Bug 1228433 - Tuskarclient does not support --os-cacert
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-tuskarclient
Director
Unspecified Unspecified
high Severity high
: ga
: Director
Assigned To: Ben Nemec
Ola Pavlenko
: Triaged
Depends On: 1236057
Blocks:
Reported: 2015-06-04 19:14 EDT by Ben Nemec
Modified: 2015-08-05 09:52 EDT

See Also:
Fixed In Version: python-tuskarclient-0.1.17-4.el7ost
Doc Type: Bug Fix
Doc Text:
python-tuskarclient had no support for specifying a custom CA certificate to verify SSL certificates from the Tuskar API server. Connections failed due to the server using a certificate set unknown to the client. This fix adds the --os-cacert option to python-tuskarclient, which allows specification of the CA certificate path. This provides successful communication with the API server.
Last Closed: 2015-08-05 09:52:48 EDT
Type: Bug
External Trackers
Tracker: Red Hat Product Errata
ID: RHEA-2015:1549
Priority: normal
Status: SHIPPED_LIVE
Summary: Red Hat Enterprise Linux OpenStack Platform director Release
Last Updated: 2015-08-05 13:49:10 EDT

Description Ben Nemec 2015-06-04 19:14:16 EDT
Description of problem: The tuskar client does not support the --os-cacert parameter, which means a self-signed CA cannot be provided when talking to an endpoint secured by a self-signed certificate.


Version-Release number of selected component (if applicable):


How reproducible: Always


Steps to Reproduce:
1. Configure Keystone to use SSL
2. Attempt to use tuskarclient.  It will fail with the ssl error below.
3.

Actual results:

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/tuskarclient/shell.py", line 245, in main
    TuskarShell(sys.argv[1:]).run()
  File "/usr/lib/python2.7/site-packages/tuskarclient/shell.py", line 75, in run
    args.func(tuskar_client, args)
  File "/usr/lib/python2.7/site-packages/tuskarclient/v2/roles_shell.py", line 22, in do_role_list
    roles = tuskar.roles.list()
  File "/usr/lib/python2.7/site-packages/tuskarclient/v2/roles.py", line 47, in list
    return self._list(self._path())
  File "/usr/lib/python2.7/site-packages/tuskarclient/openstack/common/apiclient/base.py", line 131, in _list
    body = self.client.get(url).json()
  File "/usr/lib/python2.7/site-packages/tuskarclient/openstack/common/apiclient/client.py", line 355, in get
    return self.client_request("GET", url, **kwargs)
  File "/usr/lib/python2.7/site-packages/tuskarclient/openstack/common/apiclient/client.py", line 345, in client_request
    self, method, url, **kwargs)
  File "/usr/lib/python2.7/site-packages/tuskarclient/openstack/common/apiclient/client.py", line 244, in client_request
    self.authenticate()
  File "/usr/lib/python2.7/site-packages/tuskarclient/openstack/common/apiclient/client.py", line 315, in authenticate
    self.auth_plugin.authenticate(self)
  File "/usr/lib/python2.7/site-packages/tuskarclient/openstack/common/apiclient/auth.py", line 203, in authenticate
    self._do_authenticate(http_client)
  File "/usr/lib/python2.7/site-packages/tuskarclient/common/auth.py", line 39, in _do_authenticate
    self._ksclient = ksclient.Client(**ks_kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/v2_0/client.py", line 152, in __init__
    self.authenticate()
  File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 318, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 503, in authenticate
    resp = self.get_raw_token_from_identity_service(**kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/v2_0/client.py", line 196, in get_raw_token_from_identity_service
    _("Authorization Failed: %s") % e)
AuthorizationFailure: Authorization Failed: SSL exception connecting to https://192.0.2.2:13000/v2.0/tokens: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


Expected results: A successful command call.


Additional info:
Comment 4 Ana Krivokapic 2015-06-18 10:22:43 EDT
Fixed here: https://review.openstack.org/#/c/190251/
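
An added example (not the tuskarclient patch linked above, and not code from the original report) of how a CLI option such as --os-cacert is commonly wired to TLS verification so that a private CA can be trusted without turning verification off. The OS_CACERT environment default, the --insecure flag and all function names are assumptions made for illustration.

```python
import argparse
import os
import ssl


def build_parser(env=None):
    """CLI options in the style of OpenStack clients (names are assumptions)."""
    env = os.environ if env is None else env
    p = argparse.ArgumentParser(prog="example-client")
    p.add_argument("--os-cacert", metavar="<ca-certificate>",
                   default=env.get("OS_CACERT"),
                   help="CA bundle used to verify the server certificate")
    p.add_argument("--insecure", action="store_true",
                   help="Disable certificate verification (testing only)")
    return p


def resolve_verify(args):
    """Map the parsed options to a requests-style ``verify`` value.

    True  -> verify against the system trust store
    str   -> verify against the CA bundle at this path
    False -> verification disabled (explicit opt-in only)
    """
    if args.insecure:
        return False
    if args.os_cacert:
        path = os.path.abspath(args.os_cacert)
        # Fail closed: a mistyped path must not silently fall back to a
        # different trust store or to no verification at all.
        if not os.path.isfile(path):
            raise SystemExit("CA certificate not found: %s" % path)
        return path
    return True


def make_context(verify):
    """Build an ssl.SSLContext that matches the resolved setting."""
    if verify is False:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if verify is True:
        return ssl.create_default_context()
    # Custom CA: the chain is still verified and hostname checking stays on.
    return ssl.create_default_context(cafile=verify)
```

Without an option like this, a client talking to an endpoint signed by a private CA can only fail with "certificate verify failed", as in the traceback above, or be run with verification disabled.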
Comment 6 Ola Pavlenko 2015-07-06 11:49:10 EDT
Could you please provide step-by-step instructions on how you migrated the undercloud to work with keystone in SSL?
Is it just tuskar related or the whole ?

Thanks
Comment 7 Ben Nemec 2015-07-07 11:03:47 EDT
Not quite all of the patches needed to enable ssl on the undercloud have merged yet.  I'm hoping that will happen soon (today?) though, and I'll get started on the documentation for it.
Comment 11 James Slagle 2015-07-13 11:24:19 EDT
This was actually remerged and included in the 2015-07-10 puddle. The documentation is included as part of the puddle docs:
http://rhos-release.virt.bos.redhat.com/mburns/2015-07-10.1/internal-html/installation/installing.html
Comment 12 Ola Pavlenko 2015-08-04 09:29:10 EDT
python-tuskarclient-0.1.18-3.el7ost.noarch
Comment 14 errata-xmlrpc 2015-08-05 09:52:48 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1549
