[Openstack] SSL cert issue on openstack client
Rob Crittenden
rcritten at redhat.com
Wed Mar 23 15:05:08 UTC 2016
Erik McCormick wrote:
> You may want to try updating the system CA certs. Download both the
> root and current intermediate certificate from Geotrust and copy them
> to /etc/pki/ca-trust/source/anchors/ and run update-ca-trust. I had
> some issues with newer GoDaddy certificates and this fixed me up.
> You'd need to do this on any node accessing the APIs.
The output from python -mrequests.certs shows that it isn't using the
system CA store but one provided by python-requests. I wonder where
python-requests came from. Is it the one provided by CentOS or (more
likely) by pip?
rob
>
> -Erik
>
> On Wed, Mar 23, 2016 at 7:20 AM, Dean Troyer <dtroyer at gmail.com> wrote:
>> On Tue, Mar 22, 2016 at 7:41 PM, Jagga Soorma <jagga13 at gmail.com> wrote:
>>>
>>> However my mac os x desktop does that without any issues. I was able
>>> to get around this on my CentOS server by downloading the
>>> GeoTrust_CA_Bundle.crt locally and using "export
>>> OS_CACERT=/var/tmp/GeoTrust_CA_Bundle.crt". However, I don't want to
>>> have all my users to have to do this. Is there a way around this on
>>> CentOS/Ubunut? I thought this would be part of the ssl chain included
>>> on these distributions.
>>
>>
>> There are a couple of possibilities to explain the different behaviour, but
>> some additional information is required to pinpoint the issue. How was OSC
>> installed on the CentOS systems? (I presume that it was installed via pip
>> on OS/X.)
>>
>> Some (if not all) packagers unbundle the urllib3 module that is included in
>> the requests PyPI package. requests also includes its own CA bundle and
>> this is also changed to use the system CA bundle/certs by some packagers.
>>
>> dt
>>
>> --
>>
>> Dean Troyer
>> dtroyer at gmail.com
>>
>> _______________________________________________
>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> Post to : openstack at lists.openstack.org
>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
More information about the Openstack
mailing list