[Openstack] SSL cert issue on openstack client

Jagga Soorma jagga13 at gmail.com
Wed Mar 23 02:56:10 UTC 2016


Here is what I see:

# python -mrequests.certs
/usr/lib/python2.7/site-packages/requests/cacert.pem

I do see GeoTrust certs in here:

--
# grep -i geotrust cacert.pem | head -2
# Issuer: CN=GeoTrust Global CA O=GeoTrust Inc.
# Subject: CN=GeoTrust Global CA O=GeoTrust Inc.
# grep -i geotrust cacert.pem | wc -l
21
--

Here is the requests.get output:

--

# python
Python 2.7.5 (default, Jun 24 2015, 00:41:19)
[GCC 4.8.3 20140911 (Red Hat 4.8.3-9)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get("https://xxx.yyy.com:5000")
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:315: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 67, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 53, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 468, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 447, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>
--

Looks like if the geotrust chain exists then it should not have a problem
with our ssl cert.  What am I missing here?

Thanks for your help with this!

On Tue, Mar 22, 2016 at 6:14 PM, Rahul Sharma <rahulsharmaait at gmail.com>
wrote:

> Python's requests module is unable to verify the cert. To check the
> default location of trusted root ca used by requests module, run this
> command:
>
> bash# python -mrequests.certs
>
> It will give you some location in output. Dump the contents of GeoTrust_CA_Bundle.crt
> to the end of this file.
>
> To test if it's working fine, use these steps:-
> [bash]$ python
> Python 2.7.5
> Type "help", "copyright", "credits" or "license" for more information.
> >>> import requests
> >>> requests.get("https://xxx.yyy.com:5000")
> <Response [300]>
> >>>
>
> Instead of response 300, if you are still getting error here, it means the
> cert is not correct or it's unable to find the rootCA in the provided
> location.
>
> *Rahul Sharma*
> *MS in Computer Science, 2016*
> College of Computer and Information Science, Northeastern University
> Mobile:  801-706-7860
> Email: rahulsharmaait at gmail.com
>
> On Tue, Mar 22, 2016 at 8:41 PM, Jagga Soorma <jagga13 at gmail.com> wrote:
>
>> However my mac os x desktop does that without any issues.  I was able
>> to get around this on my CentOS server by downloading the
>> GeoTrust_CA_Bundle.crt locally and using "export
>> OS_CACERT=/var/tmp/GeoTrust_CA_Bundle.crt".  However, I don't want
>> all my users to have to do this.  Is there a way around this on
>> CentOS/Ubuntu?  I thought this would be part of the ssl chain included
>> on these distributions.
>>
>> Thanks
>>
>> On Tue, Mar 22, 2016 at 5:38 PM, CHOW Anthony
>> <anthony.chow at al-enterprise.com> wrote:
>> > It seems like your CentOS 7 server is not able to verify the KeyStone server's certificate.
>> >
>> >         [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>> >
>> > Interesting issue.
>> >
>> > Anthony.
>> > -----Original Message-----
>> > From: Jagga Soorma [mailto:jagga13 at gmail.com]
>> > Sent: Tuesday, March 22, 2016 5:18 PM
>> > To: openstack
>> > Subject: [Openstack] SSL cert issue on openstack client
>> >
>> > Hi Guys,
>> >
>> > I am new to openstack and currently have an openstack environment that seems to have ssl enabled.  From my mac I am able to use the openstack api without any issues and without having to do anything for ssl.
>> > However, from my CentOS 7.1 server I get the following error message:
>> >
>> > --
>> > bash-4.2$ openstack image list
>> > Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
>> > SSL exception connecting to https://xxx.yyy.com:5000/v3/auth/tokens:
>> > [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>> > --
>> >
>> > I do seem to have the ca certificates installed:
>> >
>> > --
>> > $ rpm -qa | grep -i ca-cert
>> > ca-certificates-2015.2.4-70.0.el7_1.noarch
>> > --
>> >
>> > Is there something extra that I need to do in order to get the openstack api working on CentOS?
>> >
>> > Not having much luck with this.  Any help would be appreciated.
>> >
>> > Thanks!
>> >
>> > _______________________________________________
>> > Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> > Post to     : openstack at lists.openstack.org
>> > Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>
>>
>
>
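
One condition that produces the symptom in this message (the root CA is in cacert.pem, yet verification fails) is a server that does not send its intermediate certificate; the thread does not establish that this is the cause here. The following is an added example, not part of the original thread: it builds a constructed root, intermediate and leaf with openssl and checks three trust configurations. It assumes OpenSSL 1.1.0 or later, where `openssl verify` exits non-zero on failure.

```shell
#!/usr/bin/env bash
# Added example. The demo-* names and file names are constructed test values.

# Build root -> intermediate -> leaf certificates in directory $1.
make_demo_pki() {
  local d=$1 n
  printf '%s\n' '[ca]' 'basicConstraints=critical,CA:TRUE' \
    '[leaf]' 'basicConstraints=CA:FALSE' > "$d/ext.cnf"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
      -out "$d/$n.csr" -subj "/CN=demo-$n" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ext.cnf" -extensions ca -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ext.cnf" -extensions ca \
    -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -extfile "$d/ext.cnf" -extensions leaf \
    -out "$d/leaf.pem" 2>/dev/null
  # Trust file with the intermediate appended, as when a CA bundle is
  # added to cacert.pem or passed through OS_CACERT.
  cat "$d/root.pem" "$d/int.pem" > "$d/root_plus_int.pem"
}

# $1 = trust file, $2 = leaf, $3 = optional extra certs sent by the server.
# Exit status 0 means the chain verified.
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

demo() {
  local d r
  d=$(mktemp -d)
  make_demo_pki "$d"
  verify_chain "$d/root.pem" "$d/leaf.pem" && r=ok || r="verify failed"
  echo "root trusted, server sends leaf only:           $r"
  verify_chain "$d/root_plus_int.pem" "$d/leaf.pem" && r=ok || r="verify failed"
  echo "root + intermediate trusted, leaf only:         $r"
  verify_chain "$d/root.pem" "$d/leaf.pem" "$d/int.pem" && r=ok || r="verify failed"
  echo "root trusted, server sends leaf + intermediate: $r"
  rm -rf "$d"
}
demo
```

Against a real endpoint, `openssl s_client -connect xxx.yyy.com:5000 -showcerts` lists the certificates the server actually sends, which shows whether the intermediate is included.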