[openstack-dev] [All] Use of self signed certs in endpoints

Xav Paice xavpaice at gmail.com
Sat Nov 14 08:09:45 UTC 2015


Hi,

I'm sure I'm not the only one that likes to use SSL everywhere possible,
and doesn't like to pay for 'real' ssl certs for dev environments.
Figuring out how to get requests to allow connection to the self signed
cert would have paid for a real cert many times over.

When I use an SSL cert with a CA not in the Mozilla bundle, and use
keystonemiddleware to access Keystone endpoints, the ssl verification
rightly fails.  It turns out requests doesn't use the system ca cert
bundle, but has its own.  It's also got a nice easy config option to set
which ca cert bundle you want to use -
http://docs.python-requests.org/en/latest/user/advanced/?highlight=ca_bundle#ssl-cert-verification

How do people feel about having that as a config option set somewhere, so
we can specify a ca cert in, say, heat.conf, so that we can continue with
the self signed certs of cheapness without needing to hack up the
cacert.pem that comes with requests, or find a way to pass in environment
variables?

Am I barking up the wrong tree here?  How would I go about writing a
blueprint for this, and for which project?  I guess it's something that
would need to be added to all the projects in the keystone_authtoken
section?  Or is there a central place where common configs like this can
live?
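
An added example, not part of the original post and not code from any OpenStack project: one way a service could read a CA bundle path from its config file and pass it to the `verify` setting of requests, failing closed instead of disabling verification. The `cafile` option name, the `[keystone_authtoken]` lookup and the function names are assumptions for illustration; `REQUESTS_CA_BUNDLE` is the environment variable requests itself reads.

```python
import configparser
import os


def resolve_verify(conf_path, section="keystone_authtoken", option="cafile",
                   environ=None):
    """Return the value to use for requests' `verify`.

    Order: config file option, then REQUESTS_CA_BUNDLE, then True (the
    bundle shipped with requests). Never returns False, so a bad path
    cannot silently turn certificate verification off.
    """
    environ = os.environ if environ is None else environ

    # interpolation=None: service config values may contain '%'.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read(conf_path)  # a missing file simply yields no options

    candidates = [
        ("config", parser.get(section, option, fallback=None)),
        ("environment", environ.get("REQUESTS_CA_BUNDLE")),
    ]
    for source, path in candidates:
        if not path:
            continue
        if not os.path.isfile(path):
            # Fail closed: a typo in the path must not fall through to
            # a different trust store or to no verification at all.
            raise FileNotFoundError(
                "CA bundle from %s not found: %s" % (source, path))
        return path
    return True


def make_session(conf_path):
    """Build a requests session that trusts the configured CA bundle."""
    import requests  # imported here so resolve_verify works without it

    session = requests.Session()
    session.verify = resolve_verify(conf_path)
    return session
```

With a self-signed dev CA, the configured file only needs to contain that CA's certificate in PEM form; the bundle that ships with requests stays untouched.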