Debian/Ubuntu system wide CA certificate file doesn't seem to be used

Bug #1307585 reported by Stuart McLaren
Affects: python-neutronclient | Status: Expired | Importance: Wishlist | Assigned to: Unassigned | Milestone: (none)

Bug Description

When a CA certificate is added to the OS bundle on Debian/Ubuntu using 'update-ca-certificates' the new system wide cert is not used by python-neutronclient.

If you create a CA certificate and add it to the default locations by copying it to /usr/local/share/ca-certificates/ and running 'update-ca-certificates' it should be picked up by anything using openssl.

For example curl:

1) before running update-ca-certificates:

$ curl https://192.0.2.254:13776
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

2) after running update-ca-certificates:

$ curl https://192.0.2.254:13776
{"versions": [{"status": "CURRENT", "updated": "2012-01-04T11:33:21Z", "id": "v1.0", "links": [{"href": "http://192.0.2.254:13776/v1/", "rel": "self"}]}, {"status": "CURRENT", "updated": "2012-11-21T11:33:21Z", "id": "v2.0", "links": [{"href": "http://192.0.2.254:13776/v2/", "rel": "self"}]}]}

Although pointing directly to the CA file does work:

$ neutron --os-cacert /etc/ssl/from-heat-ca.crt router-list
+--------------------------------------+----------------+-----------------------------------------------------------------------------+
| id | name | external_gateway_info |
+--------------------------------------+----------------+-----------------------------------------------------------------------------+
| d3790a7b-bc42-40f3-a93f-7255e5a845ee | default-router | {"network_id": "83680791-5f3e-408b-baac-cd4ee8a7c398", "enable_snat": true} |
+--------------------------------------+----------------+-----------------------------------------------------------------------------+

After update-ca-certificates has been run, the CA cert is not picked up automatically from the system-wide location:

$ neutron router-list
SSL certificate validation has failed: [Errno 1] _ssl.c:509: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Akihiro Motoki (amotoki) wrote :

Is there an official location for a single file version of CA cert?
If the location varies across distributions, we (the upstream developer) cannot know which location is good.
AFAIK, it is /etc/ssl/certs/ca-certificates.crt in Ubuntu and /etc/pki/tls/certs/ca-bundle.crt in RHEL.

In the case of "curl", the location of the system-wide cert file is specified when the curl Debian package is compiled.

How about other OpenStack CLI commands like novaclient?
If they support it, any pointer would be appreciated.

Any suggestions?

The easiest way is to specify the OS_CERT environment variable.

Changed in python-neutronclient:
status: New → Incomplete
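As an added illustration of the lookup the comment above asks about (this is not code from python-neutronclient or from anyone in this thread): resolve the single-file system bundle per distribution, let an explicitly configured path take precedence, and produce the value a requests-based client would pass as its verify= argument. The precedence order, the environment variable names and the injectable `exists`/`read` hooks are my assumptions; the two bundle paths are the ones named above.

```python
"""Pick the CA bundle a requests-based OpenStack client should verify
against, so it trusts the same store curl uses after update-ca-certificates.
Added example, not python-neutronclient code."""
import os

# Single-file bundles named in this thread (Ubuntu and RHEL).
SYSTEM_CA_BUNDLES = (
    "/etc/ssl/certs/ca-certificates.crt",  # Debian/Ubuntu, written by update-ca-certificates
    "/etc/pki/tls/certs/ca-bundle.crt",    # RHEL and derivatives
)

# Assumed precedence: OS_CACERT is what the clients' --os-cacert option maps to,
# REQUESTS_CA_BUNDLE is honoured by requests, SSL_CERT_FILE by OpenSSL itself.
ENV_VARS = ("OS_CACERT", "REQUESTS_CA_BUNDLE", "SSL_CERT_FILE")


def count_certs(pem_text):
    """Number of PEM certificate blocks in a bundle's contents."""
    return pem_text.count("-----BEGIN CERTIFICATE-----")


def find_ca_bundle(env=None, exists=os.path.isfile):
    """Return the bundle path to verify against, or None to fall back to the
    library's own default (certifi). An explicitly configured path wins even
    if it does not exist, so a typo fails loudly rather than silently
    verifying against a different trust store."""
    env = os.environ if env is None else env
    for name in ENV_VARS:
        if env.get(name):
            return env[name]
    for path in SYSTEM_CA_BUNDLES:
        if exists(path):
            return path
    return None


def verify_argument(env=None, exists=os.path.isfile, read=None):
    """Value for requests.get(url, verify=...): the bundle path when one was
    found and actually contains certificates, otherwise True (certifi)."""
    path = find_ca_bundle(env, exists)
    if path is None:
        return True
    read = read or (lambda p: open(p).read())
    if count_certs(read(path)) == 0:
        raise ValueError("CA bundle %s contains no certificates" % path)
    return path


if __name__ == "__main__":
    # Constructed situation from the report: no explicit cert, Ubuntu bundle present.
    print(find_ca_bundle(env={}, exists=lambda p: p == SYSTEM_CA_BUNDLES[0]))
```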
Stuart McLaren (stuart-mclaren) wrote :

If you're using the 'requests' library it looks like it can be picked up with:

https://review.openstack.org/#/c/117247/

Stuart McLaren (stuart-mclaren) wrote :

(Although, that may just be the set of certs that come with requests rather than the system ones.)

Akihiro Motoki (amotoki) wrote :

Sorry for my late response.
The requests library has a really nice feature! Thanks.

Changed in python-neutronclient:
status: Incomplete → Confirmed
importance: Undecided → Wishlist
Changed in python-neutronclient:
assignee: nobody → Tomohiro Takata (t-takata)
Armando Migliaccio (armando-migliaccio) wrote :

This bug is > 172 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

Changed in python-neutronclient:
assignee: Tomohiro Takata (t-takata) → nobody
status: Confirmed → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for python-neutronclient because there has been no activity for 60 days.]

Changed in python-neutronclient:
status: Incomplete → Expired