Adding my own experience here, which sounds very similar, using Icehouse. Here's my keystone invocation:
keystone --os-cacert /etc/grid-security/certificates/UKeScienceCA-2B.pem --debug endpoint-list
and here's the debugging output:
DEBUG:keystoneclient.session:REQ: curl -i -X POST https://<hostname>:35357/v2.0/tokens -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "<password>"}}}'
INFO:urllib3.connectionpool:Starting new HTTPS connection (1): <hostname>
Authorization Failed: SSL exception connecting to https://<hostname>:35357/v2.0/tokens
which looks to me as though the curl command generated doesn't specify the CA certificate.
If I run that curl command, it fails, of course. If I run it like this:
curl -v --cacert /etc/grid-security/certificates/UKeScienceCA-2B.pem -i -X POST https://<hostname>:35357/v2.0/tokens -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "<password>"}}}'
it succeeds, as expected. This behaviour looks to me to replicate the original report, i.e. the --os-cacert parameter being ignored.