[IMPACT]
Crticial. Enabling SSL for services in the Keystone catalog does not function with certain types of certificates, eg wild card certificates.
[TESTCASE]
Put services in the keystone catalog behind a service that termintaes SSL with wild card certificates, and the client will receive SSL errors.
[Regression Potential]
Minimal. The one-line patch simply fixes the argument handling of the Keystone client to ensure SSL connection work correctly in all cases.
Hi guys,
I've successfully deployed and tested keystone and wanted to stick some SSL in front of it. I used the nginx puppet module provided here https://github.com/NeCTAR-RC/puppet-nginx and seemed to successfully deploy the module.
I've updated all my endpoints to be https:// and also updated my "auth.rc" file for the same.
When I run "keystone user-list" I get the following error
Unable to communicate with identity service: [Errno 185090050] _ssl.c:340: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib. (HTTP 400)
When I run "keystone --insecure user-list" I get the correct output, so I know the SSL is working ok and I'm affected by a verification issue.
Same when using keystone-init:
# ./keystone-init.py config.yaml
No handlers could be found for logger "keystoneclient.client"
Traceback (most recent call last):
File "./keystone-init.py", line 97, in <module>
configure_keystone(config)
File "./keystone-init.py", line 28, in configure_keystone
default_tenant = create_default_tenant(keystone, config)
File "./keystone-init.py", line 43, in create_default_tenant
enabled=True)
File "/usr/lib/python2.7/dist-packages/keystoneclient/v2_0/tenants.py", line 83, in create
return self._create('/tenants', params, "tenant")
File "/usr/lib/python2.7/dist-packages/keystoneclient/base.py", line 82, in _create
resp, body = self.api.post(url, body=body)
File "/usr/lib/python2.7/dist-packages/keystoneclient/client.py", line 174, in post
return self._cs_request(url, 'POST', **kwargs)
File "/usr/lib/python2.7/dist-packages/keystoneclient/client.py", line 155, in _cs_request
**kwargs)
File "/usr/lib/python2.7/dist-packages/keystoneclient/client.py", line 135, in request
raise exceptions.from_response(resp, body)
keystoneclient.exceptions.BadRequest: Unable to communicate with identity service: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed. (HTTP 400)
...and if I modify keystone-init.py to add insecure=True to the client call, it works fine.
However this is where I'm stumped, as the certificate I'm using is a wildcard *.example.com style certificate, and it works on all the other services (email, apache, etc) which deploy it for.
I also note that if I point my browser to https://keystone-int.example.com:5000 that my Mozilla claims the certificate is correctly verified by our provider (GoDaddy).
I'd really like a better understanding of why the keystoneclient thinks my cert isn't verified when Firefox is fine with it. As far as I can see, the GoDaddy certs are present in both /etc/ssl/certs as well as in the cacerts.txt file of python-httplib2 and I added our private key into /etc/ssl/private. So it would be unlikely that we are missing an intermediate certificate. Using --insecure is all well and good for the CLI, but what about the keystone stuff in swift, nova and and glance? Will I have to specify insecure everywhere and ask our clients to use --insecure?
Would really appreciate some help around this issue as it's a major roadblock to moving forward.
Screenshot showing side-by-side firefox and keystoneclient, one can verify the other can't.
Running on Ubuntu 12.04 LTS with the Ubuntu Cloud-Archive Folsom repo in use.