Unhelpful error message when keystone uses self-signed SSL certificates
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
python-keystoneclient | Fix Released | Low | Rodrigo Duarte | |
Bug Description
When keystone is configured to use SSL and its certificates are not signed by a trusted authority, all the keystone client commands return:
Authorization Failed: SSL exception connecting to https:/
It would be better to instruct the user to pass the "--insecure" command-line option to the keystone command.
I set up my keystone with SSL like this:
1) Uncomment the following lines in keystone.conf:
[ssl]
enable = True
certfile = /etc/keystone/
keyfile = /etc/keystone/
ca_certs = /etc/keystone/
ca_key = /etc/keystone/
2) Run 'keystone-manage ssl_setup --keystone-user keystone --keystone-group keystone' and restart the service
3) Change the endpoints in the SQL table to point to https://...
To get the error, source the following file (change the username and password, and make sure the endpoint correctly points to https://...):
export OS_USERNAME=admin
export OS_TENANT_
export OS_PASSWORD=
export OS_AUTH_URL=https:/
Now run: keystone user-list
You get: Authorization Failed: SSL exception connecting to https:/
You are supposed to run: keystone --insecure user-list
It's really hard to tell by this error message what the cause of the problems is. In addition to that, there is nothing in the keystone logs. Please provide a more informative error message, and possibly some logs to indicate what went wrong.
Thanks :)
Changed in python-keystoneclient:
assignee: nobody → Chaitanya Challa (cvskchaitanya)
tags: added: low-hanging-fruit
Changed in python-keystoneclient:
assignee: Chaitanya Challa (cvskchaitanya) → nobody
Changed in python-keystoneclient:
milestone: none → 1.3.0
status: Fix Committed → Fix Released
There wouldn't be any impact on keystone itself (nor anything for it to log), but we might be able to get some better feedback out of requests, which is what is producing the SSL validation failure.
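Added example, not code from this report or from python-keystoneclient's fix: one way a client can pull the verification reason out of the wrapped SSL error and print an actionable message instead of a bare "SSL exception". The function names, the sample URL and the nested exception (a constructed stand-in for the error requests raises) are assumptions; `--os-cacert` is the keystone client option for supplying a CA file.

```python
import ssl

# OpenSSL X509_V_ERR_* codes meaning "the chain does not end at a trusted CA":
# 18 self-signed leaf, 19 self-signed cert in chain, 20 unknown local issuer.
UNTRUSTED_CODES = {18, 19, 20}


def find_verify_error(exc):
    """Walk a wrapped exception (cause, context, .reason, args) to the ssl error."""
    seen, stack = set(), [exc]
    while stack:
        cur = stack.pop()
        if not isinstance(cur, BaseException) or id(cur) in seen:
            continue
        seen.add(id(cur))
        if isinstance(cur, ssl.SSLCertVerificationError):
            return cur
        stack.extend([cur.__cause__, cur.__context__, getattr(cur, "reason", None)])
        stack.extend(cur.args)
    return None


def explain_ssl_failure(exc, url):
    """Return the message a CLI could print for an SSL failure (hypothetical helper)."""
    err = find_verify_error(exc)
    if err is None:
        return f"SSL exception connecting to {url}: {exc}"
    detail = getattr(err, "verify_message", None) or str(err)
    msg = f"Certificate verification failed for {url}: {detail}."
    if getattr(err, "verify_code", None) in UNTRUSTED_CODES:
        msg += (" The server certificate is not signed by a trusted CA;"
                " pass the signing CA with --os-cacert, or use --insecure"
                " to skip verification.")
    return msg


def constructed_sample():
    """Constructed nested error, shaped like a library wrapping the ssl failure."""
    inner = ssl.SSLCertVerificationError(1, "certificate verify failed")
    inner.verify_code, inner.verify_message = 18, "self-signed certificate"
    return Exception(Exception("Max retries exceeded", inner))


if __name__ == "__main__":
    # keystone.example is a placeholder host, not a value from the report.
    print(explain_ssl_failure(constructed_sample(), "https://keystone.example:5000/v2.0"))
```

Only trust-chain failures get the `--os-cacert` / `--insecure` hint; an expired certificate or a hostname mismatch is reported with its own reason so the user is not steered toward disabling verification.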