[Openstack] SSL cert issue on openstack client

CHOW Anthony anthony.chow at al-enterprise.com
Wed Mar 23 01:00:32 UTC 2016


I think with OS_CACERT you are telling your CentOS 7 server to validate the server certificate at /var/tmp/GeoTrust_CA_Bundle.crt instead of the validation information that is embedded in the server certificate such as CRL and OCSP URL.

Hope someone will have an answer for this problem.  I am curious to know what the root cause of this problem is.  :)

As for why Mac OS X works, it could be they do not follow the rules.  I know some web browsers do not check the server certificate according to the SSLv3/TLS spec.

Cheers,

Anthony.
-----Original Message-----
From: Jagga Soorma [mailto:jagga13 at gmail.com] 
Sent: Tuesday, March 22, 2016 5:42 PM
To: CHOW Anthony
Cc: openstack
Subject: Re: [Openstack] SSL cert issue on openstack client

However my mac os x desktop does that without any issues.  I was able to get around this on my CentOS server by downloading the GeoTrust_CA_Bundle.crt locally and using "export OS_CACERT=/var/tmp/GeoTrust_CA_Bundle.crt".  However, I don't want all my users to have to do this.  Is there a way around this on CentOS/Ubuntu?  I thought this would be part of the ssl chain included on these distributions.

Thanks

On Tue, Mar 22, 2016 at 5:38 PM, CHOW Anthony <anthony.chow at al-enterprise.com> wrote:
> It seems like your CentOS 7 server is not able to verify the KeyStone server's certificate.
>
>         [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Interesting issue.
>
> Anthony.
> -----Original Message-----
> From: Jagga Soorma [mailto:jagga13 at gmail.com]
> Sent: Tuesday, March 22, 2016 5:18 PM
> To: openstack
> Subject: [Openstack] SSL cert issue on openstack client
>
> Hi Guys,
>
> I am new to openstack and currently have an openstack environment that seems to have ssl enabled.  From my mac I am able to use the openstack api without any issues and without having to do anything for ssl.
> However, from my CentOS 7.1 server I get the following error message:
>
> --
> bash-4.2$ openstack image list
> Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
> SSL exception connecting to https://xxx.yyy.com:5000/v3/auth/tokens:
> [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> --
>
> I do seem to have the ca certificates installed:
>
> --
> $ rpm -qa | grep -i ca-cert
> ca-certificates-2015.2.4-70.0.el7_1.noarch
> --
>
> Is there something extra that I need to do in order to get the openstack api working on CentOS?
>
> Not having much luck with this.  Any help would be appreciated.
>
> Thanks!
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
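
Added example (not part of the original thread, and not OpenStack client code): a small Python 3 probe that runs the TLS handshake against the Keystone endpoint once with the host's default trust store and once with the file named in OS_CACERT, and reports OpenSSL's verification reason for each. The host and port are supplied by the caller; the function names probe and compare are illustrative.

```python
import os
import socket
import ssl
import sys


def probe(host, port, cafile=None, timeout=5.0):
    """Handshake with full verification; return (status, detail)."""
    try:
        # cafile=None -> the platform's default trust store;
        # otherwise trust only the CAs in that PEM file.
        ctx = ssl.create_default_context(cafile=cafile)
    except OSError as exc:  # missing file, or no PEM certificates in it
        return ("bad-cafile", str(exc))
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("verified", tls.version())
    except ssl.SSLCertVerificationError as exc:
        # e.g. "unable to get local issuer certificate": no trusted path
        # from the presented chain to any CA in the store in use.
        return ("verify-failed", exc.verify_message)
    except ssl.SSLError as exc:
        return ("tls-error", str(exc))
    except OSError as exc:
        return ("unreachable", str(exc))


def compare(host, port):
    """Probe with the system store, and with OS_CACERT if it is set."""
    results = {"system": probe(host, port)}
    cacert = os.environ.get("OS_CACERT")
    if cacert:
        results["OS_CACERT"] = probe(host, port, cafile=cacert)
    return results


if __name__ == "__main__":
    # Usage: python3 probe.py <keystone-host> [port]   (port defaults to 5000)
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5000
    for store, (status, detail) in compare(target, port).items():
        print(f"{store:10s} {status:14s} {detail}")
```

If the system row reports verify-failed while the OS_CACERT row reports verified, the CA that issued the endpoint's certificate (or an intermediate the server does not send) is missing from the host's default trust store.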

