Re: [Openstack] SSL cert issue on openstack client

Wed, 23 Mar 2016 08:28:06 -0700 

Erik McCormick wrote:

You may want to try updating the system CA certs.  Download both the
root and current intermediate certificate from Geotrust and copy them
to /etc/pki/ca-trust/source/anchors/ and run update-ca-trust. I had
some issues with newer GoDaddy certificates and this fixed me up.
You'd need to do this on any node accessing the APIs.



The output from python -mrequests.certs shows that it isn't using the 
system CA store but one provided by python-requests. I wonder where 
python-requests came from. Is it the one provided by CentOS or (more 
likely) by pip?


rob



-Erik

On Wed, Mar 23, 2016 at 7:20 AM, Dean Troyer <dtro...@gmail.com> wrote:

On Tue, Mar 22, 2016 at 7:41 PM, Jagga Soorma <jagg...@gmail.com> wrote:


However my mac os x desktop does that without any issues.  I was able
to get around this on my CentOS server by downloading the
GeoTrust_CA_Bundle.crt locally and using "export
OS_CACERT=/var/tmp/GeoTrust_CA_Bundle.crt".  However, I don't want to
have all my users to have to do this.  Is there a way around this on
CentOS/Ubunut?  I thought this would be part of the ssl chain included
on these distributions.



There are a couple of possibilities to explain the different behaviour, but
some additional information is required to pinpoint the issue.  How was OSC
installed on the CentOS systems?  (I presume that it was installed via pip
on OS/X.)

Some (if not all) packagers unbundle the urllib3 module that is included in
the requests PyPI package.  requests also includes its own CA bundle and
this is also changed to use the system CA bundle/certs by some packagers.

dt

--

Dean Troyer
dtro...@gmail.com

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack



_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack




_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack






















					Reply via email to