Description of problem: pcs cluster stop --all (and similar commands) fails due to SSL certificate verification failure. Version-Release number of selected component (if applicable): pcs-0.9.139-3.fc23.x86_64 python-2.7.9-5.fc22.x86_64 How reproducible: 100% Steps to Reproduce: 1. On one node, do pcs cluster stop --all Actual results: [root@rawhide1 ~]# pcs cluster stop --all rawhide2: Unable to connect to rawhide2 ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)) rawhide3: Unable to connect to rawhide3 ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)) rawhide1: Unable to connect to rawhide1 ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)) Error: unable to stop all nodes rawhide2: Unable to connect to rawhide2 ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)) rawhide3: Unable to connect to rawhide3 ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)) rawhide1: Unable to connect to rawhide1 ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)) Expected results: Cluster stops on all nodes. Additional info: This is caused by a recent tightening of urllib2's SSL cert checking: https://www.python.org/dev/peps/pep-0476/ The previous cert checking behaviour (which is prone to MITM attacks) could be reinstated using something like sslcontext = ssl._create_unverified_context() opener = urllib2.build_opener( urllib2.HTTPSHandler(context=sslcontext), urllib2.HTTPCookieProcessor() ) in sendHTTPRequest() in pcs/utils.py.
Created attachment 1029932 [details] proposed fix
pcs-0.9.139-5.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/pcs-0.9.139-5.fc22
Package pcs-0.9.139-5.fc22: * should fix your issue, * was pushed to the Fedora 22 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing pcs-0.9.139-5.fc22' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-9639/pcs-0.9.139-5.fc22 then log in and leave karma (feedback).
pcs-0.9.139-5.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.