openstack provider should have config option to ignore invalid certs

<rogpeppe> you can configure the http stack to always ignore invalid certs, or ignore them for just a single request
<rogpeppe> for the former, you can set http.DefaultClient.Transport to &http.Transport{TLSClientConfig: tls.Config{InsecureSkipVerify: true, (maybe more here)}}
<rogpeppe> for the latter, you can create a new http.Client and call Do (or Get or whatever) on that

Are these valid self-signed certs, or just completely invalid certificates?

Self-signed by our openstack charms, but getting those ca certs in place for all the users of the cloud is a non trivial for usage. i think this is a higher priority as its going to effect our openstack deployments, which typically set the following pyjuju flag on the openstack env to combat this.
    ssl-hostname-verification: false

This bug is preventing me from using juju-core for our deployments.

Raising priority at the request of jpds who hit it during a customer deployment.

If this is a customer facing issue that works in pyjuju but not in core, we should resolve it as quickly as possible. Otherwise we are forcing users to choose between old unsupported juju, and does not yet work for me juju, which is definitely not a good thing.

So, what we probably want here is to resurrect the ssl-hostname-verification environments.yaml config key, but now defaulted to "true" everywhere. Perhaps we only want to support setting it to false for Openstack even. When it's manually set to false, we should use InsecureSkipVerify for all http communication with cloud api endpoints:

<http://stackoverflow.com/questions/12122159/golang-how-to-do-a-https-request-with-bad-certificate>

The tricky part, is it's not just the state server that will be talking to object-store, as all machines will want to get tools and such like from there. So, the config will need to get propogated, and read, before tools are downloaded or anything else is fetched from swift containers.

so to be clear, the specific hard part is that while we can easily configure and pass around "ssl-hostname-verification: false" to Goose code, we will *also* likely need to be passing that all the way down to the "wget https://.../juju-1.13.2-precise-amd64.tar.gz" call.

The related branch allows insecure requests, but I haven't quite gotten everything wired up. The goose.Client code seems wired up reasonably well, but identity.Authorizer objects actually have their own goose/http.Client connections.

I think the necessary changes to goose have already landed.

Initial steps have landed, remaining steps split into bug #1234577 and bug #1234576