Network commands ignore insecure option

Bug #1756723 reported by Dr. Jens Harbott
Affects                 Status  Importance  Assigned to        Milestone
python-openstackclient  New     Undecided   Vishakha Agarwal

Bug Description

In order to reproduce, set up an environment where insecure SSL is being used for the keystone endpoint, either by deploying with a self-signed certificate or simply by running devstack with the tls-proxy service enabled and then removing the CA certs generated by devstack with:

    $ sudo mv /usr/local/share/ca-certificates/devstack-root.crt /usr/local/share/ca-certificates/devstack-root.crt.off
    $ sudo mv /usr/local/share/ca-certificates/devstack-int.crt /usr/local/share/ca-certificates/devstack-int.crt.off
    $ sudo update-ca-certificates

To verify the setup, run:

$ openstack token issue
Could not determine a suitable URL for the plugin

Now adding the "--insecure" option makes this and other commands work, but fails for any network command:

$ openstack --insecure token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2018-03-18T19:53:03+0000         |
| id         | gAAAAABarrWP_8Q98PpLwe51-k60L6Q6UisF984BdKH6B8qPpHtpe3C34f0DaqLckwcXd77FHX1-vhaQktlae73SueIvO-oJ_46QSPBcdw6twk4WrlOH1t5g7R4R09Z-k73QWDzpaQnWqLBMeItmQQeq8iU7YcRV-iHQR17vCWOcw6KzrJ4gVRA |
| project_id | 451ea624535f483a8f9d0b766ceb1021 |
| user_id    | d965b06ebc9c41e187d1c36bf8598d2d |
+------------+----------------------------------+
$ openstack --insecure image list
+--------------------------------------+--------------------------+--------+
| ID                                   | Name                     | Status |
+--------------------------------------+--------------------------+--------+
| 12f20988-5ce4-42e2-a48a-6c29a5962ee7 | cirros-0.3.5-x86_64-disk | active |
+--------------------------------------+--------------------------+--------+
$ openstack --insecure network list
SSL exception connecting to https://10.42.0.14/identity/v3/auth/tokens: HTTPSConnectionPool(host='10.42.0.14', port=443): Max retries exceeded with url: /identity/v3/auth/tokens (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
$ openstack --insecure router list
SSL exception connecting to https://10.42.0.14/identity/v3/auth/tokens: HTTPSConnectionPool(host='10.42.0.14', port=443): Max retries exceeded with url: /identity/v3/auth/tokens (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

The reason seems to be that the sdk_connection object that is generated in osc-lib is lacking this attribute.
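As an added example (not osc-lib's or python-openstackclient's own code), the snippet below sketches the precedence used to turn `--insecure`, `--os-cacert` and `OS_CACERT` into one `verify` value, and a check that flags any client built with a different one, which is the mismatch the report describes. The function names are hypothetical and the client set is constructed.

```python
"""Added illustration (not osc-lib's or python-openstackclient's code): the
precedence a CLI should apply to derive ONE TLS `verify` value from
--insecure, --os-cacert and the OS_CACERT environment variable, plus a
consistency check that every underlying client actually received it.
resolve_verify(), audit_clients() and demo_bug_scenario() are hypothetical."""
from typing import Mapping, Optional, Union

# requests-style setting: False = no validation, True = system trust store,
# str = path to a CA bundle used instead of the system store.
Verify = Union[bool, str]


def resolve_verify(insecure: bool, cacert: Optional[str],
                   env: Mapping[str, str]) -> Verify:
    """Return the single verify value that every client must be built with."""
    if insecure:
        return False                      # --insecure wins: skip validation
    bundle = cacert or env.get("OS_CACERT")
    if bundle:
        return bundle                     # CA bundle (openrc exports OS_CACERT)
    return True                           # default: validate against system CAs


def audit_clients(reference: Verify, clients: Mapping[str, Verify]) -> list:
    """Names of clients whose verify setting drifted from the reference.

    A CLI that builds one keystoneauth session for its legacy clients and a
    separate SDK connection for network commands can end up in the state the
    report describes: token/image calls skip validation while network calls
    still verify and fail on the self-signed certificate."""
    return sorted(name for name, verify in clients.items() if verify != reference)


def demo_bug_scenario() -> list:
    """Constructed scenario matching the report: --insecure given, OS_CACERT
    unset, and the network client built without the option."""
    verify = resolve_verify(insecure=True, cacert=None, env={})
    clients = {
        "identity": verify,   # token issue works
        "image": verify,      # image list works
        "network": True,      # built without --insecure: still validates
    }
    return audit_clients(verify, clients)  # -> ['network']


if __name__ == "__main__":
    print("clients ignoring --insecure:", demo_bug_scenario())
```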

Changed in python-openstackclient:
assignee: nobody → Vishakha Agarwal (vishakha.agarwal)
Revision history for this message
Vishakha Agarwal (vishakha.agarwal) wrote :

Hi Jens,

I am not able to reproduce the following bug on master. Could you please confirm on which version you faced this issue?

I performed the following steps:

Changed in the local.conf:
ENABLED_SERVICES+=,tls-proxy
./stack.sh

Moved the certificates and updated them.

$ openstack --insecure network list
+--------------------------------------+---------+----------------------------------------------------------------------------+
| ID                                   | Name    | Subnets                                                                    |
+--------------------------------------+---------+----------------------------------------------------------------------------+
| 56bc853f-bf88-412f-99a3-102e465e593d | private | 331139fc-16e1-4ab6-8977-e31f1f985f08, 56d93b38-64bb-49d7-8a1c-83b7f2c9e94b |
| 977727e1-9e7c-4171-b883-cb7f524645e1 | public  | 18911d42-c967-4d6d-90dd-b71405d584c6, a25175a4-5a84-4b42-bd03-5249efd4b372 |
+--------------------------------------+---------+----------------------------------------------------------------------------+

It ran perfectly. Am I missing something?

Dr. Jens Harbott (j-harbott) wrote :

Can you verify that you are getting an SSL error when you run without the "--insecure" option?

Vishakha Agarwal (vishakha.agarwal) wrote :

Here is the error -

openstack network list
Failed to discover available identity versions when contacting https://127.0.0.1/identity. Attempting to parse version from URL.
Could not determine a suitable URL for the plugin

Dr. Jens Harbott (j-harbott) wrote :

This is strange. I'll try once more to reproduce on a fresh instance.

Dr. Jens Harbott (j-harbott) wrote :

O.k., I missed one step, which strangely only seems to affect the Neutron commands:

unset OS_CACERT

This is being set by openrc and seems to override validation there. If you unset it, you should be able to verify my issue.

Vishakha Agarwal (vishakha.agarwal) wrote :

Thanks for the response. Performed unset OS_CACERT, still working fine.

$ openstack --insecure network list
+--------------------------------------+---------+----------------------------------------------------------------------------+
| ID                                   | Name    | Subnets                                                                    |
+--------------------------------------+---------+----------------------------------------------------------------------------+
| a1bd2d14-2ff7-4ad2-ace0-3905a17d824f | private | aaaf2292-6363-414f-8dde-52a59b6abac9, eb6d5470-9fb5-4a45-a896-e76050f90883 |
| d5410bea-40a0-4d0d-bb57-2c174a2072d3 | public  | 63b97dad-f80a-434c-89d2-dcd8b1c40777, 6bf6c6f2-92b9-4384-a6e4-b1e22aa95cc8 |
+--------------------------------------+---------+----------------------------------------------------------------------------+
stack@ubuntu-xenial:/usr/local/share/ca-certificates$ openstack network list
Unable to establish connection to https://127.0.0.1/identity/v3/auth/tokens: HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /identity/v3/auth/tokens (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
