Bug 1207223 - pcs commands fail with "certificate verify failed"
Summary: pcs commands fail with "certificate verify failed"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pcs
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Tomas Jelinek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-03-30 13:15 UTC by Andrew Price
Modified: 2015-06-21 00:09 UTC (History)
3 users (show)

Fixed In Version: pcs-0.9.139-5.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-06-21 00:09:48 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)
proposed fix (1.57 KB, patch)
2015-05-26 13:07 UTC, Tomas Jelinek 		no flags Details | Diff
View All

Description Andrew Price 2015-03-30 13:15:24 UTC 
Description of problem:

pcs cluster stop --all (and similar commands) fails due to SSL certificate verification failure.

Version-Release number of selected component (if applicable):

pcs-0.9.139-3.fc23.x86_64
python-2.7.9-5.fc22.x86_64

How reproducible:
100%

Steps to Reproduce:
1. On one node, do pcs cluster stop --all

Actual results:

[root@rawhide1 ~]# pcs cluster stop --all
rawhide2: Unable to connect to rawhide2 ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581))
rawhide3: Unable to connect to rawhide3 ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581))
rawhide1: Unable to connect to rawhide1 ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581))
Error: unable to stop all nodes
rawhide2: Unable to connect to rawhide2 ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581))
rawhide3: Unable to connect to rawhide3 ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581))
rawhide1: Unable to connect to rawhide1 ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581))


Expected results:

Cluster stops on all nodes.

Additional info:

This is caused by a recent tightening of urllib2's SSL cert checking:  https://www.python.org/dev/peps/pep-0476/

The previous cert checking behaviour (which is prone to MITM attacks) could be reinstated using something like

    sslcontext = ssl._create_unverified_context()
    opener = urllib2.build_opener(
        urllib2.HTTPSHandler(context=sslcontext),
        urllib2.HTTPCookieProcessor()
    )

in sendHTTPRequest() in pcs/utils.py.
Comment 1 Tomas Jelinek 2015-05-26 13:07:14 UTC 
Created attachment 1029932 [details]
proposed fix
Comment 2 Fedora Update System 2015-06-08 12:22:03 UTC 
pcs-0.9.139-5.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/pcs-0.9.139-5.fc22
Comment 3 Fedora Update System 2015-06-09 15:02:21 UTC 
Package pcs-0.9.139-5.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing pcs-0.9.139-5.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-9639/pcs-0.9.139-5.fc22
then log in and leave karma (feedback).
Comment 4 Fedora Update System 2015-06-21 00:09:48 UTC 
pcs-0.9.139-5.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.