Bug 1469568 - python-glanceclient: The environment variable OS_CACERT isn't recognized by glance command.
python-glanceclient: The environment variable OS_CACERT isn't recognized by g...
Status: CLOSED WORKSFORME
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-glanceclient (Show other bugs)
12.0 (Pike)
Unspecified Unspecified
medium Severity medium
: rc
: 12.0 (Pike)
Assigned To: Pranali Deore
Mike Abrams
: Triaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-11 09:57 EDT by Alexander Chuzhoy
Modified: 2017-10-11 11:10 EDT (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-10-11 11:10:26 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Alexander Chuzhoy 2017-07-11 09:57:42 EDT
python-glanceclient: The environment variable OS_CACERT isn't recognized by glance command.


environment:
python-glanceclient-2.7.0-0.20170622095732.d67b33b.el7ost.noarch                                                                                                                   
openstack-glance-15.0.0-0.20170623215940.8188eca.el7ost.noarch                                                                                                                     
puppet-glance-11.2.0-0.20170626050749.da18fdb.el7ost.noarch                                                                                                                        
python-glance-store-0.20.1-0.20170621230105.a84fbc9.el7ost.noarch                                                                                                                 
python-glance-15.0.0-0.20170623215940.8188eca.el7ost.noarch      
instack-undercloud-7.1.1-0.20170623182135.el7ost.noarch

Steps to reproduce:
1. Deploy overcloud with SSL.
2. Try to run "glance  image-list" against overcloud.

Result:
(overcloud) [stack@undercloud-0 glanceclient]$ glance image-list
SSL exception connecting to https://192.168.24.8:13000/v2.0/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)



workaround:
Run with --os-cacert <filename> , for example:

 glance --os-cacert /home/stack/cacert.pem image-list


to fix:
Need to add line:
parser.set_defaults(os_cacert=utils.env('OS_CACERT'))

In the top of _append_global_identity_args function in 
/usr/lib/python2.7/site-packages/glanceclient/shell.py file
Comment 2 Cyril Roelandt 2017-09-14 11:20:57 EDT
You're probably right:

$ git grep OS_CACERT glanceclient/
$

Pranali, can you take a look at this? The proposed fix seems good to me.
Comment 4 Alexander Chuzhoy 2017-10-10 17:59:10 EDT
Don't reproduce the issue. Feel free to close with worksforme.
Will re-open if reproduces.


(overcloud) [stack@undercloud-0 ~]$ grep https overcloudrc
export OS_AUTH_URL=https://10.0.0.101:13000/v2.0
(overcloud) [stack@undercloud-0 ~]$ source overcloudrc
(overcloud) [stack@undercloud-0 ~]$ glance image-list
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:303: SubjectAltNameWarning: Certificate for 10.0.0.101 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:303: SubjectAltNameWarning: Certificate for 10.0.0.101 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning
+--------------------------------------+--------+
| ID                                   | Name   |
+--------------------------------------+--------+
| ae4f33b0-15ef-45f7-a42b-43c7beb51791 | cirros |
+--------------------------------------+--------+
Comment 5 Paul Grist 2017-10-11 11:10:26 EDT
Thanks for confirming, much appreciated.

Note You need to log in before you can comment on or make changes to this bug.