[openstack-dev] [Openstack] generation of .pem file

Juan Antonio Osorio jaosorior at gmail.com
Thu Nov 9 13:37:49 UTC 2017


On Thu, Nov 9, 2017 at 3:27 PM, David Gabriel <davidgab283 at gmail.com> wrote:

> My objective is to create a stack using Heat.
> Initially, my code worked properly with http access but when our Openstack
> is updated the access is becoming via https so I got the errors I sent in
> the previous email.
> So I think I need to *authenticate *using the .pem certificate.
> But, I don't know where exactely (which location) I put the .pem file in
> order to be visible to the heatclient (or keystone) and how shall I update
> my code ?
>

I really suggest you ask your administrator what you should be doing.
Having TLS on the endpoint doesn't necessarily mean that you need to
authenticate. It could mean that all you need to do is trust the CA that
issued the certificate that Heat (or the load balancer) is serving publicly.



> I am confusing a little bit!
> Thanks in advance.
> Best regards.
>
> 2017-11-09 9:05 GMT+01:00 Juan Antonio Osorio <jaosorior at gmail.com>:
>
>> Alright,
>>
>> So, first question. What do you actually want to do? Do you need to
>> authenticate with the heat endpoint with TLS (using client certificates) ?
>> Or, do you want to merely use TLS to communicate with Heat and you're
>> getting this verification issue?
>>
>> On Wed, Nov 8, 2017 at 10:48 PM, David Gabriel <davidgab283 at gmail.com>
>> wrote:
>>
>>> I forget to send the errors I got:
>>>
>>>   File "/usr/lib/python2.7/dist-packages/heatclient/v1/stacks.py", line
>>> 109, in create
>>>     data=kwargs, headers=headers)
>>>   File "/usr/lib/python2.7/dist-packages/heatclient/common/http.py",
>>> line 223, in json_request
>>>     resp = self._http_request(url, method, **kwargs)
>>>   File "/usr/lib/python2.7/dist-packages/heatclient/common/http.py",
>>> line 166, in _http_request
>>>     **kwargs)
>>>   File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line
>>> 53, in request
>>>     return session.request(method=method, url=url, **kwargs)
>>>   File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py",
>>> line 468, in request
>>>     resp = self.send(prep, **send_kwargs)
>>>   File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py",
>>> line 576, in send
>>>     r = adapter.send(request, **kwargs)
>>>   File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py",
>>> line 447, in send
>>>     raise SSLError(e, request=request)
>>> SSLError: [Errno 1] _ssl.c:510: error:14090086:SSL
>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>> 127.0.0.1 - - [08/Nov/2017 20:34:56] "POST /stack_create HTTP/1.1" 500
>>> 2801
>>>
>>>
>>> 2017-11-08 21:43 GMT+01:00 David Gabriel <davidgab283 at gmail.com>:
>>>
>>>> Dear Juan,
>>>>
>>>> Thanks so much for your reply.
>>>> I fact, the command you suggest leads to the structure of a .pem file
>>>> like it is shown in the reference you provide.
>>>>
>>>> Let me please ask another question related to the new pem file.
>>>> In fact, I want to use use it in to call python-heatclient API in order
>>>> to create stacks (Openstack address is based on https).
>>>> I am wondering, where to copy this pem file and how to refer it ?
>>>>
>>>> Thanks in advance.
>>>> Best regards.
>>>>
>>>>
>>>>
>>>> 2017-11-08 15:39 GMT+01:00 Juan Antonio Osorio <jaosorior at gmail.com>:
>>>>
>>>>> Hello,
>>>>>
>>>>> You need to verify the files and check how they look like. A good
>>>>> guide to do this is this one http://how2ssl.com/articles/wo
>>>>> rking_with_pem_files/ .
>>>>> .cert and .key are not actual formats, but might actually contain the
>>>>> cert and the key in PEM format. The main giveaway is that they should
>>>>> contain the header. If you will use the file for HAProxy, then you need the
>>>>> certificate and key in the same file. So you would do something like this:
>>>>>
>>>>>     $ cat mycertificate.cert  mykey.key > cert-and-key.pem
>>>>>
>>>>> And the resulting file is something you could use for your HAProxy
>>>>> instance. But again, it all depends on what you will use it for.
>>>>>
>>>>> On Wed, Nov 8, 2017 at 3:36 PM, David Gabriel <davidgab283 at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Dears,
>>>>>>
>>>>>> I need to generate the .pem file based on certifcate files (.cert).
>>>>>> The key (.key file) is available too.
>>>>>> All my files can be read as text files.
>>>>>> Could you please detail the procedure for this ?
>>>>>> I am using ubuntu as OS.
>>>>>>
>>>>>> Thanks in advance.
>>>>>> Best regards.
>>>>>>
>>>>>> ____________________________________________________________
>>>>>> ______________
>>>>>> OpenStack Development Mailing List (not for usage questions)
>>>>>> Unsubscribe: OpenStack-dev-request at lists.op
>>>>>> enstack.org?subject:unsubscribe
>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Juan Antonio Osorio R.
>>>>> e-mail: jaosorior at gmail.com
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Mailing list: http://lists.openstack.org/cgi
>>>>> -bin/mailman/listinfo/openstack
>>>>> Post to     : openstack at lists.openstack.org
>>>>> Unsubscribe : http://lists.openstack.org/cgi
>>>>> -bin/mailman/listinfo/openstack
>>>>>
>>>>>
>>>>
>>>
>>
>>
>> --
>> Juan Antonio Osorio R.
>> e-mail: jaosorior at gmail.com
>>
>>
>


-- 
Juan Antonio Osorio R.
e-mail: jaosorior at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20171109/7b9990b8/attachment.html>


More information about the OpenStack-dev mailing list