| Summary: | Quantum client does not support the OS_CACERT environment variable | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Javier Peña <javier.pena> |
| Component: | python-neutronclient | Assignee: | Jakub Ruzicka <jruzicka> |
| Status: | CLOSED ERRATA | QA Contact: | Nir Magnezi <nmagnezi> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 3.0 | CC: | ahoness, breeler, chrisw, hateya, javier.pena, jruzicka, oblaut, yeylon |
| Target Milestone: | beta | Flags: | breeler: needinfo? (jruzicka) |
| Target Release: | 4.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | python-neutronclient-2.3.1-1.el6ost | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-12-20 00:36:33 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Javier Peña
2013-11-15 22:01:25 UTC
A workaround is to manually add the CA certificate to /etc/ssl/certs/ca-bundle.crt, doing something like:

```
openssl x509 -in /etc/pki/CA/certs/ca.crt -text >> /etc/ssl/certs/ca-bundle.crt
```

However, any package update could break this again, I guess.

The upstream fix mentioned is included in python-neutronclient >= 2.2.5, so this should be fixed in the current version.

Auto adding >= MODIFIED bugs to beta

Would you please add steps for Keystone with SSL configuration, especially on how to create all the cert and key files?

The steps followed were:

1- Create an openssl.cnf file with the following contents:

```
[ req ]
default_bits = 2048
default_keyfile = keystonekey.pem
default_md = default
req_extensions = v3_req
prompt = no
distinguished_name = distinguished_name

[ distinguished_name ]
countryName = ES
stateOrProvinceName = MA
localityName = Madrid
organizationName = OrgName
organizationalUnitName = OrgUnit
commonName = loadbalancer.internal.example.com

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.2 = server1.internal.example.com
DNS.3 = server2.internal.example.com
DNS.4 = loadbalancer.external.example.com
DNS.5 = loadbalancer.internal.example.com
IP.1 = 10.26.236.249
IP.2 = 10.26.238.217
IP.3 = 10.26.238.243
IP.4 = 10.26.238.244
```

2- Generate the CSR (the -config argument names the file created in step 1):

```
openssl req -newkey rsa:2048 -keyout signing_key.pem -keyform PEM -out signing_cert_req.pem -outform PEM -config openssl.cnf -nodes
```

3- In this case, we were using a Microsoft CA, so I just uploaded the CSR and generated a new signed certificate, using a "Web Server" certificate template. I have not tested other cases, but http://www.devsec.org/info/ssl-cert.html seems to provide easy-to-follow steps for OpenSSL signing.

4- Download the generated certificate in PEM format and place it in the path specified by the configuration file (in our case, /etc/pki/tls/certs/ost-keystone.pem for the certificate and /etc/pki/tls/private/ost-keystone.pem for the private key, generated in step 2).

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1859.html
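As an added example (not part of the bug report or of the neutronclient project), the check below parses the subjectAltName section of an openssl.cnf like the one in step 1 and reports whether a certificate issued from it would verify for each endpoint a client will contact; the function names `parse_cnf`, `san_entries` and `covers` are my own, the embedded config is abridged from step 1, and it assumes the client matches hostnames against the SAN, not the CN.

```python
import ipaddress
import re

# Constructed sample: the SAN-relevant sections of the openssl.cnf in this bug.
OPENSSL_CNF = """\
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.2 = server1.internal.example.com
DNS.3 = server2.internal.example.com
DNS.4 = loadbalancer.external.example.com
DNS.5 = loadbalancer.internal.example.com
IP.1 = 10.26.236.249
IP.2 = 10.26.238.217
IP.3 = 10.26.238.243
IP.4 = 10.26.238.244
"""

def parse_cnf(text):
    # Minimal OpenSSL INI parser: {section: {key: value}}; '#' starts a comment.
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            cur = sections.setdefault(m.group(1), {})
        elif "=" in line and cur is not None:
            k, _, v = line.partition("=")
            cur[k.strip()] = v.strip()
    return sections

def san_entries(cnf):
    # Follow 'subjectAltName = @section' in [v3_req] to its DNS.*/IP.* list.
    alt = cnf[cnf["v3_req"]["subjectAltName"].lstrip("@")]
    dns = [v.lower() for k, v in alt.items() if k.startswith("DNS.")]
    ips = {ipaddress.ip_address(v) for k, v in alt.items() if k.startswith("IP.")}
    return dns, ips

def covers(cnf, endpoint):
    # Would a cert issued from this profile verify for `endpoint` (name or IP)?
    # The CN is ignored on purpose: TLS clients match hostnames against the SAN.
    dns, ips = san_entries(cnf)
    try:
        return ipaddress.ip_address(endpoint) in ips
    except ValueError:
        host = endpoint.lower().rstrip(".")
    # Exact match, or a wildcard confined to the leftmost label (assumption).
    return any(host == n or (n.startswith("*.") and host.endswith(n[1:])
                             and host.count(".") == n.count(".")) for n in dns)
```

Run it against the list of Keystone and Neutron endpoint hostnames before uploading the CSR in step 3: any endpoint it reports as not covered will fail verification even once the CA is trusted via OS_CACERT.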