What is the correct behavior of OS_CACERT in python clients?

asked 2014-02-04 14:52:40 -0600

electrocucaracha

updated 2014-02-06 17:40:31 -0600

smaffulli

I'm not sure whether this could be a bug, but after comparing the nova and glance clients, I see some inconsistencies.

If I have unset the OS_CACERT variable and I run the following:

(.venv)vjmorale@gmw-vjmorale:~/openstack-src$ nova image-list
ERROR: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

(.venv)vjmorale@gmw-vjmorale:~/openstack-src$ nova --insecure image-list
+--------------------------------------+--------------------------+--------+--------+
| ID                                   | Name                     | Status | Server |
+--------------------------------------+--------------------------+--------+--------+
...

(.venv)vjmorale@gmw-vjmorale:~/openstack-src$ nova image-list
ERROR: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

(.venv)vjmorale@gmw-vjmorale:~/openstack-src$ nova --insecure image-list
+--------------------------------------+--------------------------+--------+--------+
| ID                                   | Name                     | Status | Server |
+--------------------------------------+--------------------------+--------+--------+
...

At this point everything seems right, but once I set the OS_CACERT variable, the behavior changes:

(.venv)vjmorale@gmw-vjmorale:~/openstack-src$ nova image-list
+--------------------------------------+--------------------------+--------+--------+
| ID                                   | Name                     | Status | Server |
+--------------------------------------+--------------------------+--------+--------+
...

(.venv)vjmorale@gmw-vjmorale:~/openstack-src$ nova --insecure image-list
+--------------------------------------+--------------------------+--------+--------+
| ID                                   | Name                     | Status | Server |
+--------------------------------------+--------------------------+--------+--------+
...

(.venv)vjmorale@gmw-vjmorale:~/openstack-src$ glance image-list
Host "xxx.xxx.xxx" does not match x509 certificate contents: CommonName "xxx.xxx.xxx", subjectAltName "DNS:xxx.xxx.xxx, IP Address:127.0.0.1"

(.venv)vjmorale@gmw-vjmorale:~/openstack-src$ glance --insecure image-list
+--------------------------------------+--------------------------+-------------+------------------+--------------+--------+
| ID                                   | Name                     | Disk Format | Container Format | Size         | Status |
+--------------------------------------+--------------------------+-------------+------------------+--------------+--------+
...

Is there a problem with my certificate, or is there a bug in one of the clients?

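The two errors in the session above come from two separate checks: chain validation against a CA bundle ("certificate verify failed") and matching the requested host against the names in the certificate. As an added example (not part of the original post, and not code from novaclient or glanceclient), the following shows the second check over a constructed certificate in the dict shape returned by `ssl.SSLSocket.getpeercert()`; `host_matches_cert`, `SAMPLE_CERT` and the `example.test` names are hypothetical.

```python
import ipaddress

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# the names are placeholders, not values from the post.
SAMPLE_CERT = {
    "subject": ((("commonName", "api.example.test"),),),
    "subjectAltName": (("DNS", "api.example.test"),
                       ("DNS", "*.cloud.example.test"),
                       ("IP Address", "127.0.0.1")),
}

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:] and h[0] != ""
    return p == h

def host_matches_cert(host, cert):
    """Return (matched, names_checked) for host against a getpeercert() dict."""
    san = cert.get("subjectAltName", ())
    if _is_ip(host):
        # IP literals are compared only with 'IP Address' SAN entries.
        ips = [v for k, v in san if k == "IP Address"]
        want = ipaddress.ip_address(host)
        return any(ipaddress.ip_address(v) == want for v in ips), ips
    dns = [v for k, v in san if k == "DNS"]
    if not dns:
        # Fall back to commonName only when the cert has no DNS SAN entries.
        dns = [v for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName"]
    return any(_dns_match(n, host) for n in dns), dns
```

A certificate can chain to the CA in the OS_CACERT bundle and still fail this check when the endpoint is addressed by a name or IP that the certificate does not list.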