When using candidate/edge channels (ussuri/victoria) getting error on accessing SSL CA file

Bug #1911234 reported by Drew Freiberger
This bug affects 3 people
Affects: OpenStack Clients Snap
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

It appears that the CACERT needs to be within the ~/snap/openstackclients/common directory to work with OS_CACERT.

fails:

OS_CACERT=/home/myuser/some-directory/ca-bundle.pem
myuser@infra1:~$ openstack resource provider list
Failed to discover available identity versions when contacting https://keystone.lon1.openstack.hyperoptic.com:5000/v3. Attempting to parse version from URL.
SSL exception connecting to https://keystone.mysite.com:5000/v3/auth/tokens: HTTPSConnectionPool(host='keystone.lon1.openstack.hyperoptic.com', port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLError("unable to load trusted certificates: Error([('system library', 'fopen', 'Permission denied'), ('BIO routines', 'BIO_new_file', 'system lib'), ('x509 certificate routines', 'X509_load_cert_crl_file', 'system lib')],)",),))

succeeds:

OS_CACERT=/home/myuser/openstackclients/common/ca-bundle.pem
myuser@infra1:~$ openstack resource provider list
+--------------------------------------+--------------------------------------+------------+
| uuid | name | generation |
+--------------------------------------+--------------------------------------+------------+
....snip....

It is my opinion that openstackclients needs to support the homedir plug to allow access to OS_CACERT in directories other than system paths and ~/snap/$snapname paths.

Workaround is to copy your CA bundle into ~/snap/openstackclients/common and point OS_CACERT to that path.

James Page (james-page) wrote :

Hi Drew

I've done work over the last week or so to rationalise the plugging for this snap - could you try again? The openstack entry point should have access to $HOME (and other .* directories and files).

Changed in snap-openstackclients:
status: New → Incomplete
Xav Paice (xavpaice) wrote :

I tried this on another site, where the ca cert was stored in /etc/ssl/certs. That failed, but I was able to put the cert in any location within $HOME and it worked out OK. What I wonder is if that's a desired design or if we really want to only address certs in ~/ outside of the ones installed in the snap.

Changed in snap-openstackclients:
status: Incomplete → New
Xav Paice (xavpaice) wrote :

I should mention, the snap version:

openstackclients victoria 134 latest/stable canonical✓ -
