Certificate file passed via --os-cacert ignored
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
python-barbicanclient | New | Undecided | Unassigned | |
Bug Description
I have a Barbican install using Apache for mod_wsgi to serve the API service and for SSL termination. I'm using a self-signed certificate and key and have the certificate authority file on both the client and the server. When I query the API, the client returns:
SSL exception connecting to https:/
Traceback (most recent call last):
File "/usr/lib/
result = cmd.run(
File "/usr/lib/
column_names, data = self.take_
File "/usr/lib/
args.
File "/usr/lib/
response = self._api.
File "/usr/lib/
return super(_HTTPClient, self).get(*args, **kwargs).json()
File "/usr/lib/
return self.request(url, 'GET', **kwargs)
File "/usr/lib/
resp = super(_HTTPClient, self).request(
File "/usr/lib/
return self.session.
File "/usr/lib/
return func(*args, **kwargs)
File "/usr/lib/
resp = send(**kwargs)
File "/usr/lib/
raise exceptions.
SSLError: SSL exception connecting to https:/
I have looked into this and for some reason the Barbican client appears to not be passing the local CA file to the keystone middleware. I added a small piece of debug to _send_request in keystoneclient/
verify = /home/ubuntu/
But for Barbican I see:
verify = True
If I edit _send_request and override 'verify' in kwargs to point at the local CA file then Barbican works again. The barbican client also works if I specify '--insecure'.
I'm seeing the issue with barbican 4.0.1.
$ barbican --version
barbican 4.0.1
$ barbican --os-cacert /home/ubuntu/cert.pem secret list
Starting new HTTP connection (1): 10.5.15.67
Starting new HTTPS connection (1): 10.5.15.73
Failed to contact the endpoint at https://10.5.15.73:9311 for discovery. Fallback to using that endpoint as the base url.
Starting new HTTPS connection (2): 10.5.15.73
SSL exception connecting to https://10.5.15.73:9311/secrets: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
However, pip installing the openstack client and python-barbican client results in a working client:
sudo apt-get install python-dev python-pip
sudo pip install python-openstackclient
sudo pip install python-barbicanclient
openstack --os-cacert /home/ubuntu/cert.pem secret list
$ sudo pip freeze | grep -E 'barbi|keystone|openstack'
keystoneauth1==2.9.0
openstacksdk==0.9.0
python-barbicanclient==4.0.1
python-keystoneclient==3.2.0
python-openstackclient==2.6.0
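An added example, not part of the original report and not python-barbicanclient code: a regression check for the symptom described above, where a session ends up with `verify = True` although `--os-cacert` was given. `RecordingSession`, `buggy_factory`, `fixed_factory` and `audit` are hypothetical names, and the mapping assumes the `requests` convention that `verify` is `False`, `True`, or a CA bundle path.

```python
import argparse


def build_parser():
    # Only the two TLS options named in the report; everything else is omitted.
    p = argparse.ArgumentParser(prog="client")
    p.add_argument("--os-cacert", dest="os_cacert", default=None)
    p.add_argument("--insecure", action="store_true")
    return p


def resolve_verify(args):
    """Map the CLI TLS options to the `verify` value the HTTP session should get."""
    if args.insecure:
        return False                   # verification explicitly disabled
    return args.os_cacert or True      # custom CA bundle, else system trust store


class RecordingSession:
    """Hypothetical stand-in for an HTTP session; records the verify value it was built with."""

    def __init__(self, verify=True):
        self.verify = verify


def buggy_factory(args):
    # Drops the TLS options, so the session keeps the default verify=True.
    return RecordingSession()


def fixed_factory(args):
    # Threads the resolved value through to the session.
    return RecordingSession(verify=resolve_verify(args))


def audit(factory, argv):
    """Return a finding string if the session's verify differs from what the CLI asked for."""
    args = build_parser().parse_args(argv)
    expected = resolve_verify(args)
    actual = factory(args).verify
    if actual != expected:
        return "verify=%r but CLI options require %r" % (actual, expected)
    return None


if __name__ == "__main__":
    # Constructed sample invocation; the path is a placeholder.
    print(audit(buggy_factory, ["--os-cacert", "/tmp/ca.pem"]))
    print(audit(fixed_factory, ["--os-cacert", "/tmp/ca.pem"]))
```

Run against a real client, the same comparison can be made by recording the `verify` keyword that reaches the session's request call, as the reporter did with a debug print.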