"openstack network list" fails with "An SSL error occurred."

Bug #1560157 reported by Svend Sorensen on 2016-03-21
This bug affects 6 people
Affects: Mirantis OpenStack | Importance: Undecided | Assigned to: Unassigned
Affects: python-openstackclient | Status: Fix Released | Importance: Medium | Assigned to: Richard Theis

Bug Description

Running "openstack network list" fails with "An SSL error occurred" with python-openstackclient version 2.1.0 and newer.

Other commands, like "openstack server list" work with the same version.

$ openstack --version
openstack 2.1.0
$ openstack server list >/dev/null # Works
$ openstack network list >/dev/null # Fails
An SSL error occurred.

Running "openstack network list" works with python-openstackclient version 2.0.0:

$ openstack --version
openstack 2.0.0
$ openstack server list >/dev/null # Works
$ openstack network list >/dev/null # Works
$

Rahul U Nair (rahulunair) wrote :

Kindly attach the logs you get when this command is run:

openstack --debug network list

Svend Sorensen (svendsorensen) wrote :

Output from "openstack --debug network list" is attached.

Rahul U Nair (rahulunair) wrote :

Can you attach the output of openstack --debug server list as well?

Svend Sorensen (svendsorensen) wrote :

Output of "openstack server --debug list --name bugreport" is attached.

Dean Troyer (dtroyer) wrote :

Are the compute and network endpoints configured the same? i.e., do they use the same SSL/TLS termination or configuration?

Terry Howe (thowe-g) wrote :

If you hit the network endpoint in a browser does it have a valid cert?

Also, does 'openstack network list --insecure' work?

Terry Howe (thowe-g) wrote :

openstack catalog list

should give you a list of endpoints.

Richard Theis (rtheis) wrote :

Can you please provide the output of "pip list"?

Svend Sorensen (svendsorensen) wrote :

Output of pip list is attached.

Svend Sorensen (svendsorensen) wrote :

I get the same error with --insecure:

$ openstack network list --insecure
An SSL error occurred.

Svend Sorensen (svendsorensen) wrote :

The endpoints are all using the same wildcard certificate.

Dean Troyer (dtroyer) wrote :

The --insecure bit is a clue, it's internal to OSC, probably connected to the use of the SDK with the network commands and not the others. We may not be setting up TLS correctly there.

Dean Troyer (dtroyer) on 2016-03-25
Changed in python-openstackclient:
status: New → Confirmed
importance: Undecided → Medium
Richard Theis (rtheis) wrote :

It appears that OSC may need to pass verification information when building the connection using the SDK. I'll try recreating this.

Richard Theis (rtheis) wrote :

I deployed a DevStack environment with the tls-proxy service enabled and could not recreate the error.

ubuntu@openstacksdk3:~$ openstack --version
openstack 2.2.1
ubuntu@openstacksdk3:~$ openstack network list
...
ubuntu@openstacksdk3:~$ env | grep OS
OS_REGION_NAME=RegionOne
OS_PROJECT_NAME=admin
OS_IDENTITY_API_VERSION=2.0
OS_PASSWORD=<my-password>
OS_AUTH_URL=https://X.X.X.X:5000/v2.0
OS_USERNAME=admin
OS_TENANT_NAME=admin
OS_VOLUME_API_VERSION=2
OS_NO_CACHE=1

Richard Theis (rtheis) wrote :

I tried deploying a DevStack environment with USE_SSL=True but that failed.

Cedric Brandily (cbrandily) wrote :

OSC 2.2.1 authenticates twice when performing a neutron-related command: the 1st one with cacert/verify information which succeeds, the 2nd one without them which fails.

Richard Theis (rtheis) wrote :

Does anyone know how to recreate this using a DevStack deployment?

Svend Sorensen (svendsorensen) wrote :

Is there a way to enable SSL in devstack with an existing certificate?

Richard Theis (rtheis) wrote :

The following also worked in my DevStack environment with the tls-proxy service enabled.

$ OS_CACERT=/etc/ssl/certs/ca-certificates.crt openstack network list
...

Richard Theis (rtheis) on 2016-04-07
Changed in python-openstackclient:
assignee: nobody → Richard Theis (rtheis)

Fix proposed to branch: master
Review: https://review.openstack.org/303472

Changed in python-openstackclient:
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/303472
Committed: https://git.openstack.org/cgit/openstack/python-openstackclient/commit/?id=b5f10f43eb9fd1a046a3e80db09d8bc8c350c218
Submitter: Jenkins
Branch: master

commit b5f10f43eb9fd1a046a3e80db09d8bc8c350c218
Author: Richard Theis <email address hidden>
Date: Thu Apr 7 16:35:38 2016 -0500

    Fix SSL/TLS verification for network commands

    The network commands ignored the --insecure and --os-cacert
    options and OS_CACERT environment variable which prevented
    them from properly completing SSL/TLS verification. This
    resulted in the network commands failing with
    "An SSL error occurred."

    Change-Id: I15167631ef58335e1476c16b828b079e3b0f13c1
    Closes-Bug: #1560157

Changed in python-openstackclient:
status: In Progress → Fix Released

This issue was fixed in the openstack/python-openstackclient 2.4.0 release.
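
The failure mode described in this report (TLS options reaching one client but not a second one built later) can be modelled and regression-tested as below. This is an added example, not code from python-openstackclient or the SDK: the function names, the session dictionaries and the option precedence are assumptions made for illustration, and the CA path is a constructed sample.

```python
import os
import ssl


def resolve_verify(insecure=False, cacert=None, environ=None):
    """Collapse --insecure / --os-cacert / OS_CACERT into one requests-style
    value: False (no verification), a CA bundle path, or True (system store).
    The precedence used here is an assumption for this example."""
    environ = os.environ if environ is None else environ
    if insecure:
        return False
    return cacert or environ.get("OS_CACERT") or True


def make_context(verify):
    """Build the ssl.SSLContext that a given verify value implies."""
    if verify is True:
        return ssl.create_default_context()
    if verify is False:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    return ssl.create_default_context(cafile=verify)  # private CA bundle


def build_sessions_buggy(verify):
    """Hypothetical 'before': the second client is built with library
    defaults, so the user's TLS options never reach it."""
    return {"identity": verify, "network": True}


def build_sessions_fixed(verify):
    """Hypothetical 'after': one resolved value is handed to every client."""
    return {"identity": verify, "network": verify}


def sessions_ignoring_options(sessions, expected):
    """Regression check: names of clients whose verify setting differs."""
    return sorted(name for name, v in sessions.items() if v != expected)


if __name__ == "__main__":
    env = {"OS_CACERT": "/constructed/path/private-ca.pem"}  # constructed sample
    for insecure in (False, True):
        want = resolve_verify(insecure=insecure, environ=env)
        print(want, sessions_ignoring_options(build_sessions_buggy(want), want),
              sessions_ignoring_options(build_sessions_fixed(want), want))
```

In the buggy model the network client always verifies against the system trust store, which is why neither a private CA bundle nor --insecure changes the outcome for that one command.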

Could somebody please backport it to Mitaka as well?

Change abandoned by Steve Martinelli (<email address hidden>) on branch: stable/mitaka
Review: https://review.openstack.org/354271
Reason: rich, seems like not

Richard Theis (rtheis) wrote :

Hi Alexander. OSC normally only backports security fixes to stable branches. Please contact Dean Troyer (dtroyer) if you believe an exception to this policy is needed.

FYI: OSC 2.4.0 should be backwards compatible with Mitaka.

Changed in mos:
status: New → Confirmed

Alexander, Sergii, that fix was backported in downstream MOS 9.1 as bug https://bugs.launchpad.net/mos/+bug/1613679

Setting state of the current bug in MOS as invalid, as there is no way to specify state for a single project as duplicate.

Changed in mos:
status: Confirmed → Invalid

Reviewed: https://review.openstack.org/354271
Committed: https://git.openstack.org/cgit/openstack/python-openstackclient/commit/?id=53a79c33f88cea83fb2a90408dd3f5e8dd48a2f5
Submitter: Jenkins
Branch: stable/mitaka

commit 53a79c33f88cea83fb2a90408dd3f5e8dd48a2f5
Author: Richard Theis <email address hidden>
Date: Thu Apr 7 16:35:38 2016 -0500

    Fix SSL/TLS verification for network commands

    The network commands ignored the --insecure and --os-cacert
    options and OS_CACERT environment variable which prevented
    them from properly completing SSL/TLS verification. This
    resulted in the network commands failing with
    "An SSL error occurred."

    Change-Id: I15167631ef58335e1476c16b828b079e3b0f13c1
    Closes-Bug: #1560157
    (cherry picked from commit b5f10f43eb9fd1a046a3e80db09d8bc8c350c218)

tags: added: in-stable-mitaka

This issue was fixed in the openstack/python-openstackclient 2.3.1 release.
