rdo ssl issue: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

asked 2014-04-07 17:14:26 -0500


updated 2014-04-09 17:41:29 -0500

I've installed from RDO.

When I try to run swift list:

    $ swift list
    Account GET failed: https://192.168.100.30/v1/AUTH_9eaf98abb5254492b0acedcc6585d4f0?format=json
         401 Unauthorized  [first 60 chars of response] <html><h1>Unauthorized</h1><p>This server could not verify t

On the swift proxy I get:

    Apr  7 16:08:09 swift-proxy-01 proxy-server: Retrying on HTTP connection exception: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Apr  7 16:08:10 swift-proxy-01 proxy-server: Retrying on HTTP connection exception: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Apr  7 16:08:11 swift-proxy-01 proxy-server: Retrying on HTTP connection exception: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Apr  7 16:08:13 swift-proxy-01 proxy-server: HTTP connection exception: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Apr  7 16:08:13 swift-proxy-01 proxy-server: Authorization failed for token 656cdba006064507927452b6c0430f8f
    Apr  7 16:08:13 swift-proxy-01 proxy-server: Invalid user token - deferring reject downstream

Is it a problem with how keystone-manage ssl_setup works in the RDO version maybe?

UPDATE:

(this is a test system so showing tokens is ok)

If I take the cacert from the keystone server, put it onto the proxy server and use that with keystone, keystone is OK without the --insecure.

Seems like I have to tell swift-proxy to allow insecure certs?

    [root@swift-proxy-01 swift]# keystone --os-cacert ~/ca.pem token-get
    +-----------+----------------------------------+
    |  Property |              Value               |
    +-----------+----------------------------------+
    |  expires  |       2014-04-10T22:37:27Z       |
    |     id    | ef6e4e7930754188af35d8350ac85a23 |
    | tenant_id | 9eaf98abb5254492b0acedcc6585d4f0 |
    |  user_id  | 4b5abb3a1e9a423a921903a15d47f3ad |
    +-----------+----------------------------------+
    [root@swift-proxy-01 swift]# keystone token-get
    Authorization Failed: Unable to establish connection to https://192.168.100.50:35357/v2.0/tokens

Comments

Yes, every client that talks to keystone should pass os-cacert or set the corresponding env variable. That's what I gave you in the answer.

Haneef Ali (2014-04-09 18:07:08 -0500)

Ok, but how to do that with swift-proxy?

serverascode (2014-04-09 18:11:43 -0500)

SSL certs are issued by a CA. So the client needs the CA certs in order to trust the server. In devstack/RDO, it is a self-signed CA. It so happens that all the clients (swift/nova/keystone) take the CA certs location either from the env variable (OS_CACERT) or via the parameter os-cacert. As long as the variable points to the correct CA, you don't need to use the --insecure option.

If you are using real certs signed by a public CA such as Verisign, GoDaddy, etc., then you don't need to use this variable, as the OS by default has these CAs installed and the python library takes them from the default location.

Haneef Ali (2014-04-09 23:00:15 -0500)

To tell swift-proxy to allow insecure certs when talking to Keystone, set the insecure parameter [1] in the [filter:authtoken] section in /etc/swift/proxy-server.conf

[1] https://github.com/openstack/python-k...

Alan Pevec (2014-04-10 01:44:08 -0500)

If you look at the file, there is an option for cafile. Set this to point to your CA certs in the [filter:authtoken] middleware.

https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py

Haneef Ali (2014-04-10 11:04:51 -0500)

2 answers


answered 2014-04-10 19:04:38 -0500


updated 2014-04-10 19:05:20 -0500

If you look in the comments you can see Alan Pevec's answer which is the solution that I was looking for.

To tell swift-proxy to allow insecure certs when talking to Keystone, set the insecure parameter [1] in the [filter:authtoken] section in /etc/swift/proxy-server.conf
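The two comments above name two knobs in the auth_token middleware: insecure (skip verification) and cafile (trust the CA that signed the Keystone cert). The fragment below is an added illustration for /etc/swift/proxy-server.conf, not the original poster's configuration; the Keystone address and CN are the ones from this page, while the admin credentials and the CA file path are assumed placeholders.

```ini
# /etc/swift/proxy-server.conf (fragment, added example)
# Keystone is assumed at https://192.168.100.50:35357 with a certificate
# whose CN is 192.168.100.50, as shown earlier in this thread. The
# auth_host value must match that CN (a CN of localhost would not verify
# against this address even with the right cafile).
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_protocol = https
auth_host = 192.168.100.50
auth_port = 35357
# Placeholder service credentials; use the ones created for swift.
admin_tenant_name = service
admin_user = swift
admin_password = PLACEHOLDER_PASSWORD

# Preferred: verify Keystone's certificate against the CA that issued it.
# This is the same ca.pem that made "keystone --os-cacert ~/ca.pem
# token-get" succeed on the proxy host; the path is an assumption.
cafile = /etc/swift/ca.pem

# Dev/test-only alternative: disable certificate verification entirely.
# With this on, the proxy accepts any certificate, so it cannot tell
# Keystone from a host impersonating it. Leave it commented out and use
# cafile instead wherever the CA can be distributed.
# insecure = true
```

Restart the proxy-server service after editing so the middleware re-reads the section.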

answered 2014-04-07 17:30:14 -0500

keystone-manage ssl_setup uses a self-signed cert. Self-signed certs are for development/test. Default ssl certs generated by keystone-manage will have CN=localhost. So it will work only if you use the keystone url as localhost, provided you have set up the proper CA CERT location. Your best bet is to use the "insecure" option.

Comments

Yeah, I am using it in dev/test. I did supply a cert_subject line.

    [root@swift-keystone-01 keystone]# grep cert_subject keystone.conf
    cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=192.168.100.50

Would I add an option to the proxy config to allow insecure certs then?

serverascode (2014-04-07 17:32:59 -0500)

First you need to know whether it is failing in keystone or swift. Looks like your swift is also ssl. You need to find out the CN of the keystone cert. If the CN=192.168.100.50, then it will work if you use the IP address. Just make sure you set the OS_CACERT variable to point to your CA certificate.

You can also refer to this thread for reference: https://ask.openstack.org/en/question/25721/havana-keystone-ssl-problem/#25722

Haneef Ali (2014-04-07 17:49:02 -0500)

It is using the IP address. Unfortunately the thread you show does not have a resolution in it. But I'll keep looking... thanks :)

serverascode (2014-04-07 19:29:21 -0500)

Hi, were you able to solve the issue?

G-user (2016-08-04 07:33:38 -0500)
