Description of problem: The tuskar client does not support the --os-cacert parameter, which means a self-signed CA cannot be provided when talking to an endpoint secured by a self-signed certificate.
Version-Release number of selected component (if applicable):
How reproducible: Always
Steps to Reproduce:
1. Configure Keystone to use SSL
2. Attempt to use tuskarclient. It will fail with the ssl error below.
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/tuskarclient/shell.py", line 245, in main
  File "/usr/lib/python2.7/site-packages/tuskarclient/shell.py", line 75, in run
  File "/usr/lib/python2.7/site-packages/tuskarclient/v2/roles_shell.py", line 22, in do_role_list
    roles = tuskar.roles.list()
  File "/usr/lib/python2.7/site-packages/tuskarclient/v2/roles.py", line 47, in list
  File "/usr/lib/python2.7/site-packages/tuskarclient/openstack/common/apiclient/base.py", line 131, in _list
    body = self.client.get(url).json()
  File "/usr/lib/python2.7/site-packages/tuskarclient/openstack/common/apiclient/client.py", line 355, in get
    return self.client_request("GET", url, **kwargs)
  File "/usr/lib/python2.7/site-packages/tuskarclient/openstack/common/apiclient/client.py", line 345, in client_request
    self, method, url, **kwargs)
  File "/usr/lib/python2.7/site-packages/tuskarclient/openstack/common/apiclient/client.py", line 244, in client_request
  File "/usr/lib/python2.7/site-packages/tuskarclient/openstack/common/apiclient/client.py", line 315, in authenticate
  File "/usr/lib/python2.7/site-packages/tuskarclient/openstack/common/apiclient/auth.py", line 203, in authenticate
  File "/usr/lib/python2.7/site-packages/tuskarclient/common/auth.py", line 39, in _do_authenticate
    self._ksclient = ksclient.Client(**ks_kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/v2_0/client.py", line 152, in __init__
  File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 318, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 503, in authenticate
    resp = self.get_raw_token_from_identity_service(**kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/v2_0/client.py", line 196, in get_raw_token_from_identity_service
    _("Authorization Failed: %s") % e)
AuthorizationFailure: Authorization Failed: SSL exception connecting to https://192.0.2.2:13000/v2.0/tokens: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Expected results: A successful command call.
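An added sketch (not tuskarclient's code and not the linked fix) of how a CLI can carry `--os-cacert` through to the keyword arguments passed to the Keystone client, so a private CA is trusted without turning verification off. The names `build_parser`, `tls_kwargs` and `requests_verify` are hypothetical; the `cacert`/`insecure` keyword pair and the `OS_CACERT` variable are assumed to follow the convention of other OpenStack clients.

```python
import argparse
import os

PEM_MARKER = "-----BEGIN CERTIFICATE-----"


def build_parser():
    """CLI parser exposing the TLS options; defaults come from the environment."""
    parser = argparse.ArgumentParser(prog="example-client")  # hypothetical CLI
    parser.add_argument("--os-cacert", metavar="<ca-certificate>",
                        default=os.environ.get("OS_CACERT"),
                        help="CA bundle used to verify the server certificate")
    parser.add_argument("--insecure", action="store_true",
                        help="skip server certificate verification")
    return parser


def tls_kwargs(args):
    """Turn parsed options into the cacert/insecure pair handed to the auth client."""
    if args.insecure and args.os_cacert:
        raise ValueError("--insecure and --os-cacert are mutually exclusive")
    if args.insecure:
        return {"cacert": None, "insecure": True}
    if not args.os_cacert:
        # No private CA given: verify against the system trust store.
        return {"cacert": None, "insecure": False}
    path = os.path.abspath(args.os_cacert)
    try:
        with open(path) as handle:
            has_cert = PEM_MARKER in handle.read()
    except (IOError, OSError) as exc:
        # Fail closed: an unreadable bundle must not fall back to "no verification".
        raise ValueError("cannot read CA bundle %s: %s" % (path, exc))
    if not has_cert:
        raise ValueError("no PEM certificate found in %s" % path)
    return {"cacert": path, "insecure": False}


def requests_verify(kwargs):
    """Map the same pair onto the `verify` argument of a requests call."""
    if kwargs["insecure"]:
        return False
    return kwargs["cacert"] or True
```

The returned dictionary is meant to be merged into the arguments of a call such as the `ksclient.Client(**ks_kwargs)` seen in the traceback.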
Fixed here: https://review.openstack.org/#/c/190251/
Could you please provide step-by-step instructions on how you migrated the undercloud to work with keystone in SSL?
Is it just tuskar related or the whole?
Not quite all of the patches needed to enable ssl on the undercloud have merged yet. I'm hoping that will happen soon (today?) though, and I'll get started on the documentation for it.
This was actually remerged and included in the 2015-07-10 puddle. The documentation is included as part of the puddle docs:
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.