When connecting an appliance to an OpenStack Cloud provider secured with SSL and attempting to validate the credentials, in the WebUI the user will see: Unexpected response returned from system, see log for details This appears to be a new error with 5.4, but it would be nice to have this tested in 5.3 to be certain. This was identified in a talk.manageiq question: http://talk.manageiq.org/t/ssl-failing-on-openstack-provider/595 Steps to reproduce: 1. Navigate to Clouds -> Providers -> Add new cloud provider 2. Enter details for an OpenStack Cloud environment protected with SSL 3. Click "Validate" Actual Results: The error "Unexpected response returned from system, see log for details" appears Expected Results: The message indicating that the credentials were successfully validated.
New commit detected on manageiq/master: https://github.com/ManageIQ/manageiq/commit/9de72f3cd399f1f6363c052defefc66198f4389d commit 9de72f3cd399f1f6363c052defefc66198f4389d Author: Greg Blomquist <gblomqui> AuthorDate: Mon Mar 16 14:28:20 2015 -0400 Commit: Greg Blomquist <gblomqui> CommitDate: Tue Mar 17 20:53:41 2015 -0400 Ensure that all Openstack connections try SSL This bug uncovered the fact that some connections to OpenStack were not attempting to use SSL. The main issue with OpenStack SSL connections is that we don't have: 1) standard ports from the OpenStack system designated as SSL ports for the Keystone service, and 2) a way to specify (in the ManageIQ database) whether a Provider's connection should be SSL or not This leaves the OpenStack connection code with the responsibility of checking whether connections should be trying SSL or not. This was originally implemented for the OpenStack API calls, but missed the call ManageIQ makes with an "unscoped token" when trying to establish the entire list of tenants available in an OpenStack environment. This patch introduces the notion of attempting all connections to OpenStack first without SSL, then, failing non-ssl, with SSL. https://bugzilla.redhat.com/show_bug.cgi?id=1201920 lib/openstack/openstack_handle/handle.rb | 34 ++++++++++++++-------- .../openstack_handle/identity_delegate.rb | 21 ++++++------- lib/spec/openstack/openstack_handle/handle_spec.rb | 2 +- 3 files changed, 34 insertions(+), 23 deletions(-)
New commit detected on manageiq/master: https://github.com/ManageIQ/manageiq/commit/1de2abc084798c590ea0ce17957c347def2731a0 commit 1de2abc084798c590ea0ce17957c347def2731a0 Author: Greg Blomquist <gblomqui> AuthorDate: Mon Mar 16 14:50:37 2015 -0400 Commit: Greg Blomquist <gblomqui> CommitDate: Tue Mar 17 20:53:41 2015 -0400 Bypass default_tenant_name lookup when validating credentials It is unnecessary to determine the user's default tenant name when just validating the credentials. Setting the service to the Identity service will bypass the attempt to find the default tenant name and jump directly to checking if the credentials are valid. https://bugzilla.redhat.com/show_bug.cgi?id=1201920 vmdb/app/models/mixins/ems_openstack_mixin.rb | 1 + 1 file changed, 1 insertion(+)
Verified in 5.4.0.0.22 against 5.4.0.0.11 where the error happens. I used a SSL secured port 5443 for connection and it worked for .22 and failed for .11 with the same error flash message as described in the bug description.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-1100.html