Comment 2 for bug 1292202

Adam Huffman (adam-huffman) wrote :

Adding my own experience here, which sounds very similar, using Icehouse. Here's my keystone invocation:

keystone --os-cacert /etc/grid-security/certificates/UKeScienceCA-2B.pem --debug endpoint-list

and here's the debugging output:

DEBUG:keystoneclient.session:REQ: curl -i -X POST https://<hostname>:35357/v2.0/tokens -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "<password>"}}}'
INFO:urllib3.connectionpool:Starting new HTTPS connection (1): <hostname>
Authorization Failed: SSL exception connecting to https://<hostname>:35357/v2.0/tokens

which looks to me as though the curl command generated doesn't specify the CA certificate.

If I run that curl command, it fails, of course. If I run it like this:

curl -v --cacert /etc/grid-security/certificates/UKeScienceCA-2B.pem -i -X POST https://<hostname>:35357/v2.0/tokens -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "<password>"}}}'

it succeeds, as expected. This behaviour looks to me to replicate the original report, i.e. the --os-cacert parameter being ignored.