Bug 915225
Summary: | RHEVM-SDK: Add constructor parameter validate-cert-chain=True | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Barak <bazulay> | |
Component: | ovirt-engine-sdk | Assignee: | Michael Pasternak <mpastern> | |
Status: | CLOSED ERRATA | QA Contact: | Ilanit Stein <istein> | |
Severity: | medium | Docs Contact: | ||
Priority: | high | |||
Version: | 3.1.0 | CC: | aburden, acathrow, alonbl, alourie, bazulay, bdagan, dyasny, ecohen, iheim, kroberts, mgoldboi, mpastern, oramraz, Rhev-m-bugs, sgrinber, yeylon, ykaul | |
Target Milestone: | --- | |||
Target Release: | 3.2.0 | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | infra | |||
Fixed In Version: | sf10 | Doc Type: | Bug Fix | |
Doc Text: |
Previously, the SDK ignored the '--insecure' option and would still require a CA certificate when connecting to the REST API. A new parameter, 'validate-cert-chain', which defaults to 'True', has been added to ensure certificate chain validation during connection.
|
Story Points: | --- | |
Clone Of: | 886525 | |||
: | 915231 (view as bug list) | Environment: | ||
Last Closed: | 2013-06-10 20:14:07 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 886525, 915231, 922807 |
Description
Barak
2013-02-25 09:16:12 UTC
Still looks the same on sf-10 (CA cert is not present in default path /etc/pki/ovirt-engine/ca.pem):

```
[root@istein-32 notifier]# rhevm-iso-uploader --insecure list
Please provide the REST API password for the admin@internal oVirt Engine user (CTRL+D to abort):
ERROR: Problem connecting to the REST API. Is the service available and does the CA certificate exist?
```

(In reply to comment #2)
> Still looks the same on sf-10
> (CA cert is not present in default path /etc/pki/ovirt-engine/ca.pem):
>
> [root@istein-32 notifier]# rhevm-iso-uploader --insecure list
> Please provide the REST API password for the admin@internal oVirt Engine
> user (CTRL+D to abort):
> ERROR: Problem connecting to the REST API. Is the service available and
> does the CA certificate exist?

This is an SDK RFE; why are you testing it with rhevm-iso-uploader, which most likely has no support for this feature?

Michael,

Would you please explain the steps I should do in order to verify this bug?

Thanks,
Ilanit.

(In reply to comment #4)
> Michael,
>
> Would you please explain the steps I should do in order to verify this bug?
>
> Thanks,
> Ilanit.

Sure, just try creating an SDK proxy for an SSL site with validate_cert_chain=False and ca_file="/tmp/xxx"; if it works for you (no exception has been thrown), you're done!

What happens behind the scenes: CA certificate validation is turned off and the non-existent "/tmp/xxx" file is ignored.
- Verified on sdk rhevm-sdk-3.2.0.5-1.el6ev:
- The following Python file was run successfully:

```python
from ovirtsdk.xml import params
from ovirtsdk.api import API

USER = 'admin@internal'
PASS = '123456'
URL = 'https://meni-rhevm-sf.qa.lab.tlv.redhat.com/'

# Chain validation is disabled, so the non-existent ca_file is never read.
api = API(url=URL, username=USER, password=PASS, validate_cert_chain=False, ca_file="/tmp/xxx")
```

- For validate_cert_chain=True, an error is given:

```
Traceback (most recent call last):
  File "/tmp/test.py", line 9, in <module>
    api = API(url=URL, username=USER, password=PASS, validate_cert_chain=True, ca_file="/tmp/xxx")
  File "/usr/lib/python2.6/site-packages/ovirtsdk/api.py", line 118, in __init__
    url='/api'
  File "/usr/lib/python2.6/site-packages/ovirtsdk/infrastructure/proxy.py", line 199, in request
    noParse=noParse)
  File "/usr/lib/python2.6/site-packages/ovirtsdk/infrastructure/proxy.py", line 261, in __doRequest
    raise ConnectionError, str(e)
ovirtsdk.infrastructure.errors.ConnectionError: [ERROR]::oVirt API connection failure, [Errno 185090050] _ssl.c:328: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0912.html
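The flag semantics verified above, expressed with Python 3's standard `ssl` module. This is an added example, not part of the original bug report and not ovirtsdk code. `build_tls_context`, `describe` and the constructed missing-file path are hypothetical names chosen for illustration.

```python
import os
import ssl
import tempfile


def build_tls_context(validate_cert_chain=True, ca_file=None):
    """Return an ssl.SSLContext that mirrors the flag semantics in this bug.

    Hypothetical helper written for this page, not the SDK's implementation.
    """
    if validate_cert_chain:
        # Validation on (the default): the CA bundle must load, otherwise
        # fail here, before any credentials are sent over the connection.
        ctx = ssl.create_default_context()
        if ca_file is not None:
            ctx.load_verify_locations(cafile=ca_file)
        return ctx
    # Validation off: ca_file is never opened, so a missing path is ignored.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before setting CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(validate_cert_chain, ca_file):
    """Summarise the outcome for one flag/path combination."""
    try:
        ctx = build_tls_context(validate_cert_chain, ca_file)
    except OSError as exc:  # FileNotFoundError and ssl.SSLError are OSErrors
        return "refused: " + type(exc).__name__
    verified = ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return "verified" if verified else "UNVERIFIED"


if __name__ == "__main__":
    # Constructed sample input: a path guaranteed not to exist.
    missing = os.path.join(tempfile.mkdtemp(), "missing-ca.pem")
    for flag, path in [(False, missing), (True, missing), (True, None)]:
        print("validate_cert_chain=%s ca_file=%s -> %s"
              % (flag, "set" if path else "unset", describe(flag, path)))
```

A caller that logs the `describe` result at connection setup makes any use of the unverified mode visible in review and in logs.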