keystoneclient appears to ignore --os-cacert option
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
python-keystoneclient | Invalid | Undecided | Jamie Lennox |
Bug Description
I expected to be able to enable the keystone service for HTTPS access and then specify the CA cert on the client side. However keystoneclient seems not to take the --os-cacert into account as expected.
Steps to reproduce:
# create keystone certs
$ keystone-manage ssl_setup --keystone-user keystone --keystone-group keystone
$ chown keystone:keystone /etc/keystone/
# in /etc/keystone/
[ssl]
enable = True
certfile = /etc/keystone/
keyfile = /etc/keystone/
ca_certs = /etc/keystone/
ca_key = /etc/keystone/
# re-create identity service endpoint with https URLs:
$ KEYSTONE_
$ KS_IP=keystone_
$ keystone endpoint-create --region RegionOne --service-
# delete old keystone endpoint
$ keystone --insecure endpoint-delete OLD_KEYSTONE_
# restart keystone
$ sudo service openstack-keystone restart # or equivalent on Ubuntu
# run keystone client insecurely (i.e. just confidentiality on the wire):
$ keystone --insecure endpoint-list | awk '/35357/ {print $10}'
https:/
# attempt to specify the CA cert so that the service-side cert can be verified, fails:
$ keystone --debug --os-cacert /etc/keystone/
DEBUG:keystonec
INFO:urllib3.
Authorization Failed: SSL exception connecting to https:/
# use the equivalent -k option to curl, and it works:
$ curl -k /etc/keystone/
curl: (3) <url> malformed
HTTP/1.1 200 OK
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 8988
Date: Thu, 13 Mar 2014 23:20:35 GMT
{"access": {"token": {"issued_at": "2014-03-
Is my understanding of --os-cacert option correct?
If not, how is the equivalent behavior enabled?
Changed in python-keystoneclient:
assignee: nobody → Jamie Lennox (jamielennox)
Changed in python-keystoneclient:
status: New → Incomplete
Changed in python-keystoneclient:
status: Incomplete → Invalid
So I've tried this setup with both installing certificates manually and with ssl_setup, and the behaviour of --insecure / --os-cacert works for me with both.
The curl command appears to be going to the correct endpoints which is always my first guess. Don't worry about the fact the curl statement is missing the certificate files - that is a debugging statement only.
In curl, -k is --insecure; I'm not sure if that's a mistake in the bug report or your curl command is also doing an insecure connection. That would help explain it if it's not.
Other things to check when setting up ssl, you should set:
[ssl]
cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=172.16.12.49
if you are going to use ssl_setup so that the hostname is correct.
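A check worth running before filing a report like this one, as a constructed example that is not from the bug report, keystone or keystoneclient: it builds a throwaway CA and a server certificate signed by it with openssl, the same two artifacts ssl_setup produces, and then verifies the server certificate against the CA file the way --os-cacert does, once for the chain alone and once with a hostname check. The endpoint host keystone.example.test, the CA names and the working directory are assumptions, and the first certificate assumes the ssl_setup default of CN=localhost. Both failure modes it separates (the CA file given is not the one that signed the certificate, and the CN does not match the host in the endpoint URL) surface on the client as the same "SSL exception" shown above, and neither is checked at all under --insecure or curl -k.

```shell
#!/bin/sh
# Constructed example: a throwaway CA plus a server certificate signed by it,
# built the way keystone-manage ssl_setup builds them, so the two things
# --os-cacert verification can fail on are visible separately:
#   1. the server certificate does not chain to the CA file given, and
#   2. the certificate subject (CN) does not match the host in the endpoint URL.
# Names, subjects and the keystone.example.test hostname are assumptions.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca PREFIX CN: self-signed CA written to $WORK/PREFIX.pem and $WORK/PREFIX.key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/C=US/ST=Unset/L=Unset/O=Unset/CN=$2" >/dev/null 2>&1
}

# make_server_cert CN: server certificate signed by $WORK/ca.pem, with the
# subject written in the same form as keystone's cert_subject option.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/C=US/ST=Unset/L=Unset/O=Unset/CN=$1" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# chain_ok CAFILE: succeeds only if server.pem chains to CAFILE. This is the
# check --os-cacert adds and --insecure / curl -k skip.
chain_ok() {
    openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1
}

# host_ok CAFILE HOST: the chain check plus a hostname match. No SAN is set on
# the certificate, so OpenSSL falls back to comparing HOST with the subject CN.
host_ok() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$WORK/server.pem" >/dev/null 2>&1
}

# Host used in the hypothetical https:// Keystone endpoint URL.
KS_HOST=keystone.example.test

make_ca ca "Keystone Test CA"
make_ca other-ca "Unrelated CA"

# Certificate with the default-style subject, CN=localhost.
make_server_cert localhost
chain_ok "$WORK/ca.pem"            && echo "CN=localhost: chains to ca.pem"
chain_ok "$WORK/other-ca.pem"      || echo "CN=localhost: rejected against the wrong CA file"
host_ok  "$WORK/ca.pem" "$KS_HOST" || echo "CN=localhost: hostname $KS_HOST does not match"

# Certificate re-issued with cert_subject pointing at the real endpoint host.
make_server_cert "$KS_HOST"
host_ok "$WORK/ca.pem" "$KS_HOST" && echo "CN=$KS_HOST: chain and hostname both verify"
```

The -verify_hostname option of openssl verify needs OpenSSL 1.1.0 or later. When the endpoint URL carries an IP address rather than a name, as with the CN=172.16.12.49 subject in the comment above, check it with -verify_ip instead; openssl matches IP addresses only against subjectAltName iPAddress entries, not the CN.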