"openstack network list" fails with "An SSL error occurred."

Bug #1613679 reported by Krzysztof Franckowski
This bug affects 1 person
Affects: Mirantis OpenStack
Status: Fix Released
Importance: Medium
Assigned to: Boris Bobrov

Bug Description

A customer reports:

"Commands like:
openstack quota show d6f54316f1df417fbef9ec3cbac763e3
Are failing, with:
"An SSL error occurred".
The executed analysis reveals the following facts:
REQ: curl -g -i --cacert "/etc/ssl/certs/CEE/ctrl-ca.crt" -X GET http://<URL>:35357/v2.0/tenants/<ID> 3 -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}<TOKEN>"

REQ: curl -g -i -X GET https://public.fuel.local:9696/v2.0/quotas/d6f54316f1df417fbef9ec3cbac <*****> -H "User-Agent: openstacksdk/0.8.2 keystoneauth1/2.3.0 python-requests/2.9.1 CPython/2.7.6" -H "X-Auth-Token: SHA1}<TOKEN>"

The issue can be tracked down to:
/usr/lib/python2.7/dist-packages/openstack/resource.py, line #615:
response = session.get(url, endpoint_filter=cls.service)
response = session.get(url, endpoint_filter=cls.service, verify='/etc/ssl/certs/CEE/ctrl-ca.crt')

Our design was to trust only certificates which were provided by the user explicitly for the cloud, so we deliberately selected a non-default CAcert location; however, as currently we trust these CAs rather than only the NBI certs, we're halfway there.

This issue seems to be fixed by: https://review.openstack.org/303472 [-> bug/1560157 (https://bugs.launchpad.net/python-openstackclient/+bug/1560157)]
"

It seems that the problem is also related to a similar issue:

openstack --debug network list
SDKException: An SSL error occurred.
END return value: 1
The above bug is fixed in https://review.openstack.org/#/c/303472/ and released in version 2.4.

Tags: 9.0 mos sla2
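
The two REQ lines in the description differ in one detail: the python-keystoneclient request carries `--cacert`, the openstacksdk request to port 9696 does not. As an added example (not code from this report or from OpenStack), the script below scans `--debug` output for HTTPS requests that lost the configured CA bundle. It assumes a missing `--cacert` in the logged curl line means that session has no CA path set; `parse_req` and `audit` are hypothetical names, and the sample log is constructed from the report's lines with placeholder hosts, IDs and tokens.

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample modelled on the REQ lines in the report; the third line
# is an invented, correctly pinned request used as a negative case.
SAMPLE_DEBUG_LOG = '''\
REQ: curl -g -i --cacert "/etc/ssl/certs/CEE/ctrl-ca.crt" -X GET http://192.0.2.10:35357/v2.0/tenants/PROJECT_ID -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA1}TOKEN"
REQ: curl -g -i -X GET https://public.fuel.local:9696/v2.0/quotas/PROJECT_ID -H "User-Agent: openstacksdk/0.8.2 keystoneauth1/2.3.0" -H "X-Auth-Token: {SHA1}TOKEN"
REQ: curl -g -i --cacert "/etc/ssl/certs/CEE/ctrl-ca.crt" -X GET https://public.fuel.local:8774/v2.1/limits -H "X-Auth-Token: {SHA1}TOKEN"
'''

def parse_req(line):
    """Return (url, cacert, insecure) for one 'REQ: curl ...' line, else None."""
    if not line.startswith("REQ: curl "):
        return None
    args = shlex.split(line[len("REQ: "):])
    url = cacert = None
    insecure = False
    i = 1
    while i < len(args):
        arg = args[i]
        if arg == "--cacert" and i + 1 < len(args):
            cacert = args[i + 1]
            i += 1
        elif arg in ("-X", "-H") and i + 1 < len(args):
            i += 1  # skip the option's value so header text is never read as a URL
        elif arg in ("-k", "--insecure"):
            insecure = True
        elif arg.startswith(("http://", "https://")):
            url = arg
        i += 1
    return url, cacert, insecure

def audit(log_text):
    """Flag HTTPS requests that do not use the CA bundle seen elsewhere in the run."""
    reqs = [r for r in map(parse_req, log_text.splitlines()) if r and r[0]]
    configured = {ca for _, ca, _ in reqs if ca}
    findings = []
    for url, cacert, insecure in reqs:
        if urlsplit(url).scheme != "https":
            continue
        if insecure:
            findings.append((url, "verification disabled"))
        elif cacert is None and configured:
            findings.append((url, "no --cacert: default trust store is used"))
    return findings, configured

if __name__ == "__main__":
    for url, reason in audit(SAMPLE_DEBUG_LOG)[0]:
        print(f"{url}: {reason}")
```
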
Boris Bobrov (bbobrov) wrote :

MOS 9.0

Changed in mos:
assignee: nobody → Boris Bobrov (bbobrov)
status: New → Confirmed
Boris Bobrov (bbobrov) wrote :
Alexander Rubtsov (arubtsov) wrote :

sla2 for 9.0-updates

tags: added: sla2
Boris Bobrov (bbobrov) wrote :

Fixed

Changed in mos:
milestone: none → 9.1
status: Confirmed → Fix Committed
Changed in mos:
importance: Undecided → Medium
Timur Nurlygayanov (tnurlygayanov) wrote :

root@node-4:~# openstack network list
+--------------------------------------+--------------------+--------------------------------------+
| ID                                   | Name               | Subnets                              |
+--------------------------------------+--------------------+--------------------------------------+
| 3f1152ff-56bb-4c8e-9ae1-5c1707bfbff1 | admin_floating_net | 22ca4f2d-a472-4c32-b53c-5d4563479e3c |
| 71b80cb5-dc9f-4b96-949a-c7194b62466d | admin_internal_net | 443d8925-1ec5-4cef-8003-3f85a348282a |
+--------------------------------------+--------------------+--------------------------------------+

root@node-4:~# openstack quota show 460d32aa023345a082f7f0e5389bd359
+------------------------+----------------------------------+
| Field                  | Value                            |
+------------------------+----------------------------------+
| backup_gigabytes       | 1000                             |
| backups                | 10                               |
| cores                  | 100                              |
| fixed-ips              | -1                               |
| floating-ips           | 50                               |
| gigabytes              | 1000                             |
| gigabytes_volumes_ceph | -1                               |
| injected-file-size     | 102400                           |
| injected-files         | 50                               |
| injected-path-size     | 4096                             |
| instances              | 100                              |
| key-pairs              | 10                               |
| network                | 10                               |
| per_volume_gigabytes   | -1                               |
| port                   | 50                               |
| project                | 460d32aa023345a082f7f0e5389bd359 |
| properties             | 1024                             |
| ram                    | 51200                            |
| rbac_policy            | 10                               |
| router                 | 10                               |
| secgroup-rules         | 100                              |
| secgroups              | 10                               |
| server_group_members   | 10                               |
| server_groups          | 10                               |
| snapshots              | 10                               |
| snapshots_volumes_ceph | -1                               |
| subnet                 | 10                               |
| subnetpool             | -1                               |
| volumes                | 10                               |
| volumes_volumes_ceph   | -1                               |
+------------------------+----------------------------------+

Timur Nurlygayanov (tnurlygayanov) wrote :

The verification is blocked by https://bugs.launchpad.net/fuel/+bug/1620526

Timur Nurlygayanov (tnurlygayanov) wrote :

It works on environments with ssl:

root@node-1:~# openstack network list
+--------------------------------------+--------------------+--------------------------------------+
| ID                                   | Name               | Subnets                              |
+--------------------------------------+--------------------+--------------------------------------+
| bb297d0c-cccc-4fca-b7f9-80dd0513dd6f | admin_floating_net | 4d03ebf4-08d6-4a74-b99f-51706bdfab40 |
| ea19c061-ae0e-4d36-b4ef-f3795ae4b41f | admin_internal_net | 665fdc9f-eccb-458a-a1cb-a1286a452362 |
+--------------------------------------+--------------------+--------------------------------------+

and without ssl too (see my previous comment).

Status changed to Fix Released.

Changed in mos:
status: Fix Committed → Fix Released