Certificate verify failed on a fresh MicroStack installation

Bug #1949719 reported by Tytus Kurek
This bug affects 2 people
Affects: MicroStack
Status: Triaged
Importance: Medium
Assigned to: Unassigned

Bug Description

On a fresh MicroStack installation performed according to the documentation page:

https://microstack.run/docs/single-node

When I get to the OpenStack dashboards and download the RC file, I face the following issue:

```
guardian@Guardian-Inspiron:~$ cat ~/Downloads/admin-openrc.sh
#!/usr/bin/env bash
# To use an OpenStack cloud you need to authenticate against the Identity
# service named keystone, which returns a **Token** and **Service Catalog**.
# The catalog contains the endpoints for all services the user/tenant has
# access to - such as Compute, Image Service, Identity, Object Storage, Block
# Storage, and Networking (code-named nova, glance, keystone, swift,
# cinder, and neutron).
#
# *NOTE*: Using the 3 *Identity API* does not necessarily mean any other
# OpenStack API is version 3. For example, your cloud provider may implement
# Image API v1.1, Block Storage API v2, and Compute API v2.0. OS_AUTH_URL is
# only for the Identity API served through keystone.
export OS_AUTH_URL=https://192.168.1.111:5000/v3/
# With the addition of Keystone we have standardized on the term **project**
# as the entity that owns the resources.
export OS_PROJECT_ID=8b66ef72e1c14f22b62df430186ddb24
export OS_PROJECT_NAME="admin"
export OS_USER_DOMAIN_NAME="Default"
if [ -z "$OS_USER_DOMAIN_NAME" ]; then unset OS_USER_DOMAIN_NAME; fi
export OS_PROJECT_DOMAIN_ID="default"
if [ -z "$OS_PROJECT_DOMAIN_ID" ]; then unset OS_PROJECT_DOMAIN_ID; fi
# unset v2.0 items in case set
unset OS_TENANT_ID
unset OS_TENANT_NAME
# In addition to the owning entity (tenant), OpenStack stores the entity
# performing the action as the **user**.
export OS_USERNAME="admin"
# With Keystone you pass the keystone password.
echo "Please enter your OpenStack Password for project $OS_PROJECT_NAME as user $OS_USERNAME: "
read -sr OS_PASSWORD_INPUT
export OS_PASSWORD=$OS_PASSWORD_INPUT
# If your configuration has multiple regions, we set that information here.
# OS_REGION_NAME is optional and only valid in certain environments.
export OS_REGION_NAME="microstack"
# Don't leave a blank variable, unset it if it was empty
if [ -z "$OS_REGION_NAME" ]; then unset OS_REGION_NAME; fi
export OS_INTERFACE=public
export OS_IDENTITY_API_VERSION=3
```

```
guardian@Guardian-Inspiron:~$ source ~/Downloads/admin-openrc.sh
Please enter your OpenStack Password for project admin as user admin:
```

```
guardian@Guardian-Inspiron:~$ openstack catalog list
Failed to discover available identity versions when contacting https://192.168.1.111:5000/v3/. Attempting to parse version from URL.
SSL exception connecting to https://192.168.1.111:5000/v3/auth/tokens: HTTPSConnectionPool(host='192.168.1.111', port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
```

I also get a certificate verification error when visiting the OpenStack dashboard.

Tytus Kurek (tkurek) wrote:

Obviously, it works with the "--insecure" switch:

```
guardian@Guardian-Inspiron:~$ openstack catalog list --insecure
+-----------+-----------+----------------------------------------------------------------------------+
| Name | Type | Endpoints |
+-----------+-----------+----------------------------------------------------------------------------+
| cinderv3 | volumev3 | microstack |
| | | internal: https://192.168.1.111:8776/v3/8b66ef72e1c14f22b62df430186ddb24 |
| | | microstack |
| | | admin: https://192.168.1.111:8776/v3/8b66ef72e1c14f22b62df430186ddb24 |
| | | microstack |
| | | public: https://192.168.1.111:8776/v3/8b66ef72e1c14f22b62df430186ddb24 |
| | | |
| keystone | identity | microstack |
| | | internal: https://192.168.1.111:5000/v3/ |
| | | microstack |
| | | public: https://192.168.1.111:5000/v3/ |
| | | microstack |
| | | admin: https://192.168.1.111:5000/v3/ |
| | | |
| placement | placement | microstack |
| | | public: https://192.168.1.111:8778 |
| | | microstack |
| | | internal: https://192.168.1.111:8778 |
| | | microstack |
| | | admin: https://192.168.1.111:8778 |
| | | |
| cinderv2 | volumev2 | microstack |
| | | admin: https://192.168.1.111:8776/v2/8b66ef72e1c14f22b62df430186ddb24 |
| | | microstack |
| | | internal: https://192.168.1.111:8776/v2/8b66ef72e1c14f22b62df430186ddb24 |
| | | microstack |
| | | public: https://192.168.1.111:8776/v2/8b66ef72e1c14f22b62df430186ddb24...
```

Felipe Pose Velasco (felipe-pose) wrote :

Try adding the following line to your rc file:

```
export OS_CACERT=/var/snap/microstack/common/etc/ssl/certs/cacert.pem
```

Tytus Kurek (tkurek) wrote:

@Felipe:

Now I'm getting the "Permission denied" error:

```
guardian@Guardian-Inspiron:~$ openstack catalog list
Failed to discover available identity versions when contacting https://192.168.1.108:5000/v3/. Attempting to parse version from URL.
SSL exception connecting to https://192.168.1.108:5000/v3/auth/tokens: HTTPSConnectionPool(host='192.168.1.108', port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(PermissionError(13, 'Permission denied'),))
```

But I found the following solution working:

```
guardian@Guardian-Inspiron:~$ sudo cp /var/snap/microstack/common/etc/ssl/certs/cacert.pem /usr/local/share/ca-certificates/microstack.crt
guardian@Guardian-Inspiron:~$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
guardian@Guardian-Inspiron:~$ openstack catalog list
+-----------+-----------+----------------------------------------------------------------------------+
| Name | Type | Endpoints |
+-----------+-----------+----------------------------------------------------------------------------+
| placement | placement | microstack |
| | | public: https://192.168.1.108:8778 |
| | | microstack |
| | | admin: https://192.168.1.108:8778 |
| | | microstack |
| | | internal: https://192.168.1.108:8778 |
| | | |
| cinderv2 | volumev2 | microstack |
| | | public: https://192.168.1.108:8776/v2/ea540524df8445eaa0bba48cd8763b52 |
| | | microstack |
| | | internal: https://192.168.1.108:8776/v2/ea540524df8445eaa0bba48cd8763b52 |
| | | microstack |
| | | admin: https://192.168.1.108:8776/v2/ea540524df8445eaa0bba48cd8763b52 |
| | | |
| nova | compute | microstack |
| | | internal: https://192.168.1.108:8774/v2.1 |
| | | microstack |
| | | admin: https://192.168.1.108:8774/v2.1 |
| | | microstack |
| | | publi...
```

Changed in microstack:
status: New → Triaged
importance: Undecided → Medium
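
Added example, not part of the bug report or of MicroStack: a preflight for the file named in `OS_CACERT` that separates the two failures seen in this thread (untrusted CA versus a CA file the user cannot read) and then checks the endpoint's chain against that one file instead of falling back to `--insecure`. The function names are hypothetical, and it assumes the `PermissionError(13)` above came from the invoking user being unable to read the snap-owned CA path.

```shell
#!/usr/bin/env bash
# Added example (not MicroStack code). Preflight for the file named in OS_CACERT.
# Return codes: 0 usable, 2 missing, 3 permission denied, 4 no PEM certificate.
check_cacert() {
    local f dir
    f=$1
    if [ ! -e "$f" ]; then
        # A parent directory without search (x) permission hides the file, so
        # find the deepest ancestor we can see and test it before saying "missing".
        dir=$(dirname "$f")
        while [ ! -d "$dir" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
            dir=$(dirname "$dir")
        done
        [ -x "$dir" ] || return 3
        return 2
    fi
    [ -r "$f" ] || return 3
    # Structural check only: confirms a PEM certificate block is present.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$f" || return 4
    return 0
}

# Map the result to the symptom seen in the thread and a scoped remedy
# (assumption: the PermissionError was a file-permission problem on the CA path).
explain_cacert() {
    local rc=0
    check_cacert "$1" || rc=$?
    case $rc in
        0) echo "ok: $1 can be used as OS_CACERT" ;;
        2) echo "missing: $1 does not exist" ;;
        3) echo "unreadable: clients fail with PermissionError(13); copy the CA to a file you own and point OS_CACERT at the copy" ;;
        4) echo "invalid: $1 holds no PEM certificate" ;;
    esac
    return "$rc"
}

# Chain check against the live endpoint, with the CA file as trust anchor.
# Does not check that the certificate name matches the host.
verify_endpoint() {
    openssl s_client -connect "$1" -CAfile "$2" -verify_return_error \
        </dev/null >/dev/null 2>&1
}
```

Typical use is `explain_cacert "$OS_CACERT" && verify_endpoint 192.168.1.108:5000 "$OS_CACERT"`; a CA file copied into the user's home keeps the trust decision scoped to OpenStack clients, whereas the system-wide store makes every TLS client on the machine trust that CA.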