murano --os-cacert (OS_CACERT) option does not work

Suggested changes (disable ca-file option at all replacing it by os-cacert):

--- common/http.py.orig 2015-08-21 13:38:41.885823197 +0000
+++ common/http.py 2015-08-21 13:56:29.271491786 +0000
@@ -66,7 +66,7 @@
         self.timeout = kwargs.get('timeout')

         self.ssl_connection_params = {
- 'ca_file': kwargs.get('ca_file'),
+ 'cacert': kwargs.get('cacert'),
             'cert_file': kwargs.get('cert_file'),
             'key_file': kwargs.get('key_file'),
             'insecure': kwargs.get('insecure'),
@@ -77,7 +77,7 @@
             if kwargs.get('insecure'):
                 self.verify_cert = False
             else:
- self.verify_cert = kwargs.get('ca_file', get_system_ca_file())
+ self.verify_cert = kwargs.get('cacert', get_system_ca_file())

     def log_curl_request(self, method, url, kwargs):
         curl = ['curl -i -X %s' % method]
@@ -90,7 +90,7 @@
         conn_params_fmt = [
             ('key_file', '--key %s'),
             ('cert_file', '--cert %s'),
- ('ca_file', '--cacert %s'),
+ ('cacert', '--cacert %s'),
         ]
         for (key, fmt) in conn_params_fmt:
             value = self.ssl_connection_params.get(key)

And:
--- shell.py.orig 2015-08-21 14:00:55.479898082 +0000
+++ shell.py 2015-08-21 14:06:52.281803726 +0000
@@ -86,12 +86,6 @@
                                  ' This option is not necessary if your '
                                  'key is prepended to your cert file.')

- parser.add_argument('--ca-file',
- help='Path of CA SSL certificate(s) used to verify'
- ' the remote server certificate. Without '
- 'this option glance looks for the default '
- 'system CA certificates.')
-
         parser.add_argument('--api-timeout',
                             help='Number of seconds to wait for an '
                                  'API response, '
@@ -324,7 +318,7 @@
             kwargs = {
                 'token': token,
                 'insecure': args.insecure,
- 'ca_file': args.ca_file,
+ 'cacert': args.os_cacert,
                 'cert_file': args.cert_file,
                 'key_file': args.key_file,
                 'username': args.os_username,

--- tests/test_common_http.py.orig 2015-08-21 14:08:19.467246759 +0000
+++ tests/test_common_http.py 2015-08-21 14:17:24.004259346 +0000
@@ -448,7 +448,7 @@
         self.assertFalse(client.verify_cert)

     def test_passed_cert_to_verify_cert(self, mock_request):
- client = http.HTTPClient('https://foo', ca_file="NOWHERE")
+ client = http.HTTPClient('https://foo', cacert="NOWHERE")
         self.assertEqual("NOWHERE", client.verify_cert)

         with mock.patch('muranoclient.common.http.get_system_ca_file') as gsf:

After that changes murano CLI works as other openstack services:
# echo $OS_CACERT
/etc/haproxy/ca.pem

# murano environment-list
+----+------+---------+---------+
| ID | Name | Created | Updated |
+----+------+---------+---------+
+----+------+---------+---------+

# unset OS_CACERT
# echo $OS_CACERT

# murano environment-list
Error communicating with https://10.135.165.21:8082 [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

# murano --os-cacert /etc/haproxy/ca.pem environment-list
+----+------+---------+---------+
| ID | Name | Created | Updated |
+----+------+---------+---------+
+----+------+---------+---------+

Andrey, cool, thank you fro this suggestion!
Could you please make a commit with the fix? If no, I will do this :)

Please notice that it's customer found issue and we need to have backport for MOS 6.0

Hi, here is the fix for master branch:

https://review.openstack.org/216148

Alexander, could you please specify the version of MOs which should have back-port for this bug in python Murano client?

Timur,

The MOS version for backporting is 6.0

Reviewed: https://review.openstack.org/216148
Committed: https://git.openstack.org/cgit/openstack/python-muranoclient/commit/?id=1141dd59aff141bee6618806a4496b57c214c7c1
Submitter: Jenkins
Branch: master

commit 1141dd59aff141bee6618806a4496b57c214c7c1
Author: Timur Nurlygayanov <email address hidden>
Date: Mon Aug 24 11:32:04 2015 +0300

    Fixed issue with cacert parameter

    We need to use parameter cacert instead of ca_file parameter
    to work with CA certificates like python clients for other
    OpenStack services.

    Also fixed typo (after copy paste from Glance code).

    Change-Id: Ibe36390aab2f2edb0fe7670f76f61caeb350d34b
    Closes-Bug: #1487099

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/245144

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/245147

Change abandoned by Kirill Zaitsev (<email address hidden>) on branch: stable/juno
Review: https://review.openstack.org/245147
Reason: juno is no longer supported

Reviewed: https://review.openstack.org/245144
Committed: https://git.openstack.org/cgit/openstack/python-muranoclient/commit/?id=5670a3838dfc67797c85612194f02be7ba86b5e4
Submitter: Jenkins
Branch: stable/kilo

commit 5670a3838dfc67797c85612194f02be7ba86b5e4
Author: Timur Nurlygayanov <email address hidden>
Date: Mon Aug 24 11:32:04 2015 +0300

    Fixed issue with cacert parameter

    We need to use parameter cacert instead of ca_file parameter
    to work with CA certificates like python clients for other
    OpenStack services.

    Also fixed typo (after copy paste from Glance code).

    (cherry picked from commit 1141dd59aff141bee6618806a4496b57c214c7c1)

    Change-Id: Ibe36390aab2f2edb0fe7670f76f61caeb350d34b
    Closes-Bug: #1487099

This issue was fixed in the openstack/python-muranoclient 0.5.10 release.

This issue was fixed in the openstack/python-muranoclient 0.5.10 release.