After successful deployment of Openstack Queens - container based , I was unable to perform openstack commands, such as openstack server list.
Expected result:
openstack server list - returns successfully.
nova list - returns succesfully.
Command(s):
openstack server list , nova list , neutron net-list
Environment:
Centos 7.4 Openstack Queens
Actual result:
nova list
ERROR (ClientException): The server has either erred or is incapable of performing the requested operation. (HTTP 500) (Request-ID: req-13b9623e-4bba-4fae-8c19-688cc0a918a3)
After running 'nova list' from the controller, I saw the following stack trace in container nova-api.log:
ERROR nova.api.openstack [req-78abc508-62f9-4bc4-adb6-7942a639d9f0 c714531e734e431bb0124aceed382a30 871f9545f52a4b6c8cbf744b09917e58 - default default] Caught error: The label XXX-IPV6-ADDRESS-REMOVED-XXX is not a valid A-label: IDNAError: The label XXX-IPV6-ADDRESS-REMOVED-XXX is not a valid A-label
The issues arises from using IPv6 IPs in our certificate SAN.
After some debugging, I located this github issue that addresses this exact issue:
https://github.com/urllib3/urllib3/issues/1269
I manually tested the following patch found from the above github link, and have successful results after:
diff --git a/urllib3/contrib/pyopenssl.py b/urllib3/contrib/pyopenssl.py
index 2762bca..df9946a 100644
--- a/urllib3/contrib/pyopenssl.py
+++ b/urllib3/contrib/pyopenssl.py
@@ -172,6 +172,8 @@ def _dnsname_to_stdlib(name):
return prefix.encode('ascii') + idna.encode(name)
return idna.encode(name)
+ if ':' in name:
+ return name
name = idna_encode(name)
if sys.version_info >= (3, 0):
name = name.decode('utf-8')
Result:
Openstack commands now return successfully after applying the patch above to the containers.
Is this still an issue?