Neither OS_TARGET_CACERT nor --os-target_cacert works; still reports CERTIFICATE_VERIFY_FAILED

Bug #1782076 reported by Andy
Affects: Mistral
Status: Fix Released
Importance: Medium
Assigned to: Andras Kovi

Bug Description

Mistral release: 7.0.0.0b2

Workflow test.yaml:

version: '2.0'
create_vm:
  description: Simple workflow example
  type: direct
  tasks:
    get_servers:
      action: nova.servers_list
      publish:
        servers: <% task(get_servers).result %>

Openstack RC info:
export MISTRAL_URL="http://localhost:8989/v2"
export OS_TARGET_AUTH_URL=https://.../v3
export OS_TARGET_USERNAME=...
export OS_TARGET_PROJECT_NAME=...
export OS_TARGET_PASSWORD=...
export OS_TARGET_CACERT=/tmp/openstack.crt
export OS_TARGET_REGION_NAME=RegionOne
export OS_TARGET_USER_DOMAIN_NAME=Default
export OS_TARGET_PROJECT_DOMAIN_NAME=Default

Commands:
mistral workflow-create test.yaml
mistral execution-create create_vm

Result:
get_servers [task_ex_id=0df26820-6f6b-40b5-920b-0fcb995944df] -> Failed to run action [action_ex_id=a4c2e708-0701-49b5-a023-6c8330c1f773, action_cls='<class 'mistral.actions.action_factory.NovaAction'>', attributes='{u'client_method_name': u'servers.list'}', params='{}']
NovaAction.servers.list failed: Authorization failed: SSL exception connecting to https://.../v3/auth/tokens: HTTPSConnectionPool(host='...', port=...): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)'),))

Also I tried mistral --os-target_cacert /tmp/openstack.crt execution-create create_vm; still the same error.

This cacert file works when I directly use an OpenStack command like "nova list".

Tags: docs 7.0.0.0b2
Andy (785113507-6) wrote :

Also I tried to set mistral.conf:
[keystone_authtoken]
cafile = /tmp/openstack.crt
auth_uri = https://.../v3

And in the client I set the OpenStack RC info:
export MISTRAL_URL="http://localhost:8989/v2"
export OS_AUTH_URL=https://.../v3
export OS_USERNAME=...
export OS_PROJECT_NAME=...
export OS_PASSWORD=...
export OS_CACERT=/tmp/openstack.crt
export OS_REGION_NAME=RegionOne
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default

But it still reports the same error. The traceback is:
2018-07-20 03:06:39.509 766 WARNING mistral.actions.openstack.base [req-1a06d85f-32ea-4e89-b8ef-7a59d855021a - - - - -] Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/mistral/actions/openstack/base.py", line 115, in run
    method = self._get_client_method(self._get_client(context))
  File "/usr/lib/python2.7/site-packages/mistral/actions/openstack/base.py", line 84, in _get_client
    return self._create_client(context)
  File "/usr/lib/python2.7/site-packages/mistral/actions/openstack/actions.py", line 89, in _create_client
    nova_endpoint = self.get_service_endpoint()
  File "/usr/lib/python2.7/site-packages/mistral/actions/openstack/base.py", line 108, in get_service_endpoint
    region_name=self.action_region
  File "/usr/lib/python2.7/site-packages/mistral/utils/openstack/keystone.py", line 161, in get_endpoint_for_project
    service_catalog = obtain_service_catalog(ctx)
  File "/usr/lib/python2.7/site-packages/mistral/utils/openstack/keystone.py", line 239, in obtain_service_catalog
    response = client().tokens.get_token_data(
  File "/usr/lib/python2.7/site-packages/mistral/utils/openstack/keystone.py", line 44, in client
    auth_url=auth_url
  File "/usr/lib/python2.7/site-packages/keystoneclient/v3/client.py", line 263, in __init__
    self.authenticate()
  File "/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 578, in authenticate
    resp = self.get_raw_token_from_identity_service(**kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/v3/client.py", line 349, in get_raw_token_from_identity_service
    _('Authorization failed: %s') % e)
AuthorizationFailure: Authorization failed: SSL exception connecting to https://.../v3/auth/tokens: HTTPSConnectionPool(host='...', port=...): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)'),))

Andras Kovi (akovi)
Changed in mistral:
assignee: nobody → Andras Kovi (akovi)
status: New → Confirmed
Andras Kovi (akovi) wrote :

OS_TARGET_CACERT is a client side option. The cacert file is not transmitted to the Mistral server. It is the responsibility of the user to make sure that the Mistral Executor can communicate with the target cloud. That is, it must be able to open SSL connections to the target. This is a similar limitation to what is present for the std.ssh [1] action.

The documentation will be improved to describe these limitations for OS_TARGET_CACERT.

[1] https://docs.openstack.org/mistral/latest/user/wf_lang_v2.html#std-ssh
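
As an added check (example code written for this page, not part of Mistral or python-mistralclient), the script below is meant to be run on the Mistral executor host rather than on the client. It asks the same Python TLS stack that keystoneclient and requests use whether it can complete a verified handshake to the target cloud's Keystone endpoint, optionally against a specific CA file, and reports the OpenSSL reason code (for instance CERTIFICATE_VERIFY_FAILED) instead of a wrapped traceback. Verification is never turned off. The function names, the command-line arguments and the cadata parameter are this example's own; the Keystone URL and CA path are whatever you pass in.

```python
#!/usr/bin/env python3
"""Added example, not Mistral or python-mistralclient code.

Run on the Mistral executor host to see whether Python's TLS stack there can
validate the target cloud's Keystone endpoint.  Verification is never
disabled: the goal is to make the executor trust the right CA, not to turn
checking off.  The Keystone URL and CA path are assumptions given on the
command line.
"""
import os
import re
import socket
import ssl
import sys
from urllib.parse import urlparse

# Matches the reason token in messages such as
# "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)".
_REASON_RE = re.compile(r"\[SSL: ([A-Z0-9_]+)\]")


def classify_tls_failure(message):
    """Return the OpenSSL reason code embedded in an SSLError message, or None."""
    m = _REASON_RE.search(str(message))
    return m.group(1) if m else None


def load_ca_context(cafile=None, cadata=None):
    """Build a verifying TLS context.

    With neither cafile nor cadata the system trust store is used; otherwise
    only the given CAs are trusted, which mirrors what OS_CACERT does for a
    client.  Raises FileNotFoundError for a missing file and ValueError for
    a file or string that is not a loadable PEM bundle.
    """
    if cafile is None and cadata is None:
        ctx = ssl.create_default_context()
    else:
        if cafile is not None and not os.path.isfile(cafile):
            raise FileNotFoundError(f"CA file not present on this host: {cafile}")
        try:
            ctx = ssl.create_default_context(cafile=cafile, cadata=cadata)
        except (ssl.SSLError, ValueError) as exc:
            # Typical causes: not PEM, or the wrong file (e.g. a private key).
            raise ValueError(f"not a loadable PEM CA bundle: {exc}") from exc
    # Make the security posture explicit rather than relying on defaults.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def endpoint_from_auth_url(auth_url):
    """Extract (host, port) from an auth URL such as https://host:5000/v3."""
    u = urlparse(auth_url)
    if u.scheme != "https" or not u.hostname:
        raise ValueError(f"expected an https:// URL with a host, got {auth_url!r}")
    return u.hostname, u.port or 443


def probe_keystone(auth_url, cafile=None, timeout=10):
    """Attempt a verified TLS handshake to the Keystone endpoint.

    Returns (ok, detail): on success detail is the peer certificate's
    subject; on failure it is the OpenSSL reason code (for example
    CERTIFICATE_VERIFY_FAILED) or the exception text.
    """
    host, port = endpoint_from_auth_url(auth_url)
    ctx = load_ca_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(x[0] for x in tls.getpeercert()["subject"])
                return True, subject
    except ssl.SSLError as exc:          # must precede OSError: SSLError is a subclass
        return False, classify_tls_failure(exc) or str(exc)
    except OSError as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe_target_tls.py https://KEYSTONE:PORT/v3 [/path/to/ca.crt]")
    ok, detail = probe_keystone(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    print("OK, peer subject:" if ok else "FAILED:", detail)
    sys.exit(0 if ok else 1)
```

Run it with the target auth URL and the CA file as they exist on the executor host, not on the client. A FileNotFoundError there is itself the diagnosis for the report above: /tmp/openstack.crt on the client machine is not transmitted to the server. If the handshake fails with CERTIFICATE_VERIFY_FAILED against the system store but succeeds with the CA file, the CA has to be made trusted on the executor host; do not work around it by disabling verification.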

Dougal Matthews (d0ugal)
tags: added: docs
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-mistralclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/584759

Changed in mistral:
status: Confirmed → In Progress
Dougal Matthews (d0ugal)
Changed in mistral:
milestone: none → rocky-3
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-mistralclient (master)

Reviewed: https://review.openstack.org/584759
Committed: https://git.openstack.org/cgit/openstack/python-mistralclient/commit/?id=9f197f3d770de3743646e4276e30bec489c424f5
Submitter: Zuul
Branch: master

commit 9f197f3d770de3743646e4276e30bec489c424f5
Author: Andras Kovi <email address hidden>
Date: Mon Jul 23 10:11:08 2018 +0200

    Clarify details about the target cacert parameter

    Change-Id: Ib913eb035c176026ef24a31f3f36926183285318
    Closes-Bug: #1782076

Changed in mistral:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/python-mistralclient 3.7.0

This issue was fixed in the openstack/python-mistralclient 3.7.0 release.
