senlin client does not appear to respect OS_CACERT env var
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| senlin | Triaged | High | Jie Li | |
Bug Description
I have an SSL-encrypted keystone api endpoint. (In fact, I run all OpenStack services with end-to-end SSL encryption -- there are no proxies or SSL termination.) I use a self-signed SSL cert, which should be no problem as long as I supply my public CA certificate as part of the OS_CACERT environment variable in my keystonerc/openrc file, and also specify it in all the [keystone_
In CentOS 7, '/etc/pki/
# ls -la /etc/pki/
lrwxrwxrwx. 1 root root 49 Jan 12 16:59 /etc/pki/
I find that the senlinclient requires my CA cert to be appended to this file, or else senlinclient does not work, regardless of the OS_CACERT env variable. I'll do my best to demonstrate.
# ls -latr tls-ca-bundle.pem*
-r--r--r--. 1 root root 260022 Jan 18 00:40 tls-ca-
-r--r--r--. 1 root root 258090 Jan 18 11:23 tls-ca-bundle.pem
'tls-ca-
I'll now source my keystonerc file and try to run a basic senlin command:
[root@localhost pem]# . /root/keystoner
[root@localhost pem]# printenv |grep OS_CACERT
OS_CACERT=
[root@localhost pem]# openstack --debug cluster list
See full output: https:/
Okay, now I'll change tls-ca-bundle.pem to the version containing my SSL CA cert:
[root@localhost pem]# cp -p tls-ca-bundle.pem tls-ca-
[root@localhost pem]# ln -s --force tls-ca-
[root@localhost pem]# ls -la tls-ca-bundle.pem*
lrwxrwxrwx. 1 root root 23 Jan 18 11:33 tls-ca-bundle.pem -> tls-ca-
-r--r--r--. 1 root root 258090 Jan 18 11:23 tls-ca-
-r--r--r--. 1 root root 260022 Jan 18 00:40 tls-ca-
[root@localhost pem]#
Now I'll rerun the same command:
# openstack --debug cluster list
See full output: https:/
You'll note that, this time, the client doesn't fail -- it gets a token. However, the command still fails because Senlin API has the same problem, and can't talk to SSL either.
In general, there is some similar issue with the way Senlin is handling SSL CA certs. I've found a work-around for the client, but it's still a bug. I have not yet found a work-around for the API.
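Added here as an illustration, not code from senlin or from the reporter: a small Python diagnostic that models the CA resolution order a well-behaved OpenStack client is expected to follow (an explicit `--os-cacert` value, then `OS_CACERT`, then the system trust store) and reports which certificates in the `OS_CACERT` file are absent from the system bundle, which is the gap the "append to tls-ca-bundle.pem" work-around fills. The PEM blobs are constructed placeholders, not real certificates, and `resolve_verify` is an assumed model of the expected behaviour, not senlinclient's code.

```python
import base64
import hashlib
import os
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def cert_fingerprints(pem_text):
    """SHA-256 fingerprints of every certificate block in a PEM bundle."""
    fps = set()
    for b64 in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(b64.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def resolve_verify(env, os_cacert_arg=None):
    """Assumed model of the CA resolution a client is expected to do:
    --os-cacert beats OS_CACERT, which beats the system trust store (True)."""
    if os_cacert_arg:
        return os_cacert_arg
    if env.get("OS_CACERT"):
        return env["OS_CACERT"]
    return True  # requests/keystoneauth convention: verify against system bundle


def missing_from_bundle(cacert_pem, system_bundle_pem):
    """Fingerprints present in the OS_CACERT file but absent from the system
    bundle. A non-empty result is exactly the case where a client that ignores
    OS_CACERT fails until the CA is appended to the system bundle."""
    return cert_fingerprints(cacert_pem) - cert_fingerprints(system_bundle_pem)


# Constructed sample PEM blobs (NOT real certificates); only the block
# structure matters for the fingerprint comparison.
def _fake_cert(label):
    body = base64.b64encode(("fake-der-" + label).encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


PUBLIC_CA = _fake_cert("public-root")
PRIVATE_CA = _fake_cert("my-self-signed-ca")
SYSTEM_BUNDLE = PUBLIC_CA          # stand-in for tls-ca-bundle.pem
OS_CACERT_FILE = PRIVATE_CA        # stand-in for the file OS_CACERT points at

if __name__ == "__main__":
    print("verify =", resolve_verify(dict(os.environ)))
    print("missing before work-around:", missing_from_bundle(OS_CACERT_FILE, SYSTEM_BUNDLE))
    print("missing after work-around:", missing_from_bundle(OS_CACERT_FILE, SYSTEM_BUNDLE + PRIVATE_CA))
```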
Changed in senlin:
status: New → Triaged
importance: Undecided → High
Changed in senlin:
assignee: nobody → Jie Li (ramboman)
Fix proposed to branch: master
Review: https://review.opendev.org/728004