[SRU] keystoneclient fails on SSL certificates that work for other services
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu Cloud Archive | Fix Released | Undecided | Unassigned | |
| python-keystoneclient | Fix Released | Critical | Sam Morrison | |
| python-keystoneclient (Ubuntu) | Fix Released | Critical | Unassigned | |
| Quantal | Fix Released | Critical | Unassigned | |
Bug Description
[IMPACT]
Critical. Enabling SSL for services in the Keystone catalog does not function with certain types of certificates, e.g. wildcard certificates.
[TESTCASE]
Put services in the keystone catalog behind a service that terminates SSL with wildcard certificates, and the client will receive SSL errors.
[Regression Potential]
Minimal. The one-line patch simply fixes the argument handling of the Keystone client to ensure SSL connections work correctly in all cases.
Hi guys,
I've successfully deployed and tested keystone and wanted to stick some SSL in front of it. I used the nginx puppet module provided here https:/
I've updated all my endpoints to be https:// and also updated my "auth.rc" file for the same.
When I run "keystone user-list" I get the following error:
Unable to communicate with identity service: [Errno 185090050] _ssl.c:340: error:0B084002:x509 certificate routines:
When I run "keystone --insecure user-list" I get the correct output, so I know the SSL is working ok and I'm affected by a verification issue.
Same when using keystone-init:
```
# ./keystone-init.py config.yaml
No handlers could be found for logger "keystoneclient
Traceback (most recent call last):
File "./keystone-
configure_
File "./keystone-
default_tenant = create_
File "./keystone-
enabled=True)
File "/usr/lib/
return self._create(
File "/usr/lib/
resp, body = self.api.post(url, body=body)
File "/usr/lib/
return self._cs_
File "/usr/lib/
**kwargs)
File "/usr/lib/
raise exceptions.
keystoneclient.
```
...and if I modify keystone-init.py to add insecure=True to the client call, it works fine.
However, this is where I'm stumped, as the certificate I'm using is a wildcard *.example.com style certificate, and it works on all the other services (email, apache, etc.) which we deploy it for.
I also note that if I point my browser to https:/
I'd really like a better understanding of why the keystoneclient thinks my cert isn't verified when Firefox is fine with it. As far as I can see, the GoDaddy certs are present in both /etc/ssl/certs as well as in the cacerts.txt file of python-httplib2, and I added our private key into /etc/ssl/private. So it would be unlikely that we are missing an intermediate certificate. Using --insecure is all well and good for the CLI, but what about the keystone stuff in swift, nova and glance? Will I have to specify insecure everywhere and ask our clients to use --insecure?
Would really appreciate some help around this issue as it's a major roadblock to moving forward.
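The report's two questions (why a wildcard certificate that browsers accept is rejected by a client, and whether --insecure is the only way out) both come down to separating the two checks an HTTPS client performs: chain validation against a CA bundle, and matching the requested hostname against the names in the certificate. The script below is an added example for this page, not code from the report or from python-keystoneclient, and it makes no claim about which of the two the keystoneclient patch touched. It applies the browser rules for wildcard names (RFC 6125 section 6.4.3) to certificates in the dict form Python's ssl.SSLSocket.getpeercert() returns, and check_endpoint() runs both checks against a live endpoint while keeping verification on, reporting which step failed. The certificate dict, hostnames, endpoint URL and CA bundle path are constructed or reader-supplied assumptions.

```python
"""Separate a hostname mismatch from a chain problem on an HTTPS endpoint.

Added example for this bug report; not code from the report or from
python-keystoneclient. Works on certificates in the dict form returned by
ssl.SSLSocket.getpeercert() and applies the browser-style wildcard rules of
RFC 6125 section 6.4.3. The sample certificate below is constructed;
check_endpoint() takes whatever URL and CA bundle the reader supplies.
"""
import socket
import ssl
from typing import Dict, List, Optional
from urllib.parse import urlparse


def match_dns_name(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly a wildcard) against a hostname.

    Browser rules: comparison is case-insensitive; a wildcard is honoured only
    when it is the entire left-most label, so "*.example.com" matches but
    "f*.example.com" does not; the wildcard covers exactly one label, so
    "*.example.com" matches "keystone.example.com" but neither
    "a.b.example.com" nor the bare "example.com"; "*.com" is refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    pat_labels = pattern.split(".")
    host_labels = hostname.split(".")
    if pat_labels[0] != "*" or "*" in pattern[2:]:
        return False  # partial or non-leftmost wildcard
    if len(pat_labels) < 3:
        return False  # "*.com" would cover a whole TLD
    if len(pat_labels) != len(host_labels) or not host_labels[0]:
        return False
    return pat_labels[1:] == host_labels[1:]


def dns_names(cert: Dict) -> List[str]:
    """Return the DNS names a certificate is valid for.

    subjectAltName dNSName entries win; the subject commonName is used only
    when there is no SAN at all, which is what clients historically did.
    """
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(cert: Dict, hostname: str) -> bool:
    return any(match_dns_name(n, hostname) for n in dns_names(cert))


def explain(cert: Dict, hostname: str) -> str:
    """One-line verdict a user can compare with what the browser shows."""
    names = dns_names(cert)
    if not names:
        return "certificate carries no DNS names (no SAN and no CN)"
    if hostname_matches(cert, hostname):
        return "%s is covered by %s" % (hostname, ", ".join(names))
    return "%s is not covered by any of: %s" % (hostname, ", ".join(names))


def check_endpoint(url: str, cafile: Optional[str] = None, timeout: float = 5.0) -> Dict:
    """Validate the chain served by `url` against `cafile` (platform store if
    None), then do our own hostname matching, so the two failure modes are
    reported separately. check_hostname is turned off only so that a name
    mismatch is not hidden behind a generic error; the chain is still
    enforced. Nothing here disables verification the way --insecure does.
    """
    parsed = urlparse(url)
    host, port = parsed.hostname, parsed.port or 443
    report = {"host": host, "chain_ok": False, "hostname_ok": False, "detail": ""}
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # name check is done below
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain validation stays on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        report["detail"] = "chain rejected: %s" % exc.verify_message
        return report
    report["chain_ok"] = True
    report["hostname_ok"] = hostname_matches(cert, host)
    report["detail"] = explain(cert, host)
    return report


# Constructed example in the shape returned by getpeercert(): a wildcard
# certificate that also lists the bare domain in its SAN.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}

if __name__ == "__main__":
    import sys
    for name in ("keystone.example.com", "example.com", "a.b.example.com"):
        print(explain(WILDCARD_CERT, name))
    # Usage (hypothetical endpoint): python3 check.py https://keystone.example.com:35357/v2.0 /etc/ssl/certs/ca-certificates.crt
    if len(sys.argv) > 1:
        print(check_endpoint(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
```

If check_endpoint() reports chain_ok as False, the bundle the client is reading lacks the issuing or intermediate CA, regardless of what Firefox (which has its own store) does; if the chain is accepted but hostname_ok is False, the catalog endpoint name is simply not one the certificate covers, for example a second-level subdomain under a single-label wildcard. Either way the right fix is in the bundle or the endpoint names, not an insecure flag in every service's configuration.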
Related branches
- Dave Walker (community): Approve
- Diff: 0 lines
tags: added: cloud-archive
affects: keystone (Ubuntu) → python-keystoneclient (Ubuntu)
Changed in python-keystoneclient (Ubuntu):
status: Invalid → Confirmed
tags: added: canonistack
tags: added: cloud-archive
summary: keystoneclient fails on SSL certificates that work for other services → [SRU] keystoneclient fails on SSL certificates that work for other services
description: updated
Changed in python-keystoneclient (Ubuntu Quantal):
status: New → Confirmed
Changed in python-keystoneclient (Ubuntu):
status: Confirmed → Fix Released
Changed in python-keystoneclient:
importance: Undecided → Critical
Changed in python-keystoneclient (Ubuntu):
importance: Undecided → Critical
Changed in python-keystoneclient (Ubuntu Quantal):
importance: Undecided → Critical
Changed in python-keystoneclient:
milestone: none → 0.2.0
status: Fix Committed → Fix Released
Screenshot showing side-by-side Firefox and keystoneclient: one can verify, the other can't.
Running on Ubuntu 12.04 LTS with the Ubuntu Cloud-Archive Folsom repo in use.