SSL certification verification failed when Heat calls Glanceclient with ca cert

Bug #1384626 reported by zhu zhu
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Heat | Fix Released | High | zhu zhu |
Juno | Fix Released | High | Unassigned |

Bug Description

Glance server is configured with HTTPS.

Configured Heat with heat.conf:
[clients_glance]
ca_file=<ca file path>
insecure=<false>

When trying to create a stack, Heat raises an exception while loading image data:
[Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The root cause is that ca_file, as shown below, is the wrong argument for initializing the glance client; it should be cacert, which is the argument supported by glanceclient.

class GlanceClientPlugin(client_plugin.ClientPlugin):

    exceptions_module = exc

    def _create(self):

        con = self.context
        endpoint_type = self._get_client_option('glance', 'endpoint_type')
        endpoint = self.url_for(service_type='image',
                                endpoint_type=endpoint_type)
        args = {
            'auth_url': con.auth_url,
            'service_type': 'image',
            'project_id': con.tenant,
            'token': self.auth_token,
            'endpoint_type': endpoint_type,
            # 'ca_file' is not a keyword glanceclient accepts; it expects 'cacert'
            'ca_file': self._get_client_option('glance', 'ca_file'),
            'cert_file': self._get_client_option('glance', 'cert_file'),
            'key_file': self._get_client_option('glance', 'key_file'),
            'insecure': self._get_client_option('glance', 'insecure')
        }
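
The failure mode described above, as an added example that is not part of the original report or of Heat or glanceclient: a constructor that reads TLS options from keyword arguments drops a misnamed key silently, so the configured CA never reaches the handshake. StubImageClient, the helper names, the endpoint and the file path are assumptions; only the 'ca_file' to 'cacert' rename comes from the report.

```python
# Added illustration; StubImageClient is a hypothetical stand-in, not glanceclient code.
# Only the 'ca_file' -> 'cacert' rename comes from the bug report.

# Keyword names the stand-in reads; 'cacert' is the name the report says is supported.
SUPPORTED_TLS_KWARGS = {"cacert", "cert_file", "key_file", "insecure"}

# heat.conf [clients_glance] option -> constructor keyword
BUGGY_MAP = {"ca_file": "ca_file", "cert_file": "cert_file",
             "key_file": "key_file", "insecure": "insecure"}
FIXED_MAP = dict(BUGGY_MAP, ca_file="cacert")


class StubImageClient:
    """Reads TLS settings with kwargs.get(), so unknown keys are dropped silently."""

    def __init__(self, endpoint, **kwargs):
        self.endpoint = endpoint
        self.cacert = kwargs.get("cacert")
        self.insecure = bool(kwargs.get("insecure", False))

    def trust_source(self):
        """Describe which trust anchors a TLS handshake would be checked against."""
        if self.insecure:
            return "verification disabled"
        return self.cacert or "system default bundle"


def build_kwargs(options, option_map):
    """Translate configured options into constructor keywords, skipping unset ones."""
    return {option_map[name]: value
            for name, value in options.items() if value is not None}


def unsupported_tls_kwargs(kwargs):
    """Return keywords the client would ignore; a non-empty result is a wiring bug."""
    return sorted(set(kwargs) - SUPPORTED_TLS_KWARGS)


# Constructed sample configuration (the path is a placeholder).
OPTIONS = {"ca_file": "/etc/heat/private-ca.pem", "cert_file": None,
           "key_file": None, "insecure": False}

if __name__ == "__main__":
    for label, mapping in (("buggy", BUGGY_MAP), ("fixed", FIXED_MAP)):
        kw = build_kwargs(OPTIONS, mapping)
        client = StubImageClient("https://glance.example:9292", **kw)
        print(label, "->", client.trust_source(), "| ignored:", unsupported_tls_kwargs(kw))
```

A check like unsupported_tls_kwargs in a unit test catches the misnamed key when the plugin is wired up, rather than as a certificate verify failure at stack creation.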

zhu zhu (zhuzhubj)
tags: added: security
zhu zhu (zhuzhubj)
summary: - SSL certification verification failed when Heat calls Glanceclient using
- insecure=False
+ SSL certification verification failed when Heat calls Glanceclient with
+ ca cert
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/130512

Changed in heat:
assignee: nobody → zhu zhu (zhuzhubj)
status: New → In Progress
tags: added: juno-backport-potential
Changed in heat:
importance: Undecided → High
milestone: none → kilo-1
OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (master)

Reviewed: https://review.openstack.org/130512
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=fa7fd9d9882baf028efe0807840a4a8180cc9b9c
Submitter: Jenkins
Branch: master

commit fa7fd9d9882baf028efe0807840a4a8180cc9b9c
Author: ZHU ZHU <email address hidden>
Date: Thu Oct 23 06:45:38 2014 -0500

    Correct CA cert argument for glanceclient

    Heat needs to pass the CA cert to glanceclient to load image data
    during stack creation when glance api is configured with SSL.
    Currently the client is passing the wrong cert key to glanceclient.
    The key should be 'cacert' instead of 'ca_file'.

    Change-Id: Ie542dda1354776e62507240c917c1cffbc222f17
    Closes-Bug: #1384626

Changed in heat:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/130668

OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (stable/juno)

Reviewed: https://review.openstack.org/130668
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=840ceddd873ad23cb9fdf171f2ea6574738ac8d3
Submitter: Jenkins
Branch: stable/juno

commit 840ceddd873ad23cb9fdf171f2ea6574738ac8d3
Author: ZHU ZHU <email address hidden>
Date: Thu Oct 23 06:45:38 2014 -0500

    Correct CA cert argument for glanceclient

    Heat needs to pass the CA cert to glanceclient to load image data
    during stack creation when glance api is configured with SSL.
    Currently the client is passing the wrong cert key to glanceclient.
    The key should be 'cacert' instead of 'ca_file'.

    Change-Id: Ie542dda1354776e62507240c917c1cffbc222f17
    Closes-Bug: #1384626
    (cherry picked from commit fa7fd9d9882baf028efe0807840a4a8180cc9b9c)

Thierry Carrez (ttx)
Changed in heat:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in heat:
milestone: kilo-1 → 2015.1.0
Zane Bitter (zaneb)
tags: added: in-stable-juno
removed: juno-backport-potential