[Openstack-security] [Bug 1384626] Re: SSL certification verification failed when Heat calls Glanceclient with ca cert

OpenStack Infra 1384626 at bugs.launchpad.net
Tue Oct 28 10:06:13 UTC 2014


Reviewed:  https://review.openstack.org/130668
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=840ceddd873ad23cb9fdf171f2ea6574738ac8d3
Submitter: Jenkins
Branch:    stable/juno

commit 840ceddd873ad23cb9fdf171f2ea6574738ac8d3
Author: ZHU ZHU <zhuzhubj at cn.ibm.com>
Date:   Thu Oct 23 06:45:38 2014 -0500

    Correct CA cert argument for glanceclient
    
    Heat needs to pass the CA cert to glanceclient to load image data
    during stack creation when glance api is configured with SSL.
    Currently the client is passing the wrong cert key to glanceclient.
    The key should be 'cacert' instead of 'ca_file'.
    
    Change-Id: Ie542dda1354776e62507240c917c1cffbc222f17
    Closes-Bug: #1384626
    (cherry picked from commit fa7fd9d9882baf028efe0807840a4a8180cc9b9c)


** Changed in: heat/juno
       Status: New => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1384626

Title:
  SSL certification verification failed when Heat calls Glanceclient
  with ca cert

Status in Orchestration API (Heat):
  Fix Committed
Status in heat juno series:
  Fix Committed

Bug description:
  Glance server is configured with HTTPS.

  Configured Heat with heat.conf 
  [clients_glance]
  ca_file=<ca file path>
  insecure=<false>

  When trying to create a stack, Heat will raise an exception while loading image data.
  [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

  The root cause is that ca_file, as shown below, is the wrong argument
  to initialize the glance client; it should be cacert, which is an
  argument supported by glanceclient.

  class GlanceClientPlugin(client_plugin.ClientPlugin):

      exceptions_module = exc

      def _create(self):

          con = self.context
          endpoint_type = self._get_client_option('glance', 'endpoint_type')
          endpoint = self.url_for(service_type='image',
                                  endpoint_type=endpoint_type)
          args = {
              'auth_url': con.auth_url,
              'service_type': 'image',
              'project_id': con.tenant,
              'token': self.auth_token,
              'endpoint_type': endpoint_type,
              # Wrong key per this report: glanceclient expects 'cacert'
              'ca_file': self._get_client_option('glance', 'ca_file'),
              'cert_file': self._get_client_option('glance', 'cert_file'),
              'key_file': self._get_client_option('glance', 'key_file'),
              'insecure': self._get_client_option('glance', 'insecure')

To manage notifications about this bug go to:
https://bugs.launchpad.net/heat/+bug/1384626/+subscriptions
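
Added example (not part of the original report, and not Heat or glanceclient code): a sketch of why the misnamed key fails without any error at construction time, plus a check that catches it in a unit test. StubImageClient, SUPPORTED_KWARGS, the helper names, the endpoint and the CA path are all hypothetical or constructed; only the ca_file -> cacert renaming comes from the fix above.

```python
# Hypothetical stand-in for a client whose constructor takes **kwargs,
# reads the keys it knows about and silently ignores everything else.
class StubImageClient:
    def __init__(self, endpoint, **kwargs):
        self.endpoint = endpoint
        self.cacert = kwargs.get('cacert')           # None -> default trust store
        self.insecure = kwargs.get('insecure', False)

    def trust_source(self):
        """Describe what the server certificate would be verified against."""
        if self.insecure:
            return 'verification disabled'
        return self.cacert or 'system default CA bundle'


# Assumed keyword set for the stand-in client (not taken from glanceclient).
SUPPORTED_KWARGS = {'auth_url', 'service_type', 'project_id', 'token',
                    'endpoint_type', 'cacert', 'cert_file', 'key_file',
                    'insecure'}

# [clients_glance] option name -> client keyword. Only ca_file differs,
# which is the renaming the commit above makes.
OPTION_TO_KWARG = {'ca_file': 'cacert', 'cert_file': 'cert_file',
                   'key_file': 'key_file', 'insecure': 'insecure'}


def tls_kwargs(options):
    """Translate config option names into the client's keyword names."""
    return {OPTION_TO_KWARG[name]: value for name, value in options.items()}


def unsupported_keys(kwargs, supported=SUPPORTED_KWARGS):
    """Return keys the client would drop; a unit test can assert this is empty."""
    return sorted(set(kwargs) - supported)


# Constructed sample configuration and endpoint.
OPTIONS = {'ca_file': '/etc/heat/example-ca.pem', 'insecure': False}
ENDPOINT = 'https://glance.example:9292'


def demo():
    buggy = StubImageClient(ENDPOINT, **OPTIONS)              # key passed as-is
    fixed = StubImageClient(ENDPOINT, **tls_kwargs(OPTIONS))  # key renamed
    return buggy.trust_source(), fixed.trust_source()


if __name__ == '__main__':
    print(demo())
    print(unsupported_keys(OPTIONS), unsupported_keys(tls_kwargs(OPTIONS)))
```

With the misnamed key the configured CA file never reaches the TLS layer, so a server certificate signed by a private CA fails verification even though insecure is false and a CA path is set.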



