** Changed in: nova
   Importance: Undecided => Wishlist

** Changed in: nova
       Status: New => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1678686

Title:
  keystoneauth doesn't use a default cafile

Status in keystoneauth:
  In Progress
Status in OpenStack Compute (nova):
  Opinion

Bug description:
  KeystoneAuth doesn't use a default cafile; this causes problems when
  generating a local CA or self-signed CA with HTTPS-enabled endpoints.
  Even though the CA can be installed locally, keystoneauth will still
  fail SSL verification.

  
  =================
  2017-04-03 00:54:49.305 545 DEBUG oslo_messaging._drivers.amqpdriver [-] 
received reply msg_id: bb9ce702f5864adf8e4720d2304fcb2a __call__ 
/usr/lib/python2.7/site-packages/oslo_messaging/_drivers/amqpdriver.py:346
  2017-04-03 00:54:49.337 545 DEBUG cinderclient.v2.client 
[req-7cb00c0e-be3d-4e25-b369-fd8aecbae803 7106629bf3b440a79030d327abd0747e 
2aeed525cd4e4f329b0567be30d3aa6c - default default] REQ: curl -g -i -X GET 
https://openstack.local.net:8776/v2/2aeed525cd4e4f329b0567be30d3aa6c/volumes/ef828539-027c-4daa-9c96-19d2f3cd51e3
 -H "X-Service-Token: {SHA1}77aedd00ae7642ecf44c452749b8b3ed6f45330d" -H 
"User-Agent: python-cinderclient" -H "Accept: application/json" -H 
"X-Auth-Token: {SHA1}a91d7c21ef9f2401ffbe691355000e7bcc9d390c" 
_http_log_request /usr/lib/python2.7/site-packages/keystoneauth1/session.py:347
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions 
[req-7cb00c0e-be3d-4e25-b369-fd8aecbae803 7106629bf3b440a79030d327abd0747e 
2aeed525cd4e4f329b0567be30d3aa6c - default default] Unexpected exception in API 
method
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions Traceback 
(most recent call last):
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/nova/api/openstack/extensions.py", line 338, 
in wrapped
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     return 
f(*args, **kwargs)
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/nova/api/validation/__init__.py", line 108, 
in wrapper
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     return 
func(*args, **kwargs)
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/nova/api/openstack/compute/volumes.py", line 
338, in create
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     
volume_id, device)
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/nova/compute/api.py", line 204, in inner
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     return 
function(self, context, instance, *args, **kwargs)
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/nova/compute/api.py", line 152, in inner
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     return 
f(self, context, instance, *args, **kw)
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/nova/compute/api.py", line 3772, in 
attach_volume
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     disk_bus, 
device_type)
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/nova/compute/api.py", line 3715, in 
_attach_volume
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     
volume_bdm.destroy()
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 220, in __exit__
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     
self.force_reraise()
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 196, in 
force_reraise
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     
six.reraise(self.type_, self.value, self.tb)
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/nova/compute/api.py", line 3711, in 
_attach_volume
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     
self._check_attach_and_reserve_volume(context, volume_id, instance)
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/nova/compute/api.py", line 3693, in 
_check_attach_and_reserve_volume
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     volume = 
self.volume_api.get(context, volume_id)
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/nova/volume/cinder.py", line 177, in wrapper
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     
_reraise(exception.CinderConnectionFailed(reason=err_msg))
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/nova/volume/cinder.py", line 231, in _reraise
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     
six.reraise(type(desired_exc), desired_exc, sys.exc_info()[2])
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/nova/volume/cinder.py", line 173, in wrapper
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     res = 
method(self, ctx, *args, **kwargs)
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/nova/volume/cinder.py", line 195, in wrapper
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     res = 
method(self, ctx, volume_id, *args, **kwargs)
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/nova/volume/cinder.py", line 239, in get
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     item = 
cinderclient(context).volumes.get(volume_id)
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/cinderclient/v2/volumes.py", line 277, in get
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     return 
self._get("/volumes/%s" % volume_id, "volume")
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/cinderclient/base.py", line 314, in _get
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     resp, 
body = self.api.client.get(url)
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/cinderclient/client.py", line 171, in get
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     return 
self._cs_request(url, 'GET', **kwargs)
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/cinderclient/client.py", line 162, in 
_cs_request
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     return 
self.request(url, method, **kwargs)
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/cinderclient/client.py", line 148, in request
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     **kwargs)
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 380, in 
request
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     resp = 
super(LegacyJsonAdapter, self).request(*args, **kwargs)
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 148, in 
request
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     return 
self.session.request(url, method, **kwargs)
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/positional/__init__.py", line 101, in inner
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     return 
wrapped(*args, **kwargs)
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 616, in 
request
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     resp = 
send(**kwargs)
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File 
"/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 678, in 
_send_request
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions     raise 
exceptions.SSLError(msg)
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions 
CinderConnectionFailed: Connection to cinder host failed: SSL exception 
connecting to 
https://openstack.local.nunet.net:8776/v2/2aeed525cd4e4f329b0567be30d3aa6c/volumes/ef828539-027c-4daa-9c96-19d2f3cd51e3:
 ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 
'certificate verify failed')],)",)
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions

  ====================

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystoneauth/+bug/1678686/+subscriptions
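
Added example, not part of the bug report or of any OpenStack project: a small triage helper that rejoins the mail-wrapped oslo.log records quoted above and reports which endpoint failed certificate verification and which client frame raised it. The names unwrap and tls_verify_failures are hypothetical; the sample is an excerpt of the traceback in the report.

```python
import re
from urllib.parse import urlsplit

# Excerpt of the traceback quoted in the bug report, still mail-wrapped.
SAMPLE = """\
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions   File
"/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 678, in
_send_request
  2017-04-03 00:54:49.442 545 ERROR nova.api.openstack.extensions
CinderConnectionFailed: Connection to cinder host failed: SSL exception
connecting to
https://openstack.local.nunet.net:8776/v2/2aeed525cd4e4f329b0567be30d3aa6c/volumes/ef828539-027c-4daa-9c96-19d2f3cd51e3:
 ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE',
'certificate verify failed')],)",)
"""

RECORD = re.compile(r"^\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \d+ ([A-Z]+) (\S+)\s*(.*)$")
FRAME = re.compile(r'File "([^"]+)", line (\d+), in (\w+)')
URL = re.compile(r"https://[^\s\"']+")


def unwrap(text):
    """Rejoin log records that the mailer wrapped at whitespace."""
    records = []
    for line in text.splitlines():
        if RECORD.match(line) or not records:
            records.append(line.strip())      # a timestamp starts a new record
        elif line.strip():
            records[-1] += " " + line.strip()  # continuation of the last record
    return records


def tls_verify_failures(text):
    """Return one finding per 'certificate verify failed' record."""
    findings, last_frame = [], None
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m:
            continue
        stamp, _level, logger, msg = m.groups()
        frame = FRAME.search(msg)
        if frame:  # remember the innermost traceback frame seen so far
            last_frame = "%s:%s" % frame.group(1, 2)
        if "certificate verify failed" in msg:
            url = URL.search(msg)
            host = urlsplit(url.group(0).rstrip(":")).netloc if url else None
            findings.append({"time": stamp, "service": logger,
                             "endpoint": host, "raised_in": last_frame})
    return findings
```

The endpoint in each finding is the host whose certificate chain the reporting service could not validate against the CA bundle it was using.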
