certifi certificate as default?

Bug #1872314 reported by Fabian Zimmermann
This bug affects 1 person
Affects: tempest
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hi,

I just ran into some issues with tempest plugins (octavia, murano, ...) which seem not (yet) to set ca_certs during their client init.

It seems this was no problem until urllib3 changed the default from "CERT_NONE" to "CERT_REQUIRED" ( => https://urllib3.readthedocs.io/en/latest/user-guide.html#certificate-verification )

This change also makes the "ca_certificates_file" config option no longer "optional", because afaik urllib3 isn't using system CA certs by default; instead tempest should set "certifi.where()" as default.

This would also help work around the above plugin issues until they get config options for ca_certs themselves.

I already created a small patch to fix this, just would like to ask: What do you think about this change?
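
A sketch of the fallback proposed in the description, added here as an example; it is not the WIP patch linked in this report and not tempest code. The function names are hypothetical and `certifi` is treated as an optional import. The standard-library `ssl` module is used to show the failing state the report describes: verification required but no CA bundle loaded.

```python
import os
import ssl


def default_ca_bundle():
    """certifi's bundle if installed, else OpenSSL's default CA file (may be None)."""
    try:
        import certifi  # third-party; optional in this sketch
        return certifi.where()
    except ImportError:
        return ssl.get_default_verify_paths().cafile


def tls_pool_kwargs(ca_certificates_file=None):
    """Keyword arguments for urllib3.PoolManager that keep verification on."""
    if ca_certificates_file:
        # An explicit setting wins; a wrong path is a config error, not a
        # reason to fall back silently to another trust store.
        if not os.path.isfile(ca_certificates_file):
            raise FileNotFoundError(ca_certificates_file)
        bundle = ca_certificates_file
    else:
        bundle = default_ca_bundle()
    kwargs = {"cert_reqs": "CERT_REQUIRED"}
    if bundle:
        kwargs["ca_certs"] = bundle  # unset means the library's own default applies
    return kwargs


def trust_anchor_count(cafile=None):
    """CA certificates held by a verifying client context after loading cafile."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verify_mode is CERT_REQUIRED
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    return ctx.cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    # Verification required + empty trust store: no server cert can validate.
    print("context without a CA bundle:", trust_anchor_count(), "trust anchors")
    kwargs = tls_pool_kwargs()
    print("proposed default kwargs:", kwargs)
    if "ca_certs" in kwargs:
        print("with default bundle:", trust_anchor_count(kwargs["ca_certs"]))
```
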

Fabian Zimmermann (dev-faz) wrote :

Copy&Paste of my WIP-Patch: http://paste.openstack.org/show/791995/

description: updated
Martin Kopec (mkopec) wrote :

Hi, could you please include some error tracebacks, related logs and/or links where the issue occurred (gates, jobs if any) ..

Could you also upload the patch using Gerrit? It will be easier to review and get the opinion of others; see this OpenStack documentation:
https://docs.opendev.org/opendev/infra-manual/latest/developers.html#working-on-bugs

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tempest (master)

Fix proposed to branch: master
Review: https://review.opendev.org/720130

Changed in tempest:
assignee: nobody → Fabian Zimmermann (dev-faz)
status: New → In Progress
Fabian Zimmermann (dev-faz) wrote :

@mkopec I uploaded my patch to opendev.org. May I ask you to take a look?

Martin Kopec (mkopec) wrote :

Hi Fabian,

I'm sorry I missed your message here (I forgot to turn on all the notifications for this bug when I commented).

Can you, please, explain a little bit more in which situations tempest was failing so that I can try to reproduce the issue and verify that the patch fixes the issue?

Thanks

Fabian Zimmermann (dev-faz) wrote :

Hi,

No problem. Just run, e.g., the Octavia tempest plugin against an HTTPS-secured API.
Use a valid public cert and the tests will fail.

 Fabian

Martin Kopec (mkopec) wrote :

Hi Fabian,

I finally got some time and managed to deploy devstack with SSL and octavia. However, I didn't encounter any problems .. could you please be more specific and share the traceback you got and also the tempest.conf you used?
As I was playing with the environment I had a chance to improve python-tempestconf with regard to SSL -> https://review.opendev.org/c/osf/python-tempestconf/+/762923/ . Feel free to use the python-tempestconf project to generate a tempest.conf file for you.

Thanks

Martin Kopec (mkopec) wrote :

No updates for almost a year, python-tempestconf improvement mentioned in the comment above could have helped here. I'm marking this as Incomplete for now.

Changed in tempest:
status: In Progress → Incomplete
assignee: Fabian Zimmermann (dev-faz) → nobody
Launchpad Janitor (janitor) wrote :

[Expired for tempest because there has been no activity for 60 days.]

Changed in tempest:
status: Incomplete → Expired
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tempest (master)

Change abandoned by "Ghanshyam <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/tempest/+/720130
Reason: There has been no change/response for a long time, so we are abandoning it. Feel free to restore and rebase it.
