When the undercloud is configured with SSL=true any Cli produce multiple SSl warnings. Environment: ------------- instack-undercloud-2.1.2-19.el7ost.noarch instack-0.0.7-1.el7ost.noarch python-rdomanager-oscplugin-0.0.8-32.el7ost.noarch Description : -------------- When Configuring the undercloud to work with SSL - any Cli commmand will produce SSL warnings - sometimes multiple warnings. Steps: ------ (1)Configure undercloud with SSL (2)source stackrc (3)attepmt to excute any CLI command (like: nova list , neutron net-list..) Results (multiple SSl warnings) : -------- [stack@rhos-compute-node-18 ~]$ openstack baremetal configure boot /usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning. InsecurePlatformWarning /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.) SecurityWarning /usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning. InsecurePlatformWarning /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.) SecurityWarning [stack@rhos-compute-node-18 ~]$ openstack baremetal introspection bulk start /usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning. InsecurePlatformWarning /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.) SecurityWarning Setting available n
*** Bug 1255563 has been marked as a duplicate of this bug. ***
*** Bug 1259529 has been marked as a duplicate of this bug. ***
Other than manual code changes, is there a workaround for this?
workaround export PYTHONWARNINGS="ignore:Certificate has no, ignore:A true SSLContext object is not available"
Hello, [stack@osp7dr2 ~]$ cat stackrc export NOVA_VERSION=1.1 export OS_PASSWORD=$(sudo hiera admin_password) export OS_AUTH_URL=https://192.168.122.2:13000/v2.0 export OS_CACERT=/etc/pki/instack-certs/undercloud.pem export OS_USERNAME=admin export OS_TENANT_NAME=admin export COMPUTE_API_VERSION=1.1 export OS_NO_CACHE=True export PYTHONWARNINGS="ignore:Certificate has no, ignore:A true SSLContext object is not available" After sourcing the file I don't see warnings when executing "nova" command: [stack@osp7dr2 ~]$ source stackrc [stack@osp7dr2 ~]$ nova list +----+------+--------+------------+-------------+----------+ | ID | Name | Status | Task State | Power State | Networks | +----+------+--------+------------+-------------+----------+ +----+------+--------+------------+-------------+----------+ But I see still a warning when using "keystone" command: [stack@osp7dr2 ~]$ keystone user-list /usr/lib/python2.7/site-packages/keystoneclient/shell.py:65: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient. 'python-keystoneclient.', DeprecationWarning) /usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning. InsecurePlatformWarning +----------------------------------+------------+---------+--------------------------+ | id | name | enabled | email | +----------------------------------+------------+---------+--------------------------+ | 1df259ce5388436bbc552f084f1887ac | admin | True | root@localhost | | 3d2e15d1ec7245619ec69fc545121a45 | ceilometer | True | email=nobody | | 8b9016da052a4e9cbc6d65f43e132c82 | glance | True | email=nobody | | 8bd69c4718e34c359e3f90df4109e4a9 | heat | True | email=nobody | | 4ae93444e0a7456eb21cb9550da3fbc2 | ironic | True | email=nobody | | c0b92eebe0e0411c847bfefe4642e6dc | neutron | True | email=nobody | | a994c4f90dd44679b71fe061a6ad3ef8 | nova | True | email=nobody | | f5a1240849844d52a7e5004a70cde05a | swift | True | email=nobody | | bbf7430836d84c759a3dc9e1ef672796 | tuskar | True | email=nobody | +----------------------------------+------------+---------+--------------------------+ So, there seems to be a different when executing "nova" commands compared to "keystone" commands. Is this a known issue?
Keystone difference seems to be due to warnings.resetwarnings() which must drop the state of the -W or PYTHONWARNINGS flags. If you comment out warnings.resetwarnings() as below, the work around works with still having the coded Deprecation Warning. Also, inserting warnings.simplefilter('ignore') after warnings.resetwarnings() will also drop the warnings. def __init__(self, parser_class=argparse.ArgumentParser): # Since Python 2.7, DeprecationWarning is ignored by default, enable # it so that the deprecation message is displayed. warnings.simplefilter('once', category=DeprecationWarning) warnings.warn( 'The keystone CLI is deprecated in favor of ' 'python-openstackclient. For a Python library, continue using ' 'python-keystoneclient.', DeprecationWarning) # And back to normal! #warnings.resetwarnings() self.parser_class = parser_class
created new bz for keystone difference https://bugzilla.redhat.com/show_bug.cgi?id=1274858
Hey, I am facing the same issue. Setting the PYTHONWARNING flags did not help much. Instead we need to address the error within urllib3 itself. The error warnings can be disabled there: requests.packages.urllib3.disable_warnings()
Ben, this will be fixed with our ongoing broader SSL work, right?
Mostly. The one exception is that the standalone keystone client doesn't play nicely, but since that is officially deprecated anyway I don't think it's worth spending a lot of effort on.
This bug did not make the OSP 8.0 release. It is being deferred to OSP 10.
The fix for this has merged upstream: https://review.openstack.org/#/c/368559/
This will be pulled in with puppet-tripleo 5.1.0.
verified for puppet-tripleo-5.4.0-3.el7ost.noarch. [stack@undercloud-0 ~]$ cat stackrc export NOVA_VERSION=1.1 export OS_PASSWORD=$(sudo hiera admin_password) export OS_AUTH_URL=https://192.0.2.2:13000/v2.0 export PYTHONWARNINGS="ignore:Certificate has no, ignore:A true SSLContext object is not available" export OS_USERNAME=admin export OS_TENANT_NAME=admin export COMPUTE_API_VERSION=1.1 export OS_BAREMETAL_API_VERSION=1.15 export OS_NO_CACHE=True export OS_CLOUDNAME=undercloud export OS_IMAGE_API_VERSION=1 [stack@undercloud-0 ~]$ source stackrc [stack@undercloud-0 ~]$ nova list +----+------+--------+------------+-------------+----------+ | ID | Name | Status | Task State | Power State | Networks | +----+------+--------+------------+-------------+----------+ +----+------+--------+------------+-------------+----------+ [stack@undercloud-0 ~]$ openstack user list +----------------------------------+------------------+ | ID | Name | +----------------------------------+------------------+ | 7b1da79c2017475baf128736d4cac098 | admin | | d622821399d342e6a49c1a8db3d28ec3 | neutron | | 460982a6ddc94ff498c70d5218e1d5ca | heat | | 6522ed4501974944ad0e825f7f343869 | aodh | | eefc3b5edbfe4bf0bc3a3c210ee4da6d | nova | | 59f1581347004ddb909213d4effbe8b9 | mistral | | 4599e80f12304017be04f11da9933ea3 | glance | | f332a923539f4663a1ba65e41bb41aec | zaqar-websocket | | 9b69d0af29ea47b5afe1b7f4addf42d2 | ironic | | ece7cc720b844ff0ab4434347b493d7a | ceilometer | | f31f368c8824471fa6e95bb76503a41d | ironic-inspector | | 6c2ea955034b4c35bb48d58169d10bc2 | zaqar | | c8138f92d14d4d8c84c4af46907c5806 | swift | +----------------------------------+------------------+ No security warnings were displayed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-2948.html