Bug 1251892 - instack-undercloud: "openstack undercloud install" exits with SSL error when using non self-signed certificates
Status: CLOSED NEXTRELEASE
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhosp-director
Sub Component: Director
Priority: high
Severity: unspecified
Target Release: 10.0 (Newton)
Assigned To: Juan Antonio Osorio
QA Contact: Rodrigo Duarte
Reported: 2015-08-10 04:52 EDT by AlbertoG
Modified: 2016-10-11 12:27 EDT
Doc Type: Bug Fix
Last Closed: 2016-09-22 15:04:55 EDT
Type: Bug

Attachments:
install-undercloud log (1.24 MB, text/plain), 2015-08-10 04:52 EDT, AlbertoG

Description AlbertoG 2015-08-10 04:52:34 EDT
Created attachment 1060968 [details]
install-undercloud log

Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Create a self-signed CA
2. Add the CA to the trust store
3. Create a service certificate signed by the CA
4. Copy the cert pem file to "/etc/pki/instack-certs"
5. Configure the parameter "undercloud_service_certificate" in undercloud.conf pointing to the cert pem file
6. Run "openstack undercloud install"

Actual results:
the installation fails with the following error: "ERROR: openstack SSL exception connecting to https://10.10.10.3:13000/v2.0/tokens: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"

Expected results:
successful installation 

Additional info:
The issue doesn't happen when using self-signed certificates.
Comment 3 AlbertoG 2015-08-10 05:02:52 EDT
During the installation, the file "/root/stackrc" is created with the OS_CACERT variable, which points to the service certificate provided in undercloud.conf. This makes the SSL libraries of the OpenStack clients validate the service certificate against itself, which ends in a validation failure (as the certificate is signed by a CA).

The contents of the stackrc file:

[stack@ospd ~]$ sudo cat /root/stackrc
export NOVA_VERSION=1.1
export OS_PASSWORD=$(sudo hiera admin_password)
export OS_AUTH_URL=https://10.10.10.3:13000/v2.0
export OS_CACERT=/etc/pki/instack-certs/undercloud_chain.pem
export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export COMPUTE_API_VERSION=1.1
export OS_NO_CACHE=True

As an example, sourcing that file and issuing a "keystone endpoint-list" ends in a SSL certificate validation error:

[stack@ospd ~]$ keystone endpoint-list
/usr/lib/python2.7/site-packages/keystoneclient/shell.py:65: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient.
  'python-keystoneclient.', DeprecationWarning)
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
Authorization Failed: SSL exception connecting to https://10.10.10.3:13000/v2.0/tokens: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

And, after removing the OS_CACERT variable it works perfectly:

[stack@ospd ~]$ unset  OS_CACERT
[stack@ospd ~]$ keystone endpoint-list
/usr/lib/python2.7/site-packages/keystoneclient/shell.py:65: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient.
  'python-keystoneclient.', DeprecationWarning)
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SecurityWarning
+----------------------------------+-----------+-------------------------------+-----------------------------+------------------------------+----------------------------------+
|                id                |   region  |           publicurl           |         internalurl         |           adminurl           |            service_id            |
+----------------------------------+-----------+-------------------------------+-----------------------------+------------------------------+----------------------------------+
| ff37770b0ca940bb8f43ff10cf7b23b6 | regionOne | https://10.10.10.3:13000/v2.0 | http://10.10.10.1:5000/v2.0 | http://10.10.10.1:35357/v2.0 | f3ad044115d84bc9b1d844284c65ce1d |
+----------------------------------+-----------+-------------------------------+-----------------------------+------------------------------+----------------------------------+
[stack@ospd ~]$
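As an added example that is not part of the bug report, this shell script reproduces the mistake comment 3 describes using openssl alone: a CA-signed service certificate fails verification when it is used as its own trust anchor and passes against the issuing CA, and a small check flags a stackrc whose OS_CACERT points at a leaf certificate instead of a CA. All file names, the CA subject and the 10.10.10.3 endpoint name are constructed for the demo.

```shell
# Added example, not from the bug report: reproduce the OS_CACERT mistake from
# comment 3 with openssl alone. A CA-signed service certificate does not verify
# against itself; it verifies against the CA that issued it. File and subject
# names are constructed for this demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf;
# -subj overrides the dn section, v3_ca marks the root as a CA.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = overridden-by-subj
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Reproduction step 1: a self-signed CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" \
  -extensions v3_ca -subj "/CN=Demo Undercloud CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Reproduction step 3: a service certificate for the endpoint, signed by that CA.
openssl req -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "/CN=10.10.10.3" \
  -keyout "$WORK/service.key" -out "$WORK/service.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/service.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/service.pem" 2>/dev/null

# Verify service.pem with the given file as the only trust anchor (0 = OK).
verify_against() { openssl verify -CAfile "$1" "$WORK/service.pem" >/dev/null 2>&1; }
# What the generated stackrc did, OS_CACERT=<service cert>: verify fails.
verify_against_self() { verify_against "$WORK/service.pem"; }
# What it should point at, the issuing CA: verify succeeds.
verify_against_ca() { verify_against "$WORK/ca.pem"; }

# Check for a stackrc: is the OS_CACERT file self-issued (issuer == subject,
# a plausible trust anchor) rather than a leaf certificate as in comment 3?
cacert_is_trust_anchor() {
  f=$(sed -n 's/^export OS_CACERT=//p' "$1")
  [ "$(openssl x509 -noout -subject -nameopt RFC2253 -in "$f" | cut -d= -f2-)" = \
    "$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$f" | cut -d= -f2-)" ]
}

# Constructed stackrc fragments: the bad one from comment 3 and the corrected one.
printf 'export OS_CACERT=%s\n' "$WORK/service.pem" > "$WORK/stackrc.bad"
printf 'export OS_CACERT=%s\n' "$WORK/ca.pem" > "$WORK/stackrc.good"
```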
Comment 6 Mike Burns 2016-04-07 16:47:27 EDT
This bug did not make the OSP 8.0 release.  It is being deferred to OSP 10.
Comment 9 Ben Nemec 2016-09-02 15:34:53 EDT
Note that we're no longer using OS_CACERT in OSP 8+, so this is probably fixed.  I don't have a good way to test it though.
Comment 10 Marius Cornea 2016-09-13 15:59:28 EDT
I tested this on an OSP10 deployment and the undercloud installation completed ok. Here is the resulting stackrc file:

[stack@undercloud-0 ~]$ cat stackrc 
export NOVA_VERSION=1.1
export OS_PASSWORD=$(sudo hiera admin_password)
export OS_AUTH_URL=https://192.168.0.2:13000/v2.0
export PYTHONWARNINGS="ignore:Certificate has no, ignore:A true SSLContext object is not available"
export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export COMPUTE_API_VERSION=1.1
export OS_BAREMETAL_API_VERSION=1.15
export OS_NO_CACHE=True
export OS_CLOUDNAME=undercloud
export OS_IMAGE_API_VERSION=1
Comment 11 Juan Antonio Osorio 2016-09-14 00:45:40 EDT
Marius, thanks for checking it out.

But yeah, as Marius confirmed, it seems to me that this issue has been addressed already then.
Comment 12 Nathan Kinder 2016-09-22 15:04:55 EDT
Closing this out as NEXTRELEASE since this has been confirmed to no longer be a problem in Newton/OSP10.
Comment 13 Juan Antonio Osorio 2016-09-23 01:13:28 EDT
Nathan, why NEXTRELEASE if the fix merged upstream and will be included in OSP10? That's what Marius confirmed; he tested out the patch fixing this.
