OpenStack Clients Snap

Manila rally tests fail when using a cacert.

Bug #1936824 reported by Marcelo Subtil Marcal
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Clients Snap
Invalid
Undecided
Unassigned

Bug Description

It seems to be happening because FCE is using the snap openstack client:

# snap client:

$ /snap/bin/openstack share list
HTTPSConnectionPool(host='[REDACTED]', port=8786): Max retries exceeded with url: /v2/623996b41af44b2693dd5f231a6b812a/shares/detail (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))

# deb client

$ openstack share list
<NO ERROR OR WARNING IS SHOWN>

# manila command

$ manila list
/usr/lib/python3/dist-packages/urllib3/connection.py:391: SubjectAltNameWarning: Certificate for [REDACTED] has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
  warnings.warn(
/usr/lib/python3/dist-packages/urllib3/connection.py:391: SubjectAltNameWarning: Certificate for [REDACTED] has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
  warnings.warn(
/usr/lib/python3/dist-packages/urllib3/connection.py:391: SubjectAltNameWarning: Certificate for [REDACTED] has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
  warnings.warn(
/usr/lib/python3/dist-packages/urllib3/connection.py:391: SubjectAltNameWarning: Certificate for [REDACTED] has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
  warnings.warn(
+----+------+------+-------------+--------+-----------+-----------------+------+-------------------+
| ID | Name | Size | Share Proto | Status | Is Public | Share Type Name | Host | Availability Zone |
+----+------+------+-------------+--------+-----------+-----------------+------+-------------------+
+----+------+------+-------------+--------+-----------+-----------------+------+-------------------+

Revision history for this message
Marcelo Subtil Marcal (msmarcal) wrote :

Subscribed field-high

Revision history for this message
Marcelo Subtil Marcal (msmarcal) wrote :

Also tried to add the cacert to snap but, with no success:

snap set system store-certs.cert1="$(cat /path/to/cacert)"

Revision history for this message
Billy Olsen (billy-olsen) wrote :

The last update for the openstackclients snap includes the ability to use the system provided certs [0]. Are the certs installed into the local system which is being used for the test?

[0] - https://opendev.org/x/snap-openstackclients/commit/79de448e28cbcac747bc88811536466da6681165

Changed in snap-openstackclients:
status: New → Incomplete
Revision history for this message
Jeff Hillman (jhillman) wrote : Re: [Bug 1936824] Re: Manila rally tests fail when using a cacert.
Download full text (3.2 KiB)

Yes.

On Mon, Aug 16, 2021, 8:20 PM Billy Olsen <email address hidden>
wrote:

> The last update for the openstackclients snap includes the ability to
> use the system provided certs [0]. Are the certs installed into the
> local system which is being used for the test?
>
> [0] - https://opendev.org/x/snap-
> openstackclients/commit/79de448e28cbcac747bc88811536466da6681165
>
> ** Changed in: snap-openstackclients
> Status: New => Incomplete
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1936824
>
> Title:
> Manila rally tests fail when using a cacert.
>
> Status in OpenStack Clients Snap:
> Incomplete
>
> Bug description:
> It seems to be happening because FCE is using the snap openstack
> client:
>
> # snap client:
>
> $ /snap/bin/openstack share list
> HTTPSConnectionPool(host='[REDACTED]', port=8786): Max retries exceeded
> with url: /v2/623996b41af44b2693dd5f231a6b812a/shares/detail (Caused by
> SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify
> failed (_ssl.c:852)'),))
>
> # deb client
>
> $ openstack share list
> <NO ERROR OR WARNING IS SHOWN>
>
> # manila command
>
> $ manila list
> /usr/lib/python3/dist-packages/urllib3/connection.py:391:
> SubjectAltNameWarning: Certificate for [REDACTED] has no `subjectAltName`,
> falling back to check for a `commonName` for now. This feature is being
> removed by major browsers and deprecated by RFC 2818. (See
> https://github.com/urllib3/urllib3/issues/497 for details.)
> warnings.warn(
> /usr/lib/python3/dist-packages/urllib3/connection.py:391:
> SubjectAltNameWarning: Certificate for [REDACTED] has no `subjectAltName`,
> falling back to check for a `commonName` for now. This feature is being
> removed by major browsers and deprecated by RFC 2818. (See
> https://github.com/urllib3/urllib3/issues/497 for details.)
> warnings.warn(
> /usr/lib/python3/dist-packages/urllib3/connection.py:391:
> SubjectAltNameWarning: Certificate for [REDACTED] has no `subjectAltName`,
> falling back to check for a `commonName` for now. This feature is being
> removed by major browsers and deprecated by RFC 2818. (See
> https://github.com/urllib3/urllib3/issues/497 for details.)
> warnings.warn(
> /usr/lib/python3/dist-packages/urllib3/connection.py:391:
> SubjectAltNameWarning: Certificate for [REDACTED] has no `subjectAltName`,
> falling back to check for a `commonName` for now. This feature is being
> removed by major browsers and deprecated by RFC 2818. (See
> https://github.com/urllib3/urllib3/issues/497 for details.)
> warnings.warn(
>
> +----+------+------+-------------+--------+-----------+-----------------+------+-------------------+
> | ID | Name | Size | Share Proto | Status | Is Public | Share Type Name
> | Host | Availability Zone |
>
> +----+------+------+-------------+--------+-----------+-----------------+------+-------------------+
>
> +----+------+------+-------------+--------+-----------+-----------------+------+-------------------+
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/snap-openstackclients/+b...

Read more...

Revision history for this message
Jeff Hillman (jhillman) wrote :
Download full text (3.4 KiB)

Fcbtest snap appears to have it's own openstack client

On Mon, Aug 16, 2021, 8:21 PM Jeff Hillman <email address hidden>
wrote:

> Yes.
>
> On Mon, Aug 16, 2021, 8:20 PM Billy Olsen <email address hidden>
> wrote:
>
>> The last update for the openstackclients snap includes the ability to
>> use the system provided certs [0]. Are the certs installed into the
>> local system which is being used for the test?
>>
>> [0] - https://opendev.org/x/snap-
>> openstackclients/commit/79de448e28cbcac747bc88811536466da6681165
>>
>> ** Changed in: snap-openstackclients
>> Status: New => Incomplete
>>
>> --
>> You received this bug notification because you are subscribed to the bug
>> report.
>> https://bugs.launchpad.net/bugs/1936824
>>
>> Title:
>> Manila rally tests fail when using a cacert.
>>
>> Status in OpenStack Clients Snap:
>> Incomplete
>>
>> Bug description:
>> It seems to be happening because FCE is using the snap openstack
>> client:
>>
>> # snap client:
>>
>> $ /snap/bin/openstack share list
>> HTTPSConnectionPool(host='[REDACTED]', port=8786): Max retries exceeded
>> with url: /v2/623996b41af44b2693dd5f231a6b812a/shares/detail (Caused by
>> SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify
>> failed (_ssl.c:852)'),))
>>
>> # deb client
>>
>> $ openstack share list
>> <NO ERROR OR WARNING IS SHOWN>
>>
>> # manila command
>>
>> $ manila list
>> /usr/lib/python3/dist-packages/urllib3/connection.py:391:
>> SubjectAltNameWarning: Certificate for [REDACTED] has no `subjectAltName`,
>> falling back to check for a `commonName` for now. This feature is being
>> removed by major browsers and deprecated by RFC 2818. (See
>> https://github.com/urllib3/urllib3/issues/497 for details.)
>> warnings.warn(
>> /usr/lib/python3/dist-packages/urllib3/connection.py:391:
>> SubjectAltNameWarning: Certificate for [REDACTED] has no `subjectAltName`,
>> falling back to check for a `commonName` for now. This feature is being
>> removed by major browsers and deprecated by RFC 2818. (See
>> https://github.com/urllib3/urllib3/issues/497 for details.)
>> warnings.warn(
>> /usr/lib/python3/dist-packages/urllib3/connection.py:391:
>> SubjectAltNameWarning: Certificate for [REDACTED] has no `subjectAltName`,
>> falling back to check for a `commonName` for now. This feature is being
>> removed by major browsers and deprecated by RFC 2818. (See
>> https://github.com/urllib3/urllib3/issues/497 for details.)
>> warnings.warn(
>> /usr/lib/python3/dist-packages/urllib3/connection.py:391:
>> SubjectAltNameWarning: Certificate for [REDACTED] has no `subjectAltName`,
>> falling back to check for a `commonName` for now. This feature is being
>> removed by major browsers and deprecated by RFC 2818. (See
>> https://github.com/urllib3/urllib3/issues/497 for details.)
>> warnings.warn(
>>
>> +----+------+------+-------------+--------+-----------+-----------------+------+-------------------+
>> | ID | Name | Size | Share Proto | Status | Is Public | Share Type Name
>> | Host | Availability Zone |
>>
>> +----+------+------+-------------+--------+-----------+-----------------+------+----------------...

Read more...

Revision history for this message
James Page (james-page) wrote :

"Fcbtest snap appears to have it's own openstack client"

OK so it sounds like that snap needs the same updates as the main openstackclients snap has had to allow access to system CA certs.

Marking this bug as Invalid.

Changed in snap-openstackclients:
status: Incomplete → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.