python-keystoneclient SSL CA certificate validation

Bug #1012591 reported by Jose Castro Leon on 2012-06-13

Bug Description

Following the commit by Adam Young, we discover that python-keystoneclient tries to validate the CA chain.

So in case that the CA certificate is not bundled with the distribution, it refuses to do any operation due to the invalid certificate chain.

This could be solved by specifying an extra parameter with the CA chain in python-keystoneclient and passing it to the httplib2 component.

This also affects horizon when using keystone api to check the user during login.

summary: - python-keystoneclient SSLCA certificate validation
+ python-keystoneclient SSL CA certificate validation
Alan Pevec (apevec) on 2012-06-13
tags: added: python-keystoneclient
removed: keystone
Joseph Heck (heckj) on 2012-06-24
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
Thierry Carrez (ttx) on 2012-07-04
affects: keystone → python-keystoneclient
Adam Young (ayoung) on 2012-07-17
Changed in python-keystoneclient:
assignee: nobody → Adam Young (ayoung)

You can also disable CA validation by:

--- keystoneclient/ 2012-07-17 18:02:33.910494211 +0200
+++ keystoneclient/ 2012-07-17 18:02:22.525503421 +0200
@@ -55,6 +55,7 @@

         # httplib2 overrides
         self.force_exception_to_status_code = True
+ self.disable_ssl_certificate_validation = True

     def authenticate(self):
         """ Authenticate against the keystone API.

Liem Nguyen (liemmn) on 2012-07-17
Changed in python-keystoneclient:
assignee: Adam Young (ayoung) → Liem Nguyen (liemmn)

Fix proposed to branch: master

Changed in python-keystoneclient:
status: Triaged → In Progress
Sascha Peilicke (saschpe) wrote :

Not validating SSL certificates is definitely not a solution. Then you can as well remove the whole SSL code, if it doesn't check anything. Furthermore, it is actually correct to rely on the certificate store provided by the distribution as it is reviewed by dedicated security teams (speaking for openSUSE / SLES here but I'm sure that's no different for Ubuntu and RHEL / Fedora) that review and maintain the cert store.

Consider your customer, if you would ship a cert store and a cert gets revoked, you would have to submit a patch to github (to fix the issue for everyone) and then provide that somehow to the customer. OpenStack should only ship example certs so that you can test. But this is nothing you would want to use in production.

Changed in python-keystoneclient:
assignee: Liem Nguyen (liemmn) → Sascha Peilicke (saschpe)

I understand your point of view, but this was described as a temporary solution to disable the validation of the CA certificate on the client side to enable SSL while a better solution is proposed.

My request was a parameter on the client side to submit our certificate chain; this parameter is only used in case you have your own certification authority and it does nothing to the community.

Sascha Peilicke (saschpe) wrote :

That sounds reasonable, maybe I forgot to clarify that I disregarded the current solution by Liem. I think it still makes sense to add the parameters you proposed. On the other hand, I prefer instead of the 'temporary' solution to the error message ;-)

Submitter: Jenkins
Branch: master

commit dec8f77c9233f195999b8db9adbd4f026834fd42
Author: Sascha Peilicke <email address hidden>
Date: Mon Jul 9 17:07:41 2012 +0200

    Add '--insecure' commandline argument

    Allows to ignore validation errors that typically occur with self-signed
    SSL certificates. Making this explicit is important as one would
    typically only use this in development or in-house deployments.

    This should also fix bug 1012591.

    Change-Id: I1210fafc9257648c902176fbcfae9d47e47fc557
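The two things this thread settles on, the CA chain parameter the reporter asks for and the explicit, off-by-default insecure switch the commit above adds, as one added example in standard-library Python. This is not keystoneclient's or httplib2's code; `cacert` and `insecure` are assumed parameter names, and it uses `ssl.SSLContext` where the real client passes the same settings to httplib2.

```python
"""Added example (standard library only): explicit CA bundle plus opt-in
insecure mode, instead of disabling validation unconditionally.  Not
keystoneclient's or httplib2's code; `cacert`/`insecure` are assumed names."""
import http.client
import logging
import os
import ssl
from typing import Optional

log = logging.getLogger(__name__)


def build_tls_context(cacert: Optional[str] = None, insecure: bool = False) -> ssl.SSLContext:
    """Return the SSLContext an HTTPS API client should use.

    Default: verify the server against the distribution's trust store and check
    the hostname.  `cacert` adds an in-house CA bundle on top of the system roots
    (the "CA not bundled with the distribution" case from the bug).  `insecure`
    is the only way to skip validation and is logged so it cannot pass silently.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    if insecure:
        log.warning("TLS certificate validation disabled (--insecure); "
                    "the server's identity will not be checked")
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if cacert is not None:
        if not os.path.isfile(cacert):
            # Fail closed: a typo in the bundle path must not degrade to "no CA".
            raise FileNotFoundError(f"CA bundle not found: {cacert}")
        ctx.load_verify_locations(cafile=cacert)  # adds to, not replaces, system roots
    return ctx


def tls_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise the effective policy (useful for startup logging and tests)."""
    return {"verify_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
            "check_hostname": ctx.check_hostname}


def open_connection(host: str, port: int = 443, cacert: Optional[str] = None,
                    insecure: bool = False) -> http.client.HTTPSConnection:
    """Create (but not yet connect) an HTTPS connection carrying the chosen policy."""
    return http.client.HTTPSConnection(host, port, context=build_tls_context(cacert, insecure))
```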

Changed in python-keystoneclient:
status: In Progress → Fix Committed
Changed in python-keystoneclient:
status: Fix Committed → Fix Released