Bug 1228433 - Tuskarclient does not support --os-cacert
Summary: Tuskarclient does not support --os-cacert
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-tuskarclient
Version: Director
Hardware: Unspecified
OS: Unspecified
Target Milestone: ga
: Director
Assignee: Ben Nemec
QA Contact: Ola Pavlenko
Depends On: 1236057
TreeView+ depends on / blocked
Reported: 2015-06-04 23:14 UTC by Ben Nemec
Modified: 2015-08-05 13:52 UTC (History)
7 users (show)

Fixed In Version: python-tuskarclient-0.1.17-4.el7ost
Doc Type: Bug Fix
Doc Text:
python-tuskarclient had no support to specify a custom CA certificate to verify SSL certificates from the Tuskar API server. Connections failed due the server using an certificate set unknown to the client. This fix adds the --os-cacert option to python-tuskarclient, which allows specification of the CA certificate path. This provides successful communication with the API server.
Clone Of:
Last Closed: 2015-08-05 13:52:48 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2015:1549 normal SHIPPED_LIVE Red Hat Enterprise Linux OpenStack Platform director Release 2015-08-05 17:49:10 UTC

Description Ben Nemec 2015-06-04 23:14:16 UTC
Description of problem: The tuskar client does not support the --os-cacert parameter, which means a self-signed CA cannot be provided when talking to an endpoint secured by a self-signed certificate.

Version-Release number of selected component (if applicable):

How reproducible: Always

Steps to Reproduce:
1. Configure Keystone to use SSL
2. Attempt to use tuskarclient.  It will fail with the ssl error below.

Actual results:

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/tuskarclient/shell.py", line 245, in main
  File "/usr/lib/python2.7/site-packages/tuskarclient/shell.py", line 75, in run
    args.func(tuskar_client, args)
  File "/usr/lib/python2.7/site-packages/tuskarclient/v2/roles_shell.py", line 22, in do_role_list
    roles = tuskar.roles.list()
  File "/usr/lib/python2.7/site-packages/tuskarclient/v2/roles.py", line 47, in list
    return self._list(self._path())
  File "/usr/lib/python2.7/site-packages/tuskarclient/openstack/common/apiclient/base.py", line 131, in _list
    body = self.client.get(url).json()
  File "/usr/lib/python2.7/site-packages/tuskarclient/openstack/common/apiclient/client.py", line 355, in get
    return self.client_request("GET", url, **kwargs)
  File "/usr/lib/python2.7/site-packages/tuskarclient/openstack/common/apiclient/client.py", line 345, in client_request
    self, method, url, **kwargs)
  File "/usr/lib/python2.7/site-packages/tuskarclient/openstack/common/apiclient/client.py", line 244, in client_request
  File "/usr/lib/python2.7/site-packages/tuskarclient/openstack/common/apiclient/client.py", line 315, in authenticate
  File "/usr/lib/python2.7/site-packages/tuskarclient/openstack/common/apiclient/auth.py", line 203, in authenticate
  File "/usr/lib/python2.7/site-packages/tuskarclient/common/auth.py", line 39, in _do_authenticate
    self._ksclient = ksclient.Client(**ks_kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/v2_0/client.py", line 152, in __init__
  File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 318, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 503, in authenticate
    resp = self.get_raw_token_from_identity_service(**kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/v2_0/client.py", line 196, in get_raw_token_from_identity_service
    _("Authorization Failed: %s") % e)
AuthorizationFailure: Authorization Failed: SSL exception connecting to [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Expected results: A successful command call.

Additional info:

Comment 4 Ana Krivokapic 2015-06-18 14:22:43 UTC
Fixed here: https://review.openstack.org/#/c/190251/

Comment 6 Ola Pavlenko 2015-07-06 15:49:10 UTC
Could you please provide a step-by-step instructions on how did you migrate the undercloud to work with keystone in SSL?
Is it just tuskar related or the whole ?


Comment 7 Ben Nemec 2015-07-07 15:03:47 UTC
Not quite all of the patches needed to enable ssl on the undercloud have merged yet.  I'm hoping that will happen soon (today?) though, and I'll get started on the documentation for it.

Comment 11 James Slagle 2015-07-13 15:24:19 UTC
this was actually remerged and included in the 2015-07-10 puddle. the documentation is included as part of the puddle docs: 

Comment 12 Ola Pavlenko 2015-08-04 13:29:10 UTC

Comment 14 errata-xmlrpc 2015-08-05 13:52:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.