Ok. Makes sense. Indeed, I was wrong about Horizon depending directly on httplib2.

Horizon is the only project in an entire SSL enabled Openstack system (Nova excepted, it's still running over http) that complained about SSL connections not having a trusted CA root for connections it makes to other services. If it's a Keystone problem, then it certainly is a bug that should be filed there. But if it's a problem with how Horizon is using the middleware, then it would make sense to address it here. Thanks.

Without modifying the Horizon source, I came up with a workaround. Django and Horizon depend upon httplib2, which includes a list of recognized certificates. I added our local root certificate to that file, and the connection is working as expected. However, this is an unsatisfactory solution, and it seems there should be a way to add trusted CAs at a configuration level.

Since I'm very new to the OpenStack development community, I want to be clear that I'm very impressed by the development effort here.

SSL key management has been a very confusing experience on the whole. It would be nice to have a clear way to set up a root CA that all components of the software stack can be set to trust, then distribute signed keys to the components so that all of the traffic can be encrypted. Since most of the software is communicating largely over private networks I can see why simplicity in trust was traded over setting up the trust chain correctly, but I agree with you completely that it's a shortcoming rather than a feature.