Debian/Ubuntu system wide CA certificate file doesn't seem to be used

Bug #1301890 reported by Stuart McLaren
Affects: python-cinderclient
Status: Invalid
Importance: Medium
Assigned to: Duncan Thomas
Milestone: (none)

Bug Description

If you create a CA certificate and add it to the default locations by copying it to /usr/local/share/ca-certificates/ and running 'update-ca-certificates' it should be picked up by anything using openssl.

For example curl:

1) before running update-ca-certificates:

 $ curl https://192.0.2.254:13776
 curl: (60) SSL certificate problem: unable to get local issuer certificate
 More details here: http://curl.haxx.se/docs/sslcerts.html

2) after running update-ca-certificates:

$ curl https://192.0.2.254:13776
{"versions": [{"status": "CURRENT", "updated": "2012-01-04T11:33:21Z", "id": "v1.0", "links": [{"href": "http://192.0.2.254:13776/v1/", "rel": "self"}]}, {"status": "CURRENT", "updated": "2012-11-21T11:33:21Z", "id": "v2.0", "links": [{"href": "http://192.0.2.254:13776/v2/", "rel": "self"}]}]}

although pointing directly to the CA file does work:

 $ cinder --os-cacert /etc/ssl/from-heat-ca.crt list
 +----+--------+--------------+------+-------------+----------+-------------+
 | ID | Status | Display Name | Size | Volume Type | Bootable | Attached to |
 +----+--------+--------------+------+-------------+----------+-------------+
 +----+--------+--------------+------+-------------+----------+-------------+

after update-ca-certificates has been run the CA cert is not picked up automatically from the system-wide location:

 $ cinder list
 ERROR: Unable to establish connection: [Errno 1] _ssl.c:509: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Revision history for this message
Stuart McLaren (stuart-mclaren) wrote :

FWIW this works with the glance client, but not other clients.

Changed in python-cinderclient:
status: New → Confirmed
assignee: nobody → Duncan Thomas (duncan-thomas)
importance: Undecided → Medium
Stuart McLaren (stuart-mclaren) wrote :

some of the clients seem to do a brute force search if nothing is supplied:

import logging
import os

import requests

LOG = logging.getLogger(__name__)


def get_system_ca_file():
    """Return path to system default CA file."""
    # Standard CA file locations for Debian/Ubuntu, RedHat/Fedora,
    # Suse, FreeBSD/OpenBSD, MacOSX, and the bundled ca
    ca_path = ['/etc/ssl/certs/ca-certificates.crt',
               '/etc/pki/tls/certs/ca-bundle.crt',
               '/etc/ssl/ca-bundle.pem',
               '/etc/ssl/cert.pem',
               '/System/Library/OpenSSL/certs/cacert.pem',
               requests.certs.where()]
    # First existing path wins; the bundled certifi bundle is the last resort.
    for ca in ca_path:
        LOG.debug("Looking for ca file %s", ca)
        if os.path.exists(ca):
            LOG.debug("Using ca file %s", ca)
            return ca
    # Falls through to None when no bundle exists anywhere.
    LOG.warning("System ca file could not be found.")

Stuart McLaren (stuart-mclaren) wrote :

The glance client loads the default OS path using:

self.context.set_default_verify_paths()

I think this is only possible because it's not (yet?) using requests.

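The two approaches in the comments above (the brute-force list of distribution bundle paths, and the glance client's set_default_verify_paths() call) can be combined into one lookup that a requests-based client could feed into its verify= argument. The following is an added example written for this report, not code from python-cinderclient, glanceclient or any other OpenStack project. The names resolve_ca_bundle and system_trust_context are made up here; OS_CACERT is assumed to be the environment-variable form of --os-cacert. The environ and exists parameters are injectable only so the lookup can be exercised against a constructed filesystem.

```python
"""Resolve the CA bundle a requests-based OpenStack client should verify against.

Added example for this bug report; not code from python-cinderclient,
glanceclient or any other OpenStack project.
"""
import os
import ssl

# Distribution-managed bundle locations, in the order the comment above lists
# them. On Debian/Ubuntu the first one is what update-ca-certificates writes.
SYSTEM_CA_CANDIDATES = (
    '/etc/ssl/certs/ca-certificates.crt',        # Debian/Ubuntu
    '/etc/pki/tls/certs/ca-bundle.crt',          # RedHat/Fedora
    '/etc/ssl/ca-bundle.pem',                    # SUSE
    '/etc/ssl/cert.pem',                         # FreeBSD/OpenBSD
    '/System/Library/OpenSSL/certs/cacert.pem',  # macOS
)

# Environment variables consulted before probing the filesystem. OS_CACERT is
# assumed to be the environment form of --os-cacert; SSL_CERT_FILE is honoured
# by OpenSSL itself and REQUESTS_CA_BUNDLE by requests.
CA_ENV_VARS = ('OS_CACERT', 'SSL_CERT_FILE', 'REQUESTS_CA_BUNDLE')


def resolve_ca_bundle(environ=None, exists=os.path.exists):
    """Return the CA bundle path to pass as ``verify=`` to requests.

    ``environ`` and ``exists`` are injectable so the lookup can be exercised
    against a constructed environment and filesystem; by default the real
    ones are used.

    Order: explicit configuration, then OpenSSL's compile-time default
    (the location set_default_verify_paths() loads), then the distribution
    list. Returns None if nothing usable exists; the caller must treat that
    as an error, never as a reason to pass verify=False.
    """
    env = os.environ if environ is None else environ

    for var in CA_ENV_VARS:
        path = env.get(var)
        if path:
            if exists(path):
                return path
            # A configured bundle that is missing is a misconfiguration;
            # silently falling through would verify against a different
            # trust store than the operator intended.
            raise FileNotFoundError('%s=%r does not exist' % (var, path))

    # What the glance client gets implicitly via set_default_verify_paths():
    # the cafile OpenSSL was built to use (SSL_CERT_FILE overrides it).
    defaults = ssl.get_default_verify_paths()
    for path in (defaults.cafile, defaults.openssl_cafile):
        if path and exists(path):
            return path

    for path in SYSTEM_CA_CANDIDATES:
        if exists(path):
            return path
    return None


def system_trust_context():
    """Build an SSLContext trusting the OS store, the way the glance client
    does via set_default_verify_paths(); verification stays mandatory."""
    ctx = ssl.create_default_context()
    ctx.set_default_verify_paths()
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        raise RuntimeError('default context unexpectedly does not require certs')
    return ctx


if __name__ == '__main__':
    print('CA bundle for requests:', resolve_ca_bundle())
    print('OpenSSL default paths:', ssl.get_default_verify_paths())
```

A client would call requests.get(url, verify=resolve_ca_bundle()) and refuse to continue when the result is None. Note that requests also accepts a directory for verify=, so defaults.capath (on Debian the hashed-link directory /etc/ssl/certs) is an equally valid answer that this lookup leaves out for brevity.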
Sean McGinnis (sean-mcginnis) wrote : Bug Cleanup

Closing stale bug. If this is still an issue please reopen.

Changed in python-cinderclient:
status: Confirmed → Invalid