self-signed certificates don't function with keystone

Bug #1553577 reported by Steven Dake
Affects: kolla
Status: Invalid
Importance: Low
Assigned to: Dave McCowan
Milestone:

Bug Description

I can access horizon via Chrome, although the certificate chain is untrusted.

However, if I try to access keystone I receive the following error:
STDAKE-M-J2VL:demo sdake$ keystone user-list

/usr/local/lib/python2.7/site-packages/keystoneclient/shell.py:64: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient.
  'python-keystoneclient.', DeprecationWarning)
/usr/local/lib/python2.7/site-packages/keystoneclient/v2_0/client.py:145: DeprecationWarning: Constructing an instance of the keystoneclient.v2_0.client.Client class without a session is deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release.
  'the 2.0.0 release.', DeprecationWarning)
/usr/local/lib/python2.7/site-packages/keystoneclient/v2_0/client.py:147: DeprecationWarning: Using the 'tenant_name' argument is deprecated in version '1.7.0' and will be removed in version '2.0.0', please use the 'project_name' argument instead
  super(Client, self).__init__(**kwargs)
/usr/local/lib/python2.7/site-packages/debtcollector/renames.py:43: DeprecationWarning: Using the 'tenant_id' argument is deprecated in version '1.7.0' and will be removed in version '2.0.0', please use the 'project_id' argument instead
  return f(*args, **kwargs)
/usr/local/lib/python2.7/site-packages/keystoneclient/httpclient.py:376: DeprecationWarning: Constructing an HTTPClient instance without using a session is deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release.
  'the 2.0.0 release.', DeprecationWarning)
Authorization Failed: SSL exception connecting to https://broked.selfip.net:5000/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

I then run with the --insecure flag to turn off certificate validation and receive the following:

STDAKE-M-J2VL:demo sdake$ keystone --insecure user-list

/usr/local/lib/python2.7/site-packages/keystoneclient/shell.py:64: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient.
  'python-keystoneclient.', DeprecationWarning)
/usr/local/lib/python2.7/site-packages/keystoneclient/v2_0/client.py:145: DeprecationWarning: Constructing an instance of the keystoneclient.v2_0.client.Client class without a session is deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release.
  'the 2.0.0 release.', DeprecationWarning)
/usr/local/lib/python2.7/site-packages/keystoneclient/v2_0/client.py:147: DeprecationWarning: Using the 'tenant_name' argument is deprecated in version '1.7.0' and will be removed in version '2.0.0', please use the 'project_name' argument instead
  super(Client, self).__init__(**kwargs)
/usr/local/lib/python2.7/site-packages/debtcollector/renames.py:43: DeprecationWarning: Using the 'tenant_id' argument is deprecated in version '1.7.0' and will be removed in version '2.0.0', please use the 'project_id' argument instead
  return f(*args, **kwargs)
/usr/local/lib/python2.7/site-packages/keystoneclient/httpclient.py:376: DeprecationWarning: Constructing an HTTPClient instance without using a session is deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release.
  'the 2.0.0 release.', DeprecationWarning)
/usr/local/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
Authorization Failed: The resource could not be found. (HTTP 404)
STDAKE-M-J2VL:demo sdake$

I am running a NAT. I tried hacking the .cnf defaults file to force my NAT IP address into the SSL certificate, but that didn't seem to work. I ran the following operations:
[11:47:38] <dave-mccowan> kolla-ansible certificates
[11:48:28] <dave-mccowan> kolla_enable_tls_external=yes
[11:48:48] <dave-mccowan> kolla-ansible deploy
[11:49:02] <dave-mccowan> (you also need two vips)

My 149 address is my external VIP and is where my NAT forwards to. My 148 address is my internal VIP. The internal VIP appears to work because horizon would not be functional if it were not.

Help appreciated on getting keystone to either ignore or trust my unsigned certificate.

Steven Dake (sdake)
Changed in kolla:
status: New → Triaged
importance: Undecided → High
milestone: none → mitaka-rc1
assignee: nobody → Dave McCowan (dave-mccowan)
Changed in kolla:
status: Triaged → Invalid
Revision history for this message
Dave McCowan (dave-mccowan) wrote :

The kolla-ansible playbook to generate certificates is for developers' convenience only.
The self-signed certificates that it generates will rightly generate warnings.
For deployments, operators will want to get their own certificates from a CA.
For developers, they can use the generated self-signed CAs, but need to set up their openrc files as shown in tools/openrc-example and copy the CA certificate file to their client server.

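The two outcomes in this report, reproduced offline with a throwaway CA, as an added example that is not kolla's code and not part of any comment above. It assumes openssl on the client, uses a hypothetical CA name (example-kolla-ca) and a temporary working directory, and prints the openrc variables the thread refers to (OS_CACERT pointing at the copied CA file, and OS_AUTH_URL with the /v2.0 suffix that Dave's later comment says the keystone CLI needs).

```shell
#!/bin/sh
# Added example (not kolla's own code). Everything here is constructed locally:
# the CA, the server certificate for the external VIP name, and the openrc lines.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build a private CA and a server certificate signed by it. This is the same
# shape of chain a dev deployment gets from "kolla-ansible certificates":
# valid, but issued by a CA no client trusts by default.
make_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=example-kolla-ca" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
      -subj "/CN=broked.selfip.net" \
      -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
      -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
      -out "$WORK/server.crt" >/dev/null 2>&1
}

# chain_ok [cafile]: exit 0 if server.crt chains to a trusted CA.
# With no argument only the system trust store is consulted, which is what the
# client does when OS_CACERT is unset: that is the CERTIFICATE_VERIFY_FAILED
# case in the report. Passing the copied CA file is the fix; --insecure is not.
chain_ok() {
  if [ $# -gt 0 ]; then
    openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
  else
    openssl verify "$WORK/server.crt" >/dev/null 2>&1
  fi
}

# The client-side configuration: point the CLI at the CA that issued the
# server certificate rather than disabling verification.
print_openrc() {
  cat <<EOF
export OS_AUTH_URL=https://broked.selfip.net:5000/v2.0
export OS_CACERT=$WORK/ca.crt
EOF
}

make_certs
if chain_ok; then
  echo "unexpected: untrusted chain verified against the system store" >&2
  exit 1
fi
chain_ok "$WORK/ca.crt" && echo "chain verifies against the copied CA"
print_openrc
```

Source the printed lines (or put them in your openrc) and the openstack CLI will validate the kolla-generated certificate without --insecure; the InsecureRequestWarning from urllib3 in the report is exactly the condition this avoids.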
Revision history for this message
Steven Dake (sdake) wrote :

Dave,

Documentation will fix this misunderstanding. If you don't want to write the docs, unassign yourself and I'll either do it or find someone who will :)

Thanks
-steve

Changed in kolla:
status: Invalid → Confirmed
importance: High → Low
Revision history for this message
Steven Dake (sdake) wrote :

Dave, either you or I are in the best position to document this, since we both understand how it works. LMK what you want to do.

Steven Dake (sdake)
Changed in kolla:
milestone: mitaka-rc1 → mitaka-rc2
Revision history for this message
Sam Yaple (s8m) wrote :

sdake, you should not be using the keystone client at all (see the big deprecated warning). The openstack client works fine in this situation and this is all already documented in two locations in our documentation.

Changed in kolla:
status: Confirmed → Invalid
Revision history for this message
Dave McCowan (dave-mccowan) wrote :

The keystone CLI doesn't do version discovery.
If you set OS_AUTH_URL to https://<yourIP>:5000/v2.0, the keystone CLI will work today (with or without TLS), but since it is deprecated it's better to use openstack CLI.

To verify, run with the --debug flag on keystone, or -v flag on openstack, to see client/server exchange.

Revision history for this message
Steven Dake (sdake) wrote :

Yes Sam, I know python-keystoneclient doesn't even work at all. The key point of this bug is to document how to use TLS, not how to not use python-keystoneclient.

Steven Dake (sdake)
Changed in kolla:
milestone: mitaka-rc2 → mitaka-rc3
milestone: mitaka-rc3 → mitaka-rc2