[Openstack-security] [Bug 1384626] [NEW] SSL certification verification failed when Heat calls Glanceclient using insecure=False

zhu zhu zhuzhubj at cn.ibm.com
Thu Oct 23 09:07:11 UTC 2014


Public bug reported:

Glance server is configured with HTTPS.

Configured Heat with heat.conf 
[clients_glance]
ca_file=<ca file path>
insecure=<false>

When trying to create a stack, Heat raises an exception while loading image data:
[Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The root cause is that ca_file, as shown below, is the wrong argument for
initializing the glance client; it should be cacert, which is the
argument supported by glanceclient.

class GlanceClientPlugin(client_plugin.ClientPlugin):

    exceptions_module = exc

    def _create(self):

        con = self.context
        endpoint_type = self._get_client_option('glance', 'endpoint_type')
        endpoint = self.url_for(service_type='image',
                                endpoint_type=endpoint_type)
        args = {
            'auth_url': con.auth_url,
            'service_type': 'image',
            'project_id': con.tenant,
            'token': self.auth_token,
            'endpoint_type': endpoint_type,
            # wrong key per this report: glanceclient expects 'cacert'
            'ca_file': self._get_client_option('glance', 'ca_file'),
            'cert_file': self._get_client_option('glance', 'cert_file'),
            'key_file': self._get_client_option('glance', 'key_file'),
            'insecure': self._get_client_option('glance', 'insecure')
        }

** Affects: heat
     Importance: Undecided
         Status: New


** Tags: security

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1384626
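
Added example, not part of the original report and not Heat or glanceclient code: it shows how a misnamed TLS keyword is silently dropped by a **kwargs-style client, and how translating and checking option names catches it. StubImageClient, the accepted-keyword set, the endpoint and the CA path are constructed assumptions; only the ca_file/cacert naming comes from the report.

```python
# Hypothetical stand-in for a client that reads TLS options from **kwargs
# and ignores keys it does not know (this is NOT glanceclient itself).
ACCEPTED_TLS_KWARGS = {"cacert", "cert_file", "key_file", "insecure"}  # assumed


class StubImageClient:
    def __init__(self, endpoint, **kwargs):
        self.endpoint = endpoint
        self.insecure = bool(kwargs.get("insecure", False))
        self.cacert = kwargs.get("cacert")  # None -> default trust store

    def trust_source(self):
        """Describe which trust anchors a TLS handshake would use."""
        if self.insecure:
            return "verification disabled"
        return self.cacert or "system default CA store"


# heat.conf [clients_glance] option name -> client keyword name.
OPTION_TO_KWARG = {
    "ca_file": "cacert",  # the one name that differs, per the report
    "cert_file": "cert_file",
    "key_file": "key_file",
    "insecure": "insecure",
}


def build_tls_kwargs(conf):
    """Translate config option names and reject anything the client drops."""
    kwargs = {OPTION_TO_KWARG.get(k, k): v for k, v in conf.items()}
    dropped = sorted(set(kwargs) - ACCEPTED_TLS_KWARGS)
    if dropped:
        raise ValueError("client would ignore TLS options: %s" % dropped)
    return kwargs


# Constructed sample configuration: a private CA and verification enabled.
CONF = {"ca_file": "/etc/heat/private-ca.pem", "insecure": False}
ENDPOINT = "https://glance.example.test:9292"  # constructed endpoint

# Passing config names straight through: the CA bundle never reaches the
# client, so a privately signed server certificate fails verification.
buggy = StubImageClient(ENDPOINT, **CONF)
# Translating names first: the configured CA bundle is actually used.
fixed = StubImageClient(ENDPOINT, **build_tls_kwargs(CONF))

if __name__ == "__main__":
    print("buggy:", buggy.trust_source())
    print("fixed:", fixed.trust_source())
```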
