Bug 1242675 - When the undercloud is configured with SSL=true any Cli command produce multiple SSL SecurityWarning.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-tripleo
Version: 7.0 (Kilo)
Hardware: x86_64
OS: Linux
high
medium
Target Milestone: ga
: 10.0 (Newton)
Assignee: Juan Antonio Osorio
QA Contact: Rodrigo Duarte
URL:
Whiteboard:
: 1259529 (view as bug list)
Depends On:
Blocks:
Reported: 2015-07-13 23:06 UTC by Omri Hochman
Modified: 2019-08-15 04:52 UTC (History)

Fixed In Version: puppet-tripleo-5.1.0-0.20160928184742.b8f8d0f.el7ost
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-14 15:13:43 UTC
Target Upstream Version:


Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHEA-2016:2948 | normal | SHIPPED_LIVE | Red Hat OpenStack Platform 10 enhancement update | 2016-12-14 19:55:27 UTC
OpenStack gerrit | 238639 | None | ABANDONED | stackrc improvements for SSL undercloud | 2019-11-12 17:11:05 UTC
OpenStack gerrit | 368559 | None | MERGED | Fill DNS name for haproxy certificates | 2019-11-12 17:11:06 UTC

Description Omri Hochman 2015-07-13 23:06:38 UTC
When the undercloud is configured with SSL=true, any CLI produces multiple SSL warnings.

Environment:
-------------
instack-undercloud-2.1.2-19.el7ost.noarch
instack-0.0.7-1.el7ost.noarch
python-rdomanager-oscplugin-0.0.8-32.el7ost.noarch


Description :
--------------
When configuring the undercloud to work with SSL, any CLI command will produce SSL warnings, sometimes multiple warnings.

Steps: 
------
(1) Configure undercloud with SSL
(2) source stackrc
(3) Attempt to execute any CLI command (like: nova list, neutron net-list...)


Results (multiple SSL warnings):
--------
[stack@rhos-compute-node-18 ~]$ openstack baremetal configure boot
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SecurityWarning
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SecurityWarning
[stack@rhos-compute-node-18 ~]$ openstack baremetal introspection bulk start
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SecurityWarning
Setting available n

Comment 4 Mike Burns 2015-08-26 16:38:47 UTC
*** Bug 1255563 has been marked as a duplicate of this bug. ***

Comment 5 Mike Burns 2015-09-02 23:36:08 UTC
*** Bug 1259529 has been marked as a duplicate of this bug. ***

Comment 7 Jon Thomas 2015-09-04 19:25:29 UTC
Other than manual code changes, is there a workaround for this?

Comment 8 Jon Thomas 2015-09-25 15:17:43 UTC
workaround


export PYTHONWARNINGS="ignore:Certificate has no, ignore:A true SSLContext object is not available"

Comment 10 Jeremy 2015-10-21 13:45:31 UTC
Hello,

[stack@osp7dr2 ~]$ cat stackrc
export NOVA_VERSION=1.1
export OS_PASSWORD=$(sudo hiera admin_password)
export OS_AUTH_URL=https://192.168.122.2:13000/v2.0
export OS_CACERT=/etc/pki/instack-certs/undercloud.pem
export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export COMPUTE_API_VERSION=1.1
export OS_NO_CACHE=True
export PYTHONWARNINGS="ignore:Certificate has no, ignore:A true SSLContext object is not available"

After sourcing the file I don't see warnings when executing the "nova" command:

[stack@osp7dr2 ~]$ source stackrc
[stack@osp7dr2 ~]$ nova list
+----+------+--------+------------+-------------+----------+
| ID | Name | Status | Task State | Power State | Networks |
+----+------+--------+------------+-------------+----------+
+----+------+--------+------------+-------------+----------+

But I still see a warning when using the "keystone" command:

[stack@osp7dr2 ~]$ keystone user-list
/usr/lib/python2.7/site-packages/keystoneclient/shell.py:65: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient.
  'python-keystoneclient.', DeprecationWarning)
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
+----------------------------------+------------+---------+--------------------------+
|                id                |    name    | enabled |          email           |
+----------------------------------+------------+---------+--------------------------+
| 1df259ce5388436bbc552f084f1887ac |   admin    |   True  |      root@localhost      |
| 3d2e15d1ec7245619ec69fc545121a45 | ceilometer |   True  | email=nobody@example.com |
| 8b9016da052a4e9cbc6d65f43e132c82 |   glance   |   True  | email=nobody@example.com |
| 8bd69c4718e34c359e3f90df4109e4a9 |    heat    |   True  | email=nobody@example.com |
| 4ae93444e0a7456eb21cb9550da3fbc2 |   ironic   |   True  | email=nobody@example.com |
| c0b92eebe0e0411c847bfefe4642e6dc |  neutron   |   True  | email=nobody@example.com |
| a994c4f90dd44679b71fe061a6ad3ef8 |    nova    |   True  | email=nobody@example.com |
| f5a1240849844d52a7e5004a70cde05a |   swift    |   True  | email=nobody@example.com |
| bbf7430836d84c759a3dc9e1ef672796 |   tuskar   |   True  | email=nobody@example.com |
+----------------------------------+------------+---------+--------------------------+

So, there seems to be a difference when executing "nova" commands compared to "keystone" commands.

Is this a known issue?

Comment 12 Jon Thomas 2015-10-21 15:10:51 UTC
Keystone difference seems to be due to warnings.resetwarnings(), which must drop the state of the -W or PYTHONWARNINGS flags. If you comment out warnings.resetwarnings() as below, the workaround works while still keeping the coded DeprecationWarning.

Also, inserting 

warnings.simplefilter('ignore')

after 

warnings.resetwarnings()

will also drop the warnings.



    def __init__(self, parser_class=argparse.ArgumentParser):

        # Since Python 2.7, DeprecationWarning is ignored by default, enable
        # it so that the deprecation message is displayed.
        warnings.simplefilter('once', category=DeprecationWarning)
        warnings.warn(
            'The keystone CLI is deprecated in favor of '
            'python-openstackclient. For a Python library, continue using '
            'python-keystoneclient.', DeprecationWarning)
        # And back to normal!
        #warnings.resetwarnings()
        self.parser_class = parser_class
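
The behaviour described in comment 12, reproduced as an added example (not part of the original comment and not keystoneclient code): a child interpreter is started with the PYTHONWARNINGS value from the workaround and emits two constructed warnings. `run_child`, `shown` and the mode names are names made up for this illustration.

```python
import os
import subprocess
import sys

# PYTHONWARNINGS value taken from the workaround in comment 8.
FILTERS = ("ignore:Certificate has no, "
           "ignore:A true SSLContext object is not available")

# Constructed child program (not keystoneclient code). It optionally repeats
# what comment 12 describes, then emits two warnings: one whose text starts
# like the urllib3 SecurityWarning in this bug, one the filter does not cover.
CHILD = r'''
import sys, warnings
mode = sys.argv[1]
if mode in ("reset", "reset+ignore"):
    warnings.resetwarnings()          # clears every filter, incl. PYTHONWARNINGS
if mode == "reset+ignore":
    warnings.simplefilter("ignore")   # blanket filter suggested in comment 12
warnings.warn("Certificate has no `subjectAltName`, falling back", UserWarning)
warnings.warn("Constructed warning outside the filter", UserWarning)
'''


def run_child(mode, pythonwarnings=FILTERS):
    """Run CHILD in a fresh interpreter and return what it wrote to stderr."""
    env = dict(os.environ)
    env.pop("PYTHONWARNINGS", None)   # do not inherit the caller's setting
    if pythonwarnings:
        env["PYTHONWARNINGS"] = pythonwarnings
    proc = subprocess.run([sys.executable, "-c", CHILD, mode], env=env,
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          universal_newlines=True)
    return proc.stderr


def shown(stderr):
    """Report which of the two constructed warnings reached the terminal."""
    return {"san": "UserWarning: Certificate has no" in stderr,
            "other": "UserWarning: Constructed warning" in stderr}


if __name__ == "__main__":
    for mode in ("keep", "reset", "reset+ignore"):
        print(mode, shown(run_child(mode)))
```

With the filters intact only the subjectAltName warning is hidden; after `resetwarnings()` both come back, and the blanket `simplefilter('ignore')` hides both, including warnings the operator never chose to silence.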

Comment 14 Jon Thomas 2015-10-23 17:13:22 UTC
created new bz for keystone difference 

https://bugzilla.redhat.com/show_bug.cgi?id=1274858

Comment 17 Francisco Javier Lopez Y Grueber 2015-12-14 11:25:00 UTC
Hey, 

I am facing the same issue. 

Setting the PYTHONWARNING flags did not help much. 

Instead we need to address the error within urllib3 itself. 

The error warnings can be disabled there: 

requests.packages.urllib3.disable_warnings()

Comment 18 Jaromir Coufal 2015-12-16 12:03:20 UTC
Ben, this will be fixed with our ongoing broader SSL work, right?

Comment 19 Ben Nemec 2015-12-17 16:17:34 UTC
Mostly.  The one exception is that the standalone keystone client doesn't play nicely, but since that is officially deprecated anyway I don't think it's worth spending a lot of effort on.

Comment 20 Mike Burns 2016-04-07 20:43:53 UTC
This bug did not make the OSP 8.0 release.  It is being deferred to OSP 10.

Comment 23 Nathan Kinder 2016-09-16 17:09:44 UTC
The fix for this has merged upstream:

https://review.openstack.org/#/c/368559/

Comment 24 Nathan Kinder 2016-09-22 19:11:39 UTC
This will be pulled in with puppet-tripleo 5.1.0.

Comment 28 Rodrigo Duarte 2016-12-04 18:16:59 UTC
verified for puppet-tripleo-5.4.0-3.el7ost.noarch.

[stack@undercloud-0 ~]$ cat stackrc 
export NOVA_VERSION=1.1
export OS_PASSWORD=$(sudo hiera admin_password)
export OS_AUTH_URL=https://192.0.2.2:13000/v2.0
export PYTHONWARNINGS="ignore:Certificate has no, ignore:A true SSLContext object is not available"
export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export COMPUTE_API_VERSION=1.1
export OS_BAREMETAL_API_VERSION=1.15
export OS_NO_CACHE=True
export OS_CLOUDNAME=undercloud
export OS_IMAGE_API_VERSION=1

[stack@undercloud-0 ~]$ source stackrc

[stack@undercloud-0 ~]$ nova list
+----+------+--------+------------+-------------+----------+
| ID | Name | Status | Task State | Power State | Networks |
+----+------+--------+------------+-------------+----------+
+----+------+--------+------------+-------------+----------+

[stack@undercloud-0 ~]$ openstack user list
+----------------------------------+------------------+
| ID                               | Name             |
+----------------------------------+------------------+
| 7b1da79c2017475baf128736d4cac098 | admin            |
| d622821399d342e6a49c1a8db3d28ec3 | neutron          |
| 460982a6ddc94ff498c70d5218e1d5ca | heat             |
| 6522ed4501974944ad0e825f7f343869 | aodh             |
| eefc3b5edbfe4bf0bc3a3c210ee4da6d | nova             |
| 59f1581347004ddb909213d4effbe8b9 | mistral          |
| 4599e80f12304017be04f11da9933ea3 | glance           |
| f332a923539f4663a1ba65e41bb41aec | zaqar-websocket  |
| 9b69d0af29ea47b5afe1b7f4addf42d2 | ironic           |
| ece7cc720b844ff0ab4434347b493d7a | ceilometer       |
| f31f368c8824471fa6e95bb76503a41d | ironic-inspector |
| 6c2ea955034b4c35bb48d58169d10bc2 | zaqar            |
| c8138f92d14d4d8c84c4af46907c5806 | swift            |
+----------------------------------+------------------+

No security warnings were displayed.

Comment 30 errata-xmlrpc 2016-12-14 15:13:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html

