DC: "system --os-endpoint-type adminURL show" fails

Bug #1889942 reported by Andy
Affects | Status | Importance | Assigned to | Milestone
StarlingX | Fix Released | Medium | Andy |

Bug Description

Brief Description
-----------------
In a DC system (where services' admin endpoints are https), the "system --os-endpoint-type adminURL show" command fails with a certificate verification error:

[root@controller-1 sysadmin(keystone_admin)]# system --os-endpoint-type adminURL show
Validation of the Ssl certificate failed. reason=[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)

This happens on both System Controller and subclouds.

Severity
--------
Minor

Steps to Reproduce
------------------
In a DC system, run the system command to query inventory by admin endpoint:

system --os-endpoint-type adminURL show
system --os-endpoint-type adminURL host-list

The command will fail with a certificate verification error.

Expected Behavior
------------------
The command executes successfully.

Actual Behavior
----------------
The command will fail with a certificate verification error.

Reproducibility
---------------
100% reproducible

System Configuration
--------------------
On both System Controller and subclouds of a DC system.

Branch/Pull Time/Commit
-----------------------
stx master

Last Pass
---------
N/A

Timestamp/Logs
--------------
N/A

Test Activity
-------------
Developer Testing

Workaround
----------
Specify the --ca-file option to point to the system's trusted CA cert bundle:
system --ca-file /etc/ssl/certs/ca-bundle.crt --os-endpoint-type adminURL show

Andy (andy.wrs)
Changed in starlingx:
assignee: nobody → Andy (andy.wrs)
Ghada Khalil (gkhalil) wrote :

stx.5.0 / medium - would be nice to fix, but there is a workaround

summary: - In DC system "system --os-endpoint-type adminURL show" fails
+ DC: "system --os-endpoint-type adminURL show" fails
Changed in starlingx:
importance: Undecided → Medium
status: New → Triaged
tags: added: stx.5.0 stx.distcloud
OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/748536

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/748536
Committed: https://git.openstack.org/cgit/starlingx/config/commit/?id=c5d81b84e2c683abcfaaecd263ddfe78197d15df
Submitter: Zuul
Branch: master

commit c5d81b84e2c683abcfaaecd263ddfe78197d15df
Author: Andy Ning <email address hidden>
Date: Thu Aug 27 11:57:14 2020 -0400

    Fix default trusted CA file for system command

    Currently system commands don't have a default trusted CA file due to
    a bug in cgtsclient. This will cause system commands to fail when they
    access services' admin endpoints, which are https in a DC system.

    With this fix, system commands use OS trusted CA files as default to
    verify certificate.

    Change-Id: I133ec024d98839e96fa67223ada4d22820d08086
    Closes-Bug: 1889942
    Signed-off-by: Andy Ning <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
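
The behaviour the fix describes, falling back to the OS trust store when no CA file is named instead of verifying against nothing, shown as an added example. This is not the cgtsclient code: the function names, the OS_CACERT lookup (the usual OpenStack client variable) and the second bundle path are assumptions.

```python
import os
import ssl

# Assumed OS trust bundle locations. The first is the path used in the
# workaround above; the second is the Debian/Ubuntu equivalent.
SYSTEM_CA_BUNDLES = (
    "/etc/ssl/certs/ca-bundle.crt",
    "/etc/ssl/certs/ca-certificates.crt",
)


def resolve_ca_file(explicit=None, environ=None, candidates=SYSTEM_CA_BUNDLES):
    """Return the CA bundle path to verify against, or None for OpenSSL defaults.

    Precedence: explicit option (like --ca-file), then OS_CACERT, then the
    first OS bundle that exists. A named file that is missing is an error,
    never a silent downgrade to an empty or unverified trust store.
    """
    environ = os.environ if environ is None else environ
    named = (("--ca-file", explicit), ("OS_CACERT", environ.get("OS_CACERT")))
    for source, path in named:
        if path:
            if not os.path.isfile(path):
                raise FileNotFoundError(f"{source} points to missing file: {path}")
            return path
    for path in candidates:
        if os.path.isfile(path):
            return path
    return None


def build_context(ca_file=None):
    """Build a client context that always verifies the server certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()  # OpenSSL's default trust locations
    return ctx


def empty_trust_context():
    """The failure mode: verification required but no trust anchors loaded."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
```

A handshake through `empty_trust_context()` fails with CERTIFICATE_VERIFY_FAILED for every server, valid or not, which matches the symptom in the report.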