr/lib/python2.7/httplib.py", line 1212, in connect
    server_hostname=server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 350, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 64, in __init__
    ca_certs, do_handshake_on_connect and six.PY2, *args, **kw)
  File "/usr/lib/python2.7/ssl.py", line 566, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 237, in do_handshake
    super(GreenSSLSocket, self).do_handshake)
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 109, in _call_trampolining
    return func(*a, **kw)
  File "/usr/lib/python2.7/ssl.py", line 788, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

======================================================================
FAIL: keystone.tests.unit.test_ssl.SSLTestCase.test_1way_ssl_with_ipv6_ok
----------------------------------------------------------------------
Traceback (most recent call last):
_StringException: Traceback (most recent call last):
_StringException: Empty attachments:
  pythonlogging:''-1
  stderr
  stdout

pythonlogging:'': {{{
Adding cache-proxy 'keystone.tests.unit.test_cache.CacheIsolatingProxy' to backend.
KVS region configuration for os-revoke-driver: {'keystone.kvs.arguments.distributed_lock': True, 'keystone.kvs.arguments.lock_timeout': 6, 'keystone.kvs.backend': 'openstack.kvs.Memory'}
Using default dogpile sha1_mangle_key as KVS region os-revoke-driver key_mangler
Starting /usr/lib/python2.7/dist-packages/subunit/run.py on ::1:0
(8737) wsgi starting up on https://::1:57388/
(8737) wsgi exited, is_accepting=True
}}}

Traceback (most recent call last):
  File "/«PKGBUILDDIR»/keystone/tests/unit/test_ssl.py", line 97, in test_1way_ssl_with_ipv6_ok
    conn.request('GET', '/')
  File "/usr/lib/python2.7/httplib.py", line 1001, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1035, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 997, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 850, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 812, in send
    self.connect()
  File "/usr/lib/python2.7/httplib.py", line 1212, in connect
    server_hostname=server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 350, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 64, in __init__
    ca_certs, do_handshake_on_connect and six.PY2, *args, **kw)
  File "/usr/lib/python2.7/ssl.py", line 566, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 237, in do_handshake
    super(GreenSSLSocket, self).do_handshake)
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 109, in _call_trampolining
    return func(*a, **kw)
  File "/usr/lib/python2.7/ssl.py", line 788, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

Traceback (most recent call last):
_StringException: Empty attachments:
  pythonlogging:''-1
  stderr
  stdout

pythonlogging:'': {{{
Adding cache-proxy 'keystone.tests.unit.test_cache.CacheIsolatingProxy' to backend.
KVS region configuration for os-revoke-driver: {'keystone.kvs.arguments.distributed_lock': True, 'keystone.kvs.arguments.lock_timeout': 6, 'keystone.kvs.backend': 'openstack.kvs.Memory'}
Using default dogpile sha1_mangle_key as KVS region os-revoke-driver key_mangler
Starting /usr/lib/python2.7/dist-packages/subunit/run.py on ::1:0
(8737) wsgi starting up on https://::1:57388/
(8737) wsgi exited, is_accepting=True
}}}

Traceback (most recent call last):
  File "/«PKGBUILDDIR»/keystone/tests/unit/test_ssl.py", line 97, in test_1way_ssl_with_ipv6_ok
    conn.request('GET', '/')
  File "/usr/lib/python2.7/httplib.py", line 1001, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1035, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 997, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 850, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 812, in send
    self.connect()
  File "/usr/lib/python2.7/httplib.py", line 1212, in connect
    server_hostname=server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 350, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 64, in __init__
    ca_certs, do_handshake_on_connect and six.PY2, *args, **kw)
  File "/usr/lib/python2.7/ssl.py", line 566, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 237, in do_handshake
    super(GreenSSLSocket, self).do_handshake)
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 109, in _call_trampolining
    return func(*a, **kw)
  File "/usr/lib/python2.7/ssl.py", line 788, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

======================================================================
FAIL: keystone.tests.unit.test_ssl.SSLTestCase.test_2way_ssl_ok
----------------------------------------------------------------------
Traceback (most recent call last):
_StringException: Traceback (most recent call last):
_StringException: Empty attachments:
  pythonlogging:''-1
  stderr
  stdout

pythonlogging:'': {{{
Adding cache-proxy 'keystone.tests.unit.test_cache.CacheIsolatingProxy' to backend.
KVS region configuration for os-revoke-driver: {'keystone.kvs.arguments.distributed_lock': True, 'keystone.kvs.arguments.lock_timeout': 6, 'keystone.kvs.backend': 'openstack.kvs.Memory'}
Using default dogpile sha1_mangle_key as KVS region os-revoke-driver key_mangler
Starting /usr/lib/python2.7/dist-packages/subunit/run.py on 127.0.0.1:0
(8737) wsgi starting up on https://127.0.0.1:50075/
(8737) wsgi exited, is_accepting=True
}}}

Traceback (most recent call last):
  File "/«PKGBUILDDIR»/keystone/tests/unit/test_ssl.py", line 74, in test_2way_ssl_ok
    conn.request('GET', '/')
  File "/usr/lib/python2.7/httplib.py", line 1001, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1035, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 997, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 850, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 812, in send
    self.connect()
  File "/usr/lib/python2.7/httplib.py", line 1212, in connect
    server_hostname=server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 350, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 64, in __init__
    ca_certs, do_handshake_on_connect and six.PY2, *args, **kw)
  File "/usr/lib/python2.7/ssl.py", line 566, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 237, in do_handshake
    super(GreenSSLSocket, self).do_handshake)
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 109, in _call_trampolining
    return func(*a, **kw)
  File "/usr/lib/python2.7/ssl.py", line 788, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

Traceback (most recent call last):
_StringException: Empty attachments:
  pythonlogging:''-1
  stderr
  stdout

pythonlogging:'': {{{
Adding cache-proxy 'keystone.tests.unit.test_cache.CacheIsolatingProxy' to backend.
KVS region configuration for os-revoke-driver: {'keystone.kvs.arguments.distributed_lock': True, 'keystone.kvs.arguments.lock_timeout': 6, 'keystone.kvs.backend': 'openstack.kvs.Memory'}
Using default dogpile sha1_mangle_key as KVS region os-revoke-driver key_mangler
Starting /usr/lib/python2.7/dist-packages/subunit/run.py on 127.0.0.1:0
(8737) wsgi starting up on https://127.0.0.1:50075/
(8737) wsgi exited, is_accepting=True
}}}

Traceback (most recent call last):
  File "/«PKGBUILDDIR»/keystone/tests/unit/test_ssl.py", line 74, in test_2way_ssl_ok
    conn.request('GET', '/')
  File "/usr/lib/python2.7/httplib.py", line 1001, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1035, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 997, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 850, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 812, in send
    self.connect()
  File "/usr/lib/python2.7/httplib.py", line 1212, in connect
    server_hostname=server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 350, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 64, in __init__
    ca_certs, do_handshake_on_connect and six.PY2, *args, **kw)
  File "/usr/lib/python2.7/ssl.py", line 566, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 237, in do_handshake
    super(GreenSSLSocket, self).do_handshake)
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 109, in _call_trampolining
    return func(*a, **kw)
  File "/usr/lib/python2.7/ssl.py", line 788, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

Ran 5280 tests in 267.908s

FAILED (failures=4)

Morgan Fainberg (mdrnstm)
Changed in keystone:
milestone: none → kilo-rc1
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
Steve Martinelli (stevemar) wrote :

Might be related to: https://bugs.launchpad.net/cinder/+bug/1403068 and https://review.openstack.org/#/c/144988/

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/171001

Changed in keystone:
assignee: nobody → Morgan Fainberg (mdrnstm)
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/171001
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1d4a6db158e3118181ae9d96a03832c49ff8998f
Submitter: Jenkins
Branch: master

commit 1d4a6db158e3118181ae9d96a03832c49ff8998f
Author: Morgan Fainberg <email address hidden>
Date: Mon Apr 6 15:41:29 2015 -0700

    Skip SSL tests because some platforms do not enable SSLv3

    For "damned good security reasons" (POODLE) some platforms have
    patched out SSLv3 from OpenSSL. Because Evenetlet cannot be configured
    for specific versions (or ciphers) and httplib is extremely limited,
    the tests for SSL have been explicitly skipped. These tests should
    be potentially re-enabled in the functional suite for SSL terminated
    endpoints.

    This comes back to "do not terminate SSL in the eventlet wsgi" that
    was determined in bug 1381365.

    Change-Id: Ic4b446ceee9034de5b6530c2d79d798a903fcbbf
    Related-Bug: #1381365
    Closes-Bug: #1435174

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-rc1 → 2015.1.0
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.