heat client doesn't support OS_CACERT

Bug #1308087 reported by Rob Crittenden
This bug affects 2 people
Affects: python-heatclient
Status: Fix Released
Importance: High
Assigned to: Rob Crittenden

Bug Description

(Most) OpenStack clients use the --os-cacert option to pass in the location of the CA certificate bundle for the SSL-secured server endpoint. The Heat client is missing this option, which can cause problems communicating with SSL-secured services.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-heatclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/87664

Changed in python-heatclient:
assignee: nobody → Rob Crittenden (rcritten)
status: New → In Progress
Changed in python-heatclient:
importance: Undecided → High
milestone: none → v0.2.10
Openstack Gerrit (openstack-gerrit) wrote : Fix merged to python-heatclient (master)

Reviewed: https://review.openstack.org/87664
Committed: https://git.openstack.org/cgit/openstack/python-heatclient/commit/?id=d32cdc0edc65214e2789633fd1ec82f9d627e60d
Submitter: Jenkins
Branch: master

commit d32cdc0edc65214e2789633fd1ec82f9d627e60d
Author: Rob Crittenden <email address hidden>
Date: Mon Apr 14 18:51:56 2014 -0400

    Heat client does not support OS_CACERT option

    This option is standard in OpenStack clients to pass in the
    location of any extra CA certificate bundle needed to
    negotiate an SSL connection with SSL-secured services.

    Change-Id: If675b36bf6bbd1df216277129b147c32555de0d0
    Closes-Bug: 1308087

Changed in python-heatclient:
status: In Progress → Fix Committed
Changed in python-heatclient:
status: Fix Committed → Fix Released
Yang Zhang (bjzyang) wrote :

I am using python-heatclient v0.2.10, but it seems the issue was not resolved: OS_CACERT as an environment variable and --os-cacert as a CLI option are both unsupported by the heat client.

Only CURL_CA_BUNDLE as an environment variable or --ca-file as a CLI option works:

# heat --version
0.2.10

# env |grep OS_CACERT
OS_CACERT=/etc/ssl/certs/ca-certificates.crt

# heat stack-list
[Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

# heat --os-cacert=/etc/ssl/certs/ca-certificates.crt stack-list
[Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

# heat --ca-file=/etc/ssl/certs/ca-certificates.crt stack-list
+----+------------+--------------+---------------+
| id | stack_name | stack_status | creation_time |
+----+------------+--------------+---------------+
+----+------------+--------------+---------------+

# export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
# heat stack-list
+----+------------+--------------+---------------+
| id | stack_name | stack_status | creation_time |
+----+------------+--------------+---------------+
+----+------------+--------------+---------------+

Rob Crittenden (rcritten) wrote :

The patch wasn't merged until 9/18 so it is in v0.2.11+ AFAICT.

Steve Baker (steve-stevebaker) wrote :

Rob, your fix was merged on April 29 and included in 0.2.10 which was released on June 27.

Was there a later fix in addition to this? Or is this bug not fixed yet?

Rob Crittenden (rcritten) wrote :

No, I just can't read :-( I misread the bug listing of fix released as fix pushed.

Then right, this should be in 0.2.10. It is working with the current master.
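The thread names four ways a CA bundle can reach the client (--os-cacert, --ca-file, OS_CACERT, CURL_CA_BUNDLE). The sketch below is an added example, not python-heatclient's code: it resolves those four inputs and builds a verifying TLS context that refuses to continue when the named bundle cannot be loaded. The function names and the precedence order are assumptions made for illustration.

```python
import argparse
import ssl

# Assumed precedence for this sketch (not taken from python-heatclient):
# CLI flags beat environment variables, and the OpenStack-wide name is
# consulted before the client-specific one.
ENV_SOURCES = ("OS_CACERT", "CURL_CA_BUNDLE")


def resolve_ca_bundle(argv, environ):
    """Return (path, source); (None, 'system') means use the system store."""
    parser = argparse.ArgumentParser(prog="demo-client")
    parser.add_argument("--os-cacert", dest="os_cacert")
    parser.add_argument("--ca-file", dest="ca_file")
    # Subcommands such as "stack-list" are left in the unparsed remainder.
    args, _rest = parser.parse_known_args(argv)

    if args.os_cacert:
        return args.os_cacert, "--os-cacert"
    if args.ca_file:
        return args.ca_file, "--ca-file"
    for name in ENV_SOURCES:
        if environ.get(name):
            return environ[name], name
    return None, "system"


def build_tls_context(argv, environ):
    """Build a verifying context; fail closed if the chosen bundle is unusable."""
    path, source = resolve_ca_bundle(argv, environ)
    try:
        # With cafile=None the system trust store is loaded; otherwise only
        # the named bundle is trusted. Verification stays on in both cases.
        ctx = ssl.create_default_context(cafile=path)
    except (OSError, ssl.SSLError) as exc:
        # Do not fall back silently to another store or to no verification.
        raise RuntimeError(f"CA bundle from {source} unusable ({path}): {exc}")
    return ctx, source
```

Returning the source alongside the path makes it possible to log which setting supplied the bundle, which is the first thing to check when a "certificate verify failed" error like the one quoted above appears.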
