Comment 0 for bug 1958262

Francisco Giana (fgiana) wrote :

Brief Description
-----------------
The --insecure option works on the system and the dcmanager commands but not on the fm commands. It should work consistently. In addition, if the commands don’t work with an ICA certificate, they should. Priority is on the --insecure option.

Severity
--------
<Major: System/Feature is usable but degraded>

Steps to Reproduce
------------------
1. Enable https: system modify --https_enabled=true
2. Configure remote-cli
3. Run fm alarm-list (from cli)
4. Or fm --fm-url https://(public_fm_endpoint):18002 --os-auth-url https://(public_keystone_endpoint):5000/v3 alarm-list
   for instance: fm --fm-url https://10.20.2.3:18002 --os-auth-url https://10.20.2.3:5000/v3 alarm-list

Expected Behavior
------------------
fm should support the --insecure parameter and allow connecting to a system configured with self-signed certificates or a private ICA certificate.

Actual Behavior
----------------
fm does not support the --insecure parameter

fm --insecure alarm-list
usage: fm [--version] [--debug] [-v] [--timeout TIMEOUT]
[--os-username OS_USERNAME] [--os-password OS_PASSWORD]
[--os-tenant-id OS_TENANT_ID] [--os-tenant-name OS_TENANT_NAME]
[--os-auth-url OS_AUTH_URL] [--os-region-name OS_REGION_NAME]
[--os-auth-token OS_AUTH_TOKEN] [--fm-url FM_URL]
[--fm-api-version FM_API_VERSION]
[--os-service-type OS_SERVICE_TYPE]
[--os-endpoint-type OS_ENDPOINT_TYPE]
[--os-user-domain-id OS_USER_DOMAIN_ID]
[--os-user-domain-name OS_USER_DOMAIN_NAME]
[--os-project-id OS_PROJECT_ID] [--os-project-name OS_PROJECT_NAME]
[--os-project-domain-id OS_PROJECT_DOMAIN_ID]
[--os-project-domain-name OS_PROJECT_DOMAIN_NAME]
<subcommand> ...
fm: error: unrecognized arguments: --insecure

Reproducibility
---------------
100% reproducible.

System Configuration
--------------------
Any system with https self-signed or ICA certificate activated.

Branch/Pull Time/Commit
-----------------------

Last Pass
---------
N/A

Timestamp/Logs
--------------
After remote-cli has been configured and https_enabled has been enabled.

fm --debug alarm-list
DEBUG (extension:189) found extension EntryPoint.parse('noauth = cinderclient.contrib.noauth:CinderNoAuthLoader')
DEBUG (extension:189) found extension EntryPoint.parse('v2token = keystoneauth1.loading._plugins.identity.v2:Token')
DEBUG (extension:189) found extension EntryPoint.parse('none = keystoneauth1.loading._plugins.noauth:NoAuth')
DEBUG (extension:189) found extension EntryPoint.parse('v3oauth1 = keystoneauth1.extras.oauth1._loading:V3OAuth1')
DEBUG (extension:189) found extension EntryPoint.parse('admin_token = keystoneauth1.loading._plugins.admin_token:AdminToken')
DEBUG (extension:189) found extension EntryPoint.parse('v3oidcauthcode = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectAuthorizationCode')
DEBUG (extension:189) found extension EntryPoint.parse('v2password = keystoneauth1.loading._plugins.identity.v2:Password')
DEBUG (extension:189) found extension EntryPoint.parse('v3samlpassword = keystoneauth1.extras._saml2._loading:Saml2Password')
DEBUG (extension:189) found extension EntryPoint.parse('v3password = keystoneauth1.loading._plugins.identity.v3:Password')
DEBUG (extension:189) found extension EntryPoint.parse('v3adfspassword = keystoneauth1.extras._saml2._loading:ADFSPassword')
DEBUG (extension:189) found extension EntryPoint.parse('v3oidcaccesstoken = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectAccessToken')
DEBUG (extension:189) found extension EntryPoint.parse('v3oidcpassword = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectPassword')
DEBUG (extension:189) found extension EntryPoint.parse('v3kerberos = keystoneauth1.extras.kerberos._loading:Kerberos')
DEBUG (extension:189) found extension EntryPoint.parse('v3totp = keystoneauth1.loading._plugins.identity.v3:TOTP')
DEBUG (extension:189) found extension EntryPoint.parse('token = keystoneauth1.loading._plugins.identity.generic:Token')
DEBUG (extension:189) found extension EntryPoint.parse('v3oidcclientcredentials = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectClientCredentials')
DEBUG (extension:189) found extension EntryPoint.parse('v3tokenlessauth = keystoneauth1.loading._plugins.identity.v3:TokenlessAuth')
DEBUG (extension:189) found extension EntryPoint.parse('v3token = keystoneauth1.loading._plugins.identity.v3:Token')
DEBUG (extension:189) found extension EntryPoint.parse('v3multifactor = keystoneauth1.loading._plugins.identity.v3:MultiFactor')
DEBUG (extension:189) found extension EntryPoint.parse('v3applicationcredential = keystoneauth1.loading._plugins.identity.v3:ApplicationCredential')
DEBUG (extension:189) found extension EntryPoint.parse('password = keystoneauth1.loading._plugins.identity.generic:Password')
DEBUG (extension:189) found extension EntryPoint.parse('v3fedkerb = keystoneauth1.extras.kerberos._loading:MappedKerberos')
DEBUG (session:494) REQ: curl -g -i -X GET https://10.20.2.3:5000/v3 -H "Accept: application/json" -H "User-Agent: fm keystoneauth1/3.17.1 python-requests/2.22.0 CPython/2.7.5"
DEBUG (connectionpool:815) Starting new HTTPS connection (1): 10.20.2.3:5000
WARNING (base:145) Failed to discover available identity versions when contacting https://10.20.2.3:5000/v3. Attempting to parse version from URL.
DEBUG (base:182) Making authentication request to https://10.20.2.3:5000/v3/auth/tokens
DEBUG (connectionpool:815) Starting new HTTPS connection (2): 10.20.2.3:5000
Must provide Keystone credentials or user-defined endpoint and token, error was: SSL exception connecting to https://10.20.2.3:5000/v3/auth/tokens: HTTPSConnectionPool(host='10.20.2.3', port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

Test Activity
-------------
Customer Testing

Workaround
----------
There is no workaround.
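
How a keystoneauth1-style client usually maps these options to TLS verification, as an added example (not fm's code and not part of the original report). The `--os-cacert` flag, the `OS_CACERT` variable and every function name here are assumptions taken from common OpenStack client usage; a CA bundle keeps verification on for a private ICA, while `--insecure` turns it off.

```python
import argparse
import os
import ssl


def build_parser():
    """Hypothetical parser; only --insecure appears in the report above."""
    p = argparse.ArgumentParser(prog="example-cli")
    p.add_argument("--insecure", action="store_true", default=False,
                   help="skip server certificate verification")
    p.add_argument("--os-cacert", metavar="<ca-bundle>",
                   default=os.environ.get("OS_CACERT"),
                   help="PEM bundle with the private root/ICA chain")
    p.add_argument("subcommand")
    return p


def resolve_verify(args):
    """Return a requests-style `verify` value.

    False -> no verification (--insecure wins over any CA bundle)
    str   -> verify against the given CA bundle (private ICA case)
    True  -> verify against the system trust store
    """
    if args.insecure:
        return False
    if args.os_cacert:
        return args.os_cacert
    return True


def make_ssl_context(verify):
    """Build the equivalent ssl.SSLContext for a `verify` value."""
    if verify is True:
        return ssl.create_default_context()
    if verify is False:
        ctx = ssl.create_default_context()
        # check_hostname must be cleared before verify_mode can be CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # A path: trust only what the bundle contains; hostname checks stay on.
    return ssl.create_default_context(cafile=verify)


if __name__ == "__main__":
    args = build_parser().parse_args(["--insecure", "alarm-list"])
    print("verify =", resolve_verify(args))
```

The value from `resolve_verify` is what a client would pass as `verify=` when creating its `keystoneauth1.session.Session`, so the Keystone token request and the service request share one TLS policy.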