<div dir="ltr">I am not sure but the warning message as depicted in your previous email's output says something related to SNIMissingWarning.<div><a href="https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning">https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning</a><br></div><div><br></div><div>It looks like you are using urllib3 version 1.13 or later and these things got added since this version. Maybe, try with a lower version or upgrade of packages as listed in that link?</div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><b style="font-size:12.8000001907349px;color:rgb(136,136,136)"><font size="2">Rahul Sharma</font></b><br style="font-size:12.8000001907349px;color:rgb(136,136,136)"><font size="1" style="color:rgb(136,136,136)"><i>MS in Computer Science, 2016</i><br>College of Computer and Information Science, Northeastern University<br>Mobile: 801-706-7860<br>Email: <a href="mailto:rahulsharmaait@gmail.com" target="_blank">rahulsharmaait@gmail.com</a></font><br></div></div></div>
<br><div class="gmail_quote">On Tue, Mar 22, 2016 at 10:56 PM, Jagga Soorma <span dir="ltr"><<a href="mailto:jagga13@gmail.com" target="_blank">jagga13@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Here is what I see:<br><br># python -mrequests.certs<br>/usr/lib/python2.7/site-packages/requests/cacert.pem<br><br>I do see GeoTrust certs in here:<br><br>--<br><font face="monospace, monospace"># grep -i geotrust cacert.pem | head -2<br># Issuer: CN=GeoTrust Global CA O=GeoTrust Inc.<br># Subject: CN=GeoTrust Global CA O=GeoTrust Inc.<br># grep -i geotrust cacert.pem | wc -l<br>21</font><br>--<br><br>Here is the requests.get output:<br><br>--<br><font face="monospace, monospace"><br># python<br>Python 2.7.5 (default, Jun 24 2015, 00:41:19) <br>[GCC 4.8.3 20140911 (Red Hat 4.8.3-9)] on linux2<span class=""><br>Type "help", "copyright", "credits" or "license" for more information.<br>>>> import requests<br>>>> requests.get("<a href="https://xxx.yyy.com:5000" target="_blank">https://xxx.yyy.com:5000</a>")<br></span>/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:315: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. For more information, see <a href="https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning" target="_blank">https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning</a>.<br> SNIMissingWarning<br>/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see <a href="https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning" target="_blank">https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning</a>.<br> InsecurePlatformWarning<br>Traceback (most recent call last):<br> File "<stdin>", line 1, in <module><br> File "/usr/lib/python2.7/site-packages/requests/api.py", line 67, in get<br> return request('get', url, params=params, **kwargs)<br> File "/usr/lib/python2.7/site-packages/requests/api.py", line 53, in request<br> return session.request(method=method, url=url, **kwargs)<br> File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 468, in request<br> resp = self.send(prep, **send_kwargs)<br> File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send<br> r = adapter.send(request, **kwargs)<br> File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 447, in send<br> raise SSLError(e, request=request)<br>requests.exceptions.SSLError: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed<br>>>></font><div>--</div><div><br></div><div>Looks like if the geotrust chain exists then it should not have a problem with our ssl cert. What am I missing here?</div><div><br></div><div>Thanks for your help with this!</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 22, 2016 at 6:14 PM, Rahul Sharma <span dir="ltr"><<a href="mailto:rahulsharmaait@gmail.com" target="_blank">rahulsharmaait@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Python's requests module is unable to verify the cert. To check the default location of trusted root ca used by requests module, run this command:<div><br></div><div>bash# python -mrequests.certs</div><div><br></div><div>It will give you some location in output. Dump the contents of <span style="font-size:12.8px">GeoTrust_</span><span style="font-size:12.8px">CA_Bundle.crt to the end of this file.</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">To test if its working fine, use these steps:-</span></div><div><div>[bash]$ python</div><div>Python 2.7.5</div><div>Type "help", "copyright", "credits" or "license" for more information.<br></div><div>>>> import requests</div><div>>>> requests.get("<a href="https://xxx.yyy.com:5000" target="_blank">https://xxx.yyy.com:5000</a>")</div><div><Response [300]></div><div>>>> </div></div><div><br></div><div>Instead of response 300, if you are still getting error here, it means the cert is not correct or its unable to find the rootCA in the provided location.</div><div class="gmail_extra"><span><font color="#888888"><br clear="all"><div><div><div dir="ltr"><b style="font-size:12.8000001907349px;color:rgb(136,136,136)"><font size="2">Rahul Sharma</font></b><br style="font-size:12.8000001907349px;color:rgb(136,136,136)"><font size="1" style="color:rgb(136,136,136)"><i>MS in Computer Science, 2016</i><br>College of Computer and Information Science, Northeastern University<br>Mobile: <a href="tel:801-706-7860" value="+18017067860" target="_blank">801-706-7860</a><br>Email: <a href="mailto:rahulsharmaait@gmail.com" target="_blank">rahulsharmaait@gmail.com</a></font><br></div></div></div></font></span><div><div>
<br><div class="gmail_quote">On Tue, Mar 22, 2016 at 8:41 PM, Jagga Soorma <span dir="ltr"><<a href="mailto:jagga13@gmail.com" target="_blank">jagga13@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">However my mac os x desktop does that without any issues. I was able<br>
to get around this on my CentOS server by downloading the<br>
GeoTrust_CA_Bundle.crt locally and using "export<br>
OS_CACERT=/var/tmp/GeoTrust_CA_Bundle.crt". However, I don't want to<br>
have all my users to have to do this. Is there a way around this on<br>
CentOS/Ubunut? I thought this would be part of the ssl chain included<br>
on these distributions.<br>
<br>
Thanks<br>
<div><div><br>
On Tue, Mar 22, 2016 at 5:38 PM, CHOW Anthony<br>
<<a href="mailto:anthony.chow@al-enterprise.com" target="_blank">anthony.chow@al-enterprise.com</a>> wrote:<br>
> It seems like your CentOS 7 server is not able to verify the KeyStone server's certificate.<br>
><br>
> [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed<br>
><br>
> Interesting issue.<br>
><br>
> Anthony.<br>
> -----Original Message-----<br>
> From: Jagga Soorma [mailto:<a href="mailto:jagga13@gmail.com" target="_blank">jagga13@gmail.com</a>]<br>
> Sent: Tuesday, March 22, 2016 5:18 PM<br>
> To: openstack<br>
> Subject: [Openstack] SSL cert issue on openstack client<br>
><br>
> Hi Guys,<br>
><br>
> I am new to openstack and currently have a openstack environment that seems to have ssl enabled. From my mac I am able to use the openstack api without any issues and without having to do anything for ssl.<br>
> However, from my CentOS 7.1 server I get the following error message:<br>
><br>
> --<br>
> bash-4.2$ openstack image list<br>
> Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.<br>
> SSL exception connecting to <a href="https://xxx.yyy.com:5000/v3/auth/tokens" rel="noreferrer" target="_blank">https://xxx.yyy.com:5000/v3/auth/tokens</a>:<br>
> [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed<br>
> --<br>
><br>
> I do seem to have the ca certificates installed:<br>
><br>
> --<br>
> $ rpm -qa | grep -i ca-cert<br>
> ca-certificates-2015.2.4-70.0.el7_1.noarch<br>
> --<br>
><br>
> Is there something extra that I need to do in order to get the openstack api working on CentOS?<br>
><br>
> Not having much luck with this. Any help would be appreciated.<br>
><br>
> Thanks!<br>
><br>
> _______________________________________________<br>
> Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
> Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br>
> Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
<br>
_______________________________________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
</div></div></blockquote></div><br></div></div></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div></div>