How to connect Horizon to Keystone installation with self-signed SSL

asked 2012-02-15 00:05:09 -0600

hoge

I'm setting up an Openstack Essex deployment, with Keystone running over SSL. I've set up a CA for our organization and am using self-signed keys. It looks like Horizon is rejecting the keys at the SSL library layer with the response "Error: Unable to communicate with identity service: [Errno 1] _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed. (HTTP 400)".

Is it possible to configure Horizon to either be permissive in SSL connections, or to make it recognize our CA as valid? If so, how?

7 answers

answered 2012-02-15 19:58:43 -0600

Django doesn't depend on httplib2. Horizon only seems to import httplib2 in the test suite.

I think what you mean to say is that python-keystoneclient depends on httplib2. You probably want to open a bug with that project if you're unhappy with how it works.

answered 2012-02-15 23:17:20 -0600

Though if there isn't an open bug or blueprint for doing SSL key management in Horizon, there should be one.

answered 2012-02-15 23:34:11 -0600

hoge

Ok. Makes sense. Indeed, I was wrong about Horizon depending directly on httplib2.

Horizon is the only project in an entire SSL-enabled Openstack system (Nova excepted, it's still running over http) that complained about SSL connections not having a trusted CA root for connections it makes to other services. If it's a Keystone problem, then it certainly is a bug that should be filed there. But if it's a problem with how Horizon is using the middleware, then it would make sense to address it here. Thanks.

answered 2012-02-15 16:46:57 -0600

hoge

Without modifying the Horizon source, I came up with a workaround. Django and Horizon depend upon httplib2, which includes a list of recognized certificates. I added our local root certificate to that file, and the connection is working as expected. However, this is an unsatisfactory solution, and it seems there should be a way to add trusted CAs at a configuration level.

answered 2012-02-16 16:49:42 -0600

hoge

Since I'm very new to the OpenStack development community, I want to be clear that I'm very impressed by the development effort here.

SSL key management has been a very confusing experience on the whole. It would be nice to have a clear way to set up a root CA that all components of the software stack can be set to trust, then distribute signed keys to the components so that all of the traffic can be encrypted. Since most of the software is communicating largely over private networks, I can see why simplicity in trust was traded over setting up the trust chain correctly, but I agree with you completely that it's a shortcoming rather than a feature.

answered 2012-06-23 00:56:48 -0600

lin-hua-cheng

Instead of directly updating the trust store in the httplib2 library, you can set the trust store in the settings file.

Here is what I did on my setup.

    import httplib2
    httplib2.CA_CERTS = "<path to the trust store>"  # absolute path to a PEM CA bundle file

On deployment, I just update the settings file to match the certificates for the particular environment.

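As an added example (not from this thread or the Horizon project), a small stdlib-only helper that builds the single PEM file httplib2.CA_CERTS expects. The point it illustrates is that the setting replaces httplib2's default bundle rather than adding to it, so the organisation's root has to be merged with the roots you still need: it concatenates several PEM sources, drops blocks whose base64 body will not decode and de-duplicates by DER hash. The certificate blocks are constructed stand-ins and the /etc/openstack-dashboard/ca-bundle.pem path is an assumed deployment path.

```python
import base64
import hashlib
import re
import ssl

# One PEM block; the body is everything between the BEGIN and END markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.+?)\r?\n-----END CERTIFICATE-----", re.DOTALL)


def parse_pem_bundle(text):
    """Return (sha256-of-DER, pem_block) for every block whose body decodes."""
    certs = []
    for match in PEM_BLOCK.finditer(text):
        pem = match.group(0)
        try:
            der = ssl.PEM_cert_to_DER_cert(pem)
        except ValueError:  # bad base64 (binascii.Error is a ValueError)
            continue  # skip the block rather than let it poison the bundle
        certs.append((hashlib.sha256(der).hexdigest(), pem))
    return certs


def merge_bundles(*sources):
    """Concatenate PEM texts into one bundle, de-duplicated by DER hash."""
    seen, out = set(), []
    for text in sources:
        for fingerprint, pem in parse_pem_bundle(text):
            if fingerprint not in seen:
                seen.add(fingerprint)
                out.append(pem)
    return "".join(pem + "\n" for pem in out)


def _fake_pem(label):
    """Constructed stand-in for a certificate: base64 text, not real X.509."""
    body = base64.encodebytes(label.encode()).decode().strip()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % body


# Constructed sample input: a "distro" bundle with one truncated block, and the
# organisation's file, which repeats the public root on purpose.
ORG_ROOT = _fake_pem("constructed: organisation root CA")
PUBLIC_ROOT = _fake_pem("constructed: a public root CA")
BROKEN = "-----BEGIN CERTIFICATE-----\nQUJDRA\n-----END CERTIFICATE-----"
SYSTEM_BUNDLE = PUBLIC_ROOT + "\n" + BROKEN + "\n"
ORG_BUNDLE = ORG_ROOT + "\n" + PUBLIC_ROOT + "\n"

if __name__ == "__main__":
    # Write the merged file, then point Horizon at it from local_settings.py
    # (assumed path):  import httplib2; httplib2.CA_CERTS = "/etc/openstack-dashboard/ca-bundle.pem"
    with open("ca-bundle.pem", "w") as fh:
        fh.write(merge_bundles(SYSTEM_BUNDLE, ORG_BUNDLE))
```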
answered 2012-02-16 01:41:41 -0600

If you didn't explicitly add your key to the other parts of the system, I'd argue that each of those systems has the extremely serious bug of not checking the SSL keys in use. False sense of security is often worse than no security at all. Both of these sound like they're the case...


Seen: 286 times

Last updated: Jun 23 '12