[Openstack] SSL cert issue on openstack client

Rahul Sharma rahulsharmaait at gmail.com
Wed Mar 23 03:32:59 UTC 2016


I am not sure but the warning message as depicted in your previous email's
output says something related to SNIMissingWarning.
https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning

It looks like you are using urllib3 version 1.13 or later and these things
got added since this version. Maybe, try with a lower version or upgrade of
packages as listed in that link?

*Rahul Sharma*
*MS in Computer Science, 2016*
College of Computer and Information Science, Northeastern University
Mobile:  801-706-7860
Email: rahulsharmaait at gmail.com

On Tue, Mar 22, 2016 at 10:56 PM, Jagga Soorma <jagga13 at gmail.com> wrote:

> Here is what I see:
>
> # python -mrequests.certs
> /usr/lib/python2.7/site-packages/requests/cacert.pem
>
> I do see GeoTrust certs in here:
>
> --
> # grep -i geotrust cacert.pem | head -2
> # Issuer: CN=GeoTrust Global CA O=GeoTrust Inc.
> # Subject: CN=GeoTrust Global CA O=GeoTrust Inc.
> # grep -i geotrust cacert.pem | wc -l
> 21
> --
>
> Here is the requests.get output:
>
> --
>
> # python
> Python 2.7.5 (default, Jun 24 2015, 00:41:19)
> [GCC 4.8.3 20140911 (Red Hat 4.8.3-9)] on linux2
> Type "help", "copyright", "credits" or "license" for more information.
> >>> import requests
> >>> requests.get("https://xxx.yyy.com:5000")
> /usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:315: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.
>   SNIMissingWarning
> /usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
>   InsecurePlatformWarning
> Traceback (most recent call last):
>   File "<stdin>", line 1, in <module>
>   File "/usr/lib/python2.7/site-packages/requests/api.py", line 67, in get
>     return request('get', url, params=params, **kwargs)
>   File "/usr/lib/python2.7/site-packages/requests/api.py", line 53, in request
>     return session.request(method=method, url=url, **kwargs)
>   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 468, in request
>     resp = self.send(prep, **send_kwargs)
>   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
>     r = adapter.send(request, **kwargs)
>   File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 447, in send
>     raise SSLError(e, request=request)
> requests.exceptions.SSLError: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> >>>
> --
>
> Looks like if the geotrust chain exists then it should not have a problem
> with our ssl cert.  What am I missing here?
>
> Thanks for your help with this!
>
> On Tue, Mar 22, 2016 at 6:14 PM, Rahul Sharma <rahulsharmaait at gmail.com>
> wrote:
>
>> Python's requests module is unable to verify the cert. To check the
>> default location of trusted root ca used by requests module, run this
>> command:
>>
>> bash# python -mrequests.certs
>>
>> It will give you some location in output. Dump the contents of GeoTrust_CA_Bundle.crt
>> to the end of this file.
>>
>> To test if it's working fine, use these steps:
>> [bash]$ python
>> Python 2.7.5
>> Type "help", "copyright", "credits" or "license" for more information.
>> >>> import requests
>> >>> requests.get("https://xxx.yyy.com:5000")
>> <Response [300]>
>> >>>
>>
>> Instead of response 300, if you are still getting error here, it means
>> the cert is not correct or it's unable to find the rootCA in the provided
>> location.
>>
>> *Rahul Sharma*
>> *MS in Computer Science, 2016*
>> College of Computer and Information Science, Northeastern University
>> Mobile:  801-706-7860
>> Email: rahulsharmaait at gmail.com
>>
>> On Tue, Mar 22, 2016 at 8:41 PM, Jagga Soorma <jagga13 at gmail.com> wrote:
>>
>>> However my mac os x desktop does that without any issues.  I was able
>>> to get around this on my CentOS server by downloading the
>>> GeoTrust_CA_Bundle.crt locally and using "export
>>> OS_CACERT=/var/tmp/GeoTrust_CA_Bundle.crt".  However, I don't want to
>>> have all my users to have to do this.  Is there a way around this on
>>> CentOS/Ubuntu?  I thought this would be part of the ssl chain included
>>> on these distributions.
>>>
>>> Thanks
>>>
>>> On Tue, Mar 22, 2016 at 5:38 PM, CHOW Anthony
>>> <anthony.chow at al-enterprise.com> wrote:
>>> > It seems like your CentOS 7 server is not able to verify the Keystone server's certificate.
>>> >
>>> >         [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>> >
>>> > Interesting issue.
>>> >
>>> > Anthony.
>>> > -----Original Message-----
>>> > From: Jagga Soorma [mailto:jagga13 at gmail.com]
>>> > Sent: Tuesday, March 22, 2016 5:18 PM
>>> > To: openstack
>>> > Subject: [Openstack] SSL cert issue on openstack client
>>> >
>>> > Hi Guys,
>>> >
>>> > I am new to openstack and currently have an openstack environment that seems to have ssl enabled.  From my mac I am able to use the openstack api without any issues and without having to do anything for ssl.
>>> > However, from my CentOS 7.1 server I get the following error message:
>>> >
>>> > --
>>> > bash-4.2$ openstack image list
>>> > Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
>>> > SSL exception connecting to https://xxx.yyy.com:5000/v3/auth/tokens:
>>> > [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>> > --
>>> >
>>> > I do seem to have the ca certificates installed:
>>> >
>>> > --
>>> > $ rpm -qa | grep -i ca-cert
>>> > ca-certificates-2015.2.4-70.0.el7_1.noarch
>>> > --
>>> >
>>> > Is there something extra that I need to do in order to get the openstack api working on CentOS?
>>> >
>>> > Not having much luck with this.  Any help would be appreciated.
>>> >
>>> > Thanks!
>>> >
>>> > _______________________________________________
>>> > Mailing list:
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>> > Post to     : openstack at lists.openstack.org
>>> > Unsubscribe :
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>
>>
>>
>
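
Added example, not part of the original thread: the step discussed above (appending GeoTrust_CA_Bundle.crt to the file printed by `python -mrequests.certs`) written as an idempotent merge that de-duplicates by certificate fingerprint, plus a check for the two platform capabilities behind SNIMissingWarning and InsecurePlatformWarning. All function names are hypothetical, and the sample PEM blocks are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """Map SHA-256(DER) -> PEM block for every certificate in a bundle."""
    found = {}
    for m in PEM_RE.finditer(pem_text):
        der = base64.b64decode("".join(m.group(1).split()))
        found.setdefault(hashlib.sha256(der).hexdigest(), m.group(0))
    return found

def merge_bundle(base_pem, extra_pem):
    """Append only the certificates from extra_pem that base_pem lacks.

    Returns (merged_text, number_added). A second run adds nothing, so the
    merge can be repeated after a package upgrade replaces cacert.pem.
    """
    have = fingerprints(base_pem)
    new = [pem for fp, pem in fingerprints(extra_pem).items() if fp not in have]
    if not new:
        return base_pem, 0
    return base_pem.rstrip("\n") + "\n\n" + "\n\n".join(new) + "\n", len(new)

def platform_tls_report():
    """Capabilities whose absence triggers the two urllib3 warnings."""
    return {
        "has_sni": getattr(ssl, "HAS_SNI", False),
        "has_sslcontext": hasattr(ssl, "SSLContext"),
        "openssl": ssl.OPENSSL_VERSION,
    }

def fake_pem(payload):
    # Constructed placeholder: arbitrary bytes in PEM armor, not a certificate.
    body = base64.b64encode(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % body

ROOT = fake_pem(b"constructed-root")
INTERMEDIATE = fake_pem(b"constructed-intermediate")
BASE_BUNDLE = "# Issuer: constructed root\n" + ROOT + "\n"   # stands in for cacert.pem
EXTRA_BUNDLE = ROOT + "\n" + INTERMEDIATE + "\n"             # stands in for the CA bundle

if __name__ == "__main__":
    merged, added = merge_bundle(BASE_BUNDLE, EXTRA_BUNDLE)
    print("added %d certificate(s); platform: %r" % (added, platform_tls_report()))
```

A root that `grep` already finds in cacert.pem is skipped by the merge, so a non-zero count means the bundle supplied certificates the trust file did not have.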