heatclient won't regard ssl options

Bug #1702645 reported by Ethan Lynn
This bug affects 1 person
Affects: OpenStack Heat
Status: In Progress
Importance: Medium
Assigned to: Zane Bitter

Bug Description

Even though I set insecure = True in [clients_heat], I still fail to create an OS::Heat::Stack in another region with HTTPS.

DEBUG (session) POST call to orchestration for http://192.168.111.160:8004/v1/615e4d873cee47139139bff5cb0e1213/stacks used request id req-d1b8bd88-b69a-4f94-b561-8f6812187f70
Traceback (most recent call last):
  File "/usr/bin/heat", line 10, in <module>
    sys.exit(main())
  File "/usr/lib/python2.7/dist-packages/heatclient/shell.py", line 608, in main
    HeatShell().main(args)
  File "/usr/lib/python2.7/dist-packages/heatclient/shell.py", line 558, in main
    args.func(client, args)
  File "/usr/lib/python2.7/dist-packages/heatclient/v1/shell.py", line 139, in do_stack_create
    hc.stacks.create(**fields)
  File "/usr/lib/python2.7/dist-packages/heatclient/v1/stacks.py", line 172, in create
    data=kwargs, headers=headers)
  File "/usr/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 223, in post
    return self.request(url, 'POST', **kwargs)
  File "/usr/lib/python2.7/dist-packages/heatclient/common/http.py", line 318, in request
    raise exc.from_response(resp)
heatclient.exc.HTTPBadRequest: ERROR: Failed validating stack template using Heat endpoint at region "nova" due to "SSL exception connecting to https://192.168.112.160:8004/v1/615e4d873cee47139139bff5cb0e1213/validate: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)"

OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/480923

Changed in heat:
assignee: nobody → Ethan Lynn (ethanlynn)
status: New → In Progress
Rabi Mishra (rabi) wrote :

So your keystone does not use SSL, but the remote heat does, or the certificates are different?

However, currently the same keystone ssl options would be used[1], which may not be the right assumption I suppose.

[1] https://github.com/openstack/heat/blob/master/heat/common/context.py#L114

Ethan Lynn (ethanlynn) wrote :

Yes, I use internalURL in [clients_keystone] and set publicURL in [clients_heat]; our internalURL is http, publicURL is https. This will cause an error when I create an OS::Heat::Stack resource.
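
An added illustration of the option resolution discussed in this thread, not code from Heat or from any commenter: it contrasts reusing keystone's SSL options for every client with resolving them per client section. The helper names, the fallback to a `[clients]` section, the sample configs and the CA path are assumptions made for the example.

```python
import configparser

# Constructed heat.conf fragments; the ca_file path is a placeholder.
REPORTED = """
[clients_keystone]
endpoint_type = internalURL
[clients_heat]
endpoint_type = publicURL
insecure = True
"""
PINNED_CA = """
[clients_keystone]
endpoint_type = internalURL
[clients_heat]
endpoint_type = publicURL
ca_file = /etc/heat/remote-region-ca.pem
"""

def load(text):
    conf = configparser.ConfigParser()
    conf.read_string(text)
    return conf

def client_option(conf, service, name):
    """Look in [clients_<service>] first, then fall back to [clients] (assumed order)."""
    for section in ("clients_" + service, "clients"):
        if conf.has_option(section, name):
            return conf.get(section, name)
    return None

def verify_for(conf, service):
    """Value for a requests-style `verify` argument: False, True, or a CA bundle path."""
    if (client_option(conf, service, "insecure") or "false").lower() == "true":
        return False
    return client_option(conf, service, "ca_file") or True

def effective_verify(conf, service, per_client):
    # per_client=False models the behaviour described in the thread:
    # keystone's SSL options are reused for every client.
    return verify_for(conf, service if per_client else "keystone")

if __name__ == "__main__":
    for label, text in (("reported", REPORTED), ("pinned CA", PINNED_CA)):
        conf = load(text)
        print(label, "shared:", effective_verify(conf, "heat", False),
              "per-client:", effective_verify(conf, "heat", True))
```

With shared resolution the `[clients_heat]` settings never reach the remote heat client, so verification stays on against the default trust store. The pinned-CA variant shows per-client resolution keeping verification enabled instead of turning it off with `insecure`.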

Rico Lin (rico-lin)
Changed in heat:
importance: Undecided → Low
milestone: none → queens-1
importance: Low → Medium
Rico Lin (rico-lin)
Changed in heat:
milestone: queens-1 → queens-2
Rico Lin (rico-lin)
Changed in heat:
milestone: queens-2 → queens-3
Rico Lin (rico-lin)
Changed in heat:
milestone: queens-3 → queens-rc1
Rico Lin (rico-lin)
Changed in heat:
milestone: queens-rc1 → rocky-1
Changed in heat:
assignee: Ethan Lynn (ethanlynn) → Zane Bitter (zaneb)
Rico Lin (rico-lin)
Changed in heat:
milestone: rocky-1 → rocky-2