certificate install returns code 200 on errors

Bug #1827206 reported by Allain Legacy on 2019-05-01
This bug affects 1 person
Affects Status Importance Assigned to Milestone

Bug Description

Brief Description
The "system certificate-install" command does not return proper error return codes when a validation failure occurs. This causes users of the API to consider that the last command submitted has succeeded.

Note that the example listed below represents only a single code path in the certificate install. All errors paths need to be fixed as there are multiple examples of this problem occurring.


Steps to Reproduce
system certificate-install -m dummy some-cert-file.pem

Expected Behavior
Any command with invalid input should return a 400 series error to indicate that the input data is invalid.

Actual Behavior
The API request completes with a 200 return code which is an "OK" return code.


System Configuration

Branch/Pull Time/Commit

Last Pass

This is the verbose/debug output from running the command listed in the steps to reproduce. Note the "200" response at the end of the POST line.

DEBUG (connectionpool:395) "POST /v1/certificate/certificate_install HTTP/1.1" 200 47
Certificate vbox-aio.pem not installed: Invalid mode: dummy

Test Activity
Developer Testing

Frank Miller (sensfan22) wrote :

While this issue does not gate the stx.2.0 release, the error paths in the code should be cleaned up to provide a proper error reason.

Adding stx.helpwanted tag. This would be a good candidate for a newer community member to take on.

Changed in starlingx:
status: New → Triaged
importance: Undecided → Low
tags: added: stx.helpwanted
Changed in starlingx:
importance: Low → Medium
Ghada Khalil (gkhalil) on 2019-05-06
tags: added: stx.config
Ghada Khalil (gkhalil) wrote :

By convention, non-gating issues are marked as low priority.

Changed in starlingx:
importance: Medium → Low
Lin Shuicheng (shuicheng) wrote :

Reproduced it, will try to check it.

Changed in starlingx:
assignee: nobody → Lin Shuicheng (shuicheng)
Lin Shuicheng (shuicheng) wrote :

Hi all,
I prefer to return "400 BAD REQUEST", "to indicate that the input data is invalid."

Here is the status code 400's definition:
The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).

Please notify me if you have better suggestion. Here is the link for http status code definition:

Cindy Xie (xxie1) on 2019-06-28
Changed in starlingx:
assignee: Lin Shuicheng (shuicheng) → zhao.shuai (zhao.shuai)
wanghejun (wanghejun) wrote :
Download full text (5.9 KiB)

  With the help of Allain Legacy, I have reproduced bugs in the latest starlingx (2019/06/26) environment. Currently, the script code is parsed and debugged mainly according to the log. The scope of the bug may be a bit large and takes a little time.
  If you have good suggestions, welcome to share.
  The following is the log of the bug reproduction.

[sysadmin@controller-0 ~(keystone_admin)]$ system --debug certificate-install -m dummy mykey.pem
DEBUG (base:187) Making authentication request to
DEBUG (connectionpool:207) Starting new HTTP connection (1):
DEBUG (connectionpool:395) "POST /v3/auth/tokens HTTP/1.1" 201 4540
DEBUG (base:192) {"token": {"is_domain": false, "methods": ["password"], "roles": [{"id": "02cf8679e4bd4feebde070949562670f", "name": "reader"}, {"id": "97e6164b985f44b3899ad8022de3eb60", "name": "member"}, {"id": "09115934acf44204b3c4df69742c6286", "name": "admin"}], "expires_at": "2019-07-05T08:42:27.000000Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "0c2bf514002948238cbecadda2440dce", "name": "admin"}, "catalog": [{"endpoints": [{"url": "", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "646e43841db1442f89e792bfee0d1f03"}, {"url": "", "interface": "internal", "region": "RegionOne", "region_id": "RegionOne", "id": "eb616ad932e14bef86a5bfda895187d3"}, {"url": "", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "76017e49ff524950a8653cd189e1ca7b"}], "type": "faultmanagement", "id": "962af3c06eab47c385eeb74f6128e721", "name": "fm"}, {"endpoints": [{"url": "", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "35a27d0482c14ce99e0a23d25c8a963d"}, {"url": "", "interface": "internal", "region": "RegionOne", "region_id": "RegionOne", "id": "1fae0f3821514985943d302d47d1780b"}, {"url": "", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "fd2f04cb9ef34c0d93763030624541a6"}], "type": "key-manager", "id": "3bd317389fd14168adbbfdbc9aa60f1c", "name": "barbican"}, {"endpoints": [{"url": "", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "d14134cd59b146ad814f404189ad12de"}, {"url": "", "interface": "internal", "region": "RegionOne", "region_id": "RegionOne", "id": "5a2368d1c33e4c88bf9fd6b92a14feb5"}, {"url": "", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "bdf089a0187440b58323a181ca501e9b"}], "type": "identity", "id": "bb9aab9eafbb4ce2bbb3e1d333a15a71", "name": "keystone"}, {"endpoints": [{"url": "", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "99f16d7f6ee146b5b7d39b3025a21e24"}, {"url": "", "interface": "internal", "region": "RegionOne", "region_id": "RegionOne", "id": "1204f5edebe44657aa0ee9f631e6c67b"}, {"url": "


Cindy Xie (xxie1) wrote :

Issue reproduced by Neusoft engineer.

Changed in starlingx:
status: Triaged → Confirmed
wanghejun (wanghejun) wrote :

    I recently mainly analyzed the log information of the command and the script code related to the http status code. Currently, I have not found a place to set the status code.In the course of the investigation, there are several speculations.
    1.code return value 200 indicates that the server and the client are successfully connected, and successfully received the POST request, and has not performed the related operations of the certificate installation, so it returns 200.
    2.The format of the command "system --debug certificate-install -m dummy mykey.pem" is correct. The parameter mode is set incorrectly (dummy). The http server does not recognize the error.
    3.http status code is a standard numeric code common to HTTP. In openstack, the corresponding code return value judgment processing, whether it may have been encapsulated, is directly obtained through system functions during use.

    The following are two cases (mode=default) that I debug this command, for reference only.
      [sysadmin@controller-0 ~(keystone_admin)]$ system --debug certificate-install mykey.pem
      DEBUG (base:187) Making authentication request to
      DEBUG (connectionpool:207) Starting new HTTP connection (1):
      DEBUG (connectionpool:395) "POST /v3/auth/tokens HTTP/1.1" 201 4540
      DEBUG (connectionpool:207) Starting new HTTP connection (1):
      DEBUG (connectionpool:395) "POST /v1/certificate/certificate_install HTTP/1.1" 200 82
      Certificate mykey.pem not installed: No certificates have been added, https is not enabled.

      [sysadmin@controller-0 ~(keystone_admin)]$ system modify --https_enabled=True
      [sysadmin@controller-0 ~(keystone_admin)]$ system --debug certificate-install mykey.pem
      DEBUG (base:187) Making authentication request to
      DEBUG (connectionpool:207) Starting new HTTP connection (1):
      DEBUG (connectionpool:395) "POST /v3/auth/tokens HTTP/1.1" 201 4540
      DEBUG (connectionpool:207) Starting new HTTP connection (1):
      DEBUG (connectionpool:395) "POST /v1/certificate/certificate_install HTTP/1.1" 500 0
      Certificate mykey.pem not installed: Expecting value: line 1 column 1 (char 0)

    The error in case 2 above (code=500) may be because HTTPS does not currently support container configuration, see https://wiki.openstack.org/wiki/StarlingX/Containers/Limitations.

    According to the code "/usr/lib64/python2.7/site-packages/sysinv/api/controllers/v1/certificate.py", the parameter mode in the command is defined as follows:
         default: install certificate for ssl
         tpm_mode: install certificate to tpm devices for ssl
         docker_registry: install certificate for docker registry
         openstack: install certificate for openstack
         openstack_ca: install ca certificate for openstack

    If you have good suggestions, welcome to share.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers