trove requests to keystone throwing SSL: CERTIFICATE_VERIFY_FAILED error
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
kolla-ansible | New | Undecided | Unassigned |
Bug Description
What happened:
Any calls to the UI or trove cli fail (i.e. trove list, etc.)
2023-10-26 10:44:37.959 1010 ERROR trove.common.wsgi keystoneauth1.
Please check that your auth_url is correct. SSL exception connecting to https:/
(Caused by SSLError(
What you expected to happen:
CA should verify SSL
How to reproduce it (minimal and precise):
kolla-ansible -i all-in-one deploy --tags trove
* OS (e.g. from /etc/os-release):
(venv) ansible@
PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_
ID=ubuntu
ID_LIKE=debian
HOME_URL="https:/
SUPPORT_URL="https:/
BUG_REPORT_URL="https:/
PRIVACY_
UBUNTU_
* Kernel (e.g. `uname -a`):
Linux dev-os-01 5.15.0-86-generic #96-Ubuntu SMP Wed Sep 20 08:23:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
* Docker version if applicable (e.g. `docker version`):
docker version
Client: Docker Engine - Community
Version: 24.0.6
API version: 1.43
Go version: go1.20.7
Git commit: ed223bc
Built: Mon Sep 4 12:31:44 2023
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 24.0.6
API version: 1.43 (minimum version 1.12)
Go version: go1.20.7
Git commit: 1a79695
Built: Mon Sep 4 12:31:44 2023
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.24
GitCommit: 61f9fd88f79f081
runc:
Version: 1.1.9
GitCommit: v1.1.9-0-gccaecfc
docker-init:
Version: 0.19.0
GitCommit: de40ad0
* Kolla-Ansible version (e.g. `git head or tag or stable branch` or pip package version if using release):
kolla-ansible installed like so:
pip install git+https:/
* Docker image Install type (source/binary):
binary
* Docker image distribution:
ubuntu
* Are you using official images from Docker Hub or self built?
Docker Hub
* Share your inventory file, globals.yml and other configuration files if relevant
all-in-one (unmodified)
I'm using a self signed cert created with: kolla-ansible -i all-in-one certificates
grep -v '^#' /etc/kolla/
workaround_
kolla_base_distro: "ubuntu"
network_interface: "enp65s0f0.100"
neutron_
enable_
neutron_
kolla_internal_
keepalived_
enable_cinder: "yes"
enable_
openstack_cacert: "/etc/ssl/
kolla_enable_
kolla_enable_
kolla_admin_
kolla_copy_
kolla_verify_
kolla_enable_
horizon_
enable_barbican: "yes"
enable_swift: "yes"
enable_swift_s3api: "yes"
enable_octavia: "yes"
octavia_
octavia_
name: lb-mgmt-net
provider_
provider_
provider_
external: false
shared: false
subnet:
name: lb-mgmt-subnet
cidr: "10.1.92.0/24"
allocation_
allocation_
gateway_ip: "10.1.92.1"
enable_dhcp: yes
enable_gnocchi: "yes"
enable_cloudkitty: "yes"
cloudkitty_
cloudkitty_
gnocchi_
enable_magnum: "yes"
enable_
enable_redis: "yes"
enable_designate: "yes"
designate_
enable_trove: "yes"
trove_logging_
/etc/kolla/
[keystone_
service_type = database
www_authenticat
project_domain_name = Default
project_name = service
user_domain_name = Default
username = trove
password = _removed_
auth_url = https:/
auth_type = password
cafile = /etc/ssl/
region_name = RegionOne
I have verified the certs are in the container and are correct
docker exec -it trove_api bash
(trove-
issuer=CN = KollaTestCA
(trove-
subject=CN = KollaTestCA
Also verified with python from inside the trove_api container
(trove-
Python 3.10.12 (main, Jun 11 2023, 05:26:28) [GCC 11.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> r = requests.get('https:/
Traceback (most recent call last):
File "/var/lib/
httplib_
File "/var/lib/
self.
File "/var/lib/
conn.connect()
File "/var/lib/
self.sock = ssl_wrap_socket(
File "/var/lib/
ssl_sock = _ssl_wrap_
File "/var/lib/
return ssl_context.
File "/usr/lib/
return self.sslsocket_
File "/usr/lib/
self.
File "/usr/lib/
self.
ssl.SSLCertVeri
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/var/lib/
resp = conn.urlopen(
File "/var/lib/
retries = retries.increment(
File "/var/lib/
raise MaxRetryError(
urllib3.
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/var/lib/
return request("get", url, params=params, **kwargs)
File "/var/lib/
return session.
File "/var/lib/
resp = self.send(prep, **send_kwargs)
File "/var/lib/
r = adapter.
File "/var/lib/
raise SSLError(e, request=request)
requests.
>>>
>>> r = requests.get('https:/
/var/lib/
warnings.warn(
>>> r = requests.get('https:/
>>> r.text
'{"versions": {"values": [{"id": "v3.14", "status": "stable", "updated": "2020-04-
>>> r = requests.get('https:/
>>> r.text
'{"versions": {"values": [{"id": "v3.14", "status": "stable", "updated": "2020-04-
>>>
If I stomp on the certifi/cacert.pem, both python requests & the trove_api will start working.
Obviously not a solution, just a fact.
cp -p /var/lib/
cp /etc/ssl/
(trove-
Python 3.10.12 (main, Jun 11 2023, 05:26:28) [GCC 11.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> r = requests.get('https:/
>>> r.text
'{"versions": {"values": [{"id": "v3.14", "status": "stable", "updated": "2020-04-
>>>
Same SSL error happens with taskmanager
2023-10-26 16:46:00.673 7 ERROR oslo_messaging.
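The report shows the two halves of the problem: the interactive requests call fails with CERTIFICATE_VERIFY_FAILED because requests verifies against certifi's bundled cacert.pem rather than the cafile configured for keystoneauth1, and copying the Kolla CA over certifi's bundle "fixes" it. The following diagnostic is an added example written for this page; it is not code from the bug report, from kolla-ansible or from trove. It compares the SHA-256 fingerprints of every certificate in a CA bundle with those in the configured cafile, so an operator can confirm whether the Kolla CA is simply absent from the bundle the client is actually using, and it shows the stdlib way to pin a specific cafile for one request instead of overwriting certifi. The PEM blocks embedded below are constructed placeholders (base64 of a marker string, not real certificates), and the file paths in `check_bundles` and the URL in `fetch_with_cafile` are hypothetical.

```python
"""Check whether a configured CA is present in a Python client's CA bundle.

Added example (not from the bug report, kolla-ansible or trove). Works on any
PEM bundle: certifi's cacert.pem, /etc/ssl/certs/ca-certificates.crt, or the
cafile named in a [keystone_authtoken] section.
"""
import base64
import hashlib
import re
import ssl
import urllib.request

# Matches each certificate body in a PEM bundle (base64 between the markers).
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_fingerprints(pem_text: str) -> set:
    """Return the SHA-256 fingerprint (hex) of every certificate in a PEM bundle.

    The fingerprint is taken over the DER bytes, which is what `openssl x509
    -fingerprint -sha256` reports, so results can be cross-checked by hand.
    """
    fingerprints = set()
    for body in PEM_CERT_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fingerprints.add(hashlib.sha256(der).hexdigest())
    return fingerprints


def missing_from_bundle(bundle_text: str, cafile_text: str) -> set:
    """Fingerprints that are in the configured cafile but not in the bundle.

    A non-empty result explains a CERTIFICATE_VERIFY_FAILED from a client that
    falls back to its own bundle (certifi) instead of the configured cafile.
    """
    return pem_fingerprints(cafile_text) - pem_fingerprints(bundle_text)


def check_bundles(bundle_path: str, cafile_path: str) -> set:
    """File-based wrapper around missing_from_bundle (paths are hypothetical)."""
    with open(bundle_path, encoding="ascii") as bundle, open(
        cafile_path, encoding="ascii"
    ) as cafile:
        return missing_from_bundle(bundle.read(), cafile.read())


def fetch_with_cafile(url: str, cafile: str, timeout: float = 10.0) -> str:
    """Fetch url verifying the server against cafile only, without touching
    certifi. Raises ssl.SSLCertVerificationError if the chain does not lead
    to a CA in cafile, which is the desired behaviour (no verify=False)."""
    context = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=context, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def _constructed_pem(marker: str) -> str:
    """Build a constructed placeholder PEM block (NOT a real certificate)."""
    body = base64.b64encode(marker.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample bundles: one "public" bundle standing in for certifi's
# cacert.pem, and one cafile standing in for the Kolla-generated test CA.
SAMPLE_PUBLIC_BUNDLE = _constructed_pem("constructed: public root 1") + _constructed_pem(
    "constructed: public root 2"
)
SAMPLE_KOLLA_CAFILE = _constructed_pem("constructed: KollaTestCA")


def demo() -> dict:
    """Show the before/after of the reporter's workaround on the samples."""
    before = missing_from_bundle(SAMPLE_PUBLIC_BUNDLE, SAMPLE_KOLLA_CAFILE)
    # Appending the CA to the bundle is what `cp /etc/ssl/... cacert.pem`
    # effectively did; checking again shows nothing is missing afterwards.
    after = missing_from_bundle(
        SAMPLE_PUBLIC_BUNDLE + SAMPLE_KOLLA_CAFILE, SAMPLE_KOLLA_CAFILE
    )
    return {"missing_before": len(before), "missing_after": len(after)}


if __name__ == "__main__":
    print(demo())  # constructed samples: 1 missing before, 0 after
```

Run `check_bundles("/path/to/certifi/cacert.pem", "/etc/ssl/<kolla-ca>.pem")` inside the trove_api container to confirm the Kolla CA is absent from certifi's bundle; an empty set means the bundle is not the cause and the failing client is using a different context. `fetch_with_cafile` keeps verification on and pins the configured CA for that call, which is the per-client equivalent of the cafile keystoneauth1 is given, rather than the global overwrite the report describes.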