<div>This may have landed relatively recently, but:</div><div><br></div>$ keystone help<div>[...]</div><div>Optional arguments:<br></div><div> [...]<br></div><div><div> --insecure Explicitly allow keystoneclient to perform "insecure"</div>
<div> SSL (https) requests. The server's certificate will</div><div> not be verified against any certificate authorities.</div><div> This option should be used with caution.</div>
</div><div class="gmail_extra"><br clear="all"><div><br></div>-Dolph<br>
<br><br><div class="gmail_quote">On Tue, Nov 27, 2012 at 10:14 AM, Brian Waldon <span dir="ltr"><<a href="mailto:bcwaldon@gmail.com" target="_blank">bcwaldon@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im"><br>
On Nov 27, 2012, at 9:59 AM, Jay Pipes wrote:<br>
<br>
> jp833r@c2r1:~$ keystone endpoint-list<br>
> No handlers could be found for logger "keystoneclient.client"<br>
> Authorization Failed: Unable to communicate with identity service:<br>
> [Errno 1] _ssl.c:504: error:14090086:SSL<br>
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed. (HTTP 400)<br>
> jp833r@c2r1:~$ keystone --insecure endpoint-list<br>
> usage: keystone [--os_username <auth-user-name>]<br>
> <snip><br>
> <subcommand> ...<br>
> keystone: error: unrecognized arguments: --insecure<br>
><br>
> Whereas nova has the --insecure option, but doesn't have such a nice<br>
> error message indicating that certificate verify failed :)<br>
><br>
> jp833r@c2r1:~$ nova list<br>
> ERROR: n/a (HTTP 400)<br>
> jp833r@c2r1:~$ nova --insecure list<br>
> +----+------+--------+----------+<br>
> | ID | Name | Status | Networks |<br>
> +----+------+--------+----------+<br>
> +----+------+--------+----------+<br>
><br>
> Thoughts? I think it would be great to get:<br>
><br>
> 1) Some consistency between the two tools regarding how they indicate<br>
> that cert verification failed<br>
<br>
</div>Yes, Dean Troyer has spent a lot of time and effort triaging the state of SSL support across the clients. I think he could offer some insight as to his plans there.<br>
<div class="im"><br>
> 2) An --insecure option consistent in all clients for use in<br>
> test/non-prod environments that have self-signed certs<br>
<br>
</div>Yes, definitely agree. We need to standardize on several SSL-related options like --insecure.<br>
<div class="im"><br>
> 3) The ability for all CLI tools to support a --version option (or<br>
> version command)<br>
<br>
</div>Yep, just added this to python-glanceclient (borrowed from python-novaclient). To be clear, this should represent the client library version, not the REST API version that the client is yelling at.</blockquote><div>
+1 </div></div><br></div>