
Errors devstack stable/liberty install behind proxy self-signed ssl certificate

asked 2016-02-01 12:43:55 -0500

victorx

I'm trying to install DevStack stable/liberty on my Ubuntu 14.4.03 Trusty (all-in-one VM). My Ubuntu is behind a proxy that is a purposeful MITM with self signed certificates. I set http_proxy, https_proxy, no_proxy in .bashrc. I set defaults env_keep with sudo visudo. I changed git://git to https://git for GIT_BASE in stackrc. But when I ran ./stack.sh, I got the error below.

Is there a way to set no ssl verify wholesale to run the entire stack.sh? If not, how many places do I need to disable checking self-signed certificates so stack.sh won't fail? Or, how many places do I need to accept the self-signed certificates? Thanks in advance for any tips or suggestions.

Errors:

    /tmp/tmpNqoXHr/pip.zip/pip/_vendor/requests/packages/urllib3/util/ssl_.py:315: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.
    /tmp/tmpNqoXHr/pip.zip/pip/_vendor/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
    Could not fetch URL https://pypi.python.org/simple/pip/: There was a problem confirming the ssl certificate: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed - skipping
    Could not find a version that satisfies the requirement pip<8 (from -c /home/vx/devstack-stable-liberty/tools/cap-pip.txt (line 1)) (from versions: )
    No matching distribution found for pip<8 (from -c /home/vx/devstack-stable-liberty/tools/cap-pip.txt (line 1))
    stack.sh failed:


2 answers


answered 2016-02-07 23:59:24 -0500

聪明健康

updated 2016-02-14 17:01:14 -0500

Most likely your corporate firewall has captured the SSL certificate and reissued another certificate of its own back to your machine. (Your Linux distro is doing the right thing, because your corporation is actually pretending to be the owner of the site from which the installer is trying to download the package, when it is actually not. What this means is that your corporation's proxy servers can decrypt and spy on your requests to the sites.)

What you can do is the following:

  1. Ask your corporation for the certificate (which they always capture and issue back to you). You should also be able to physically save this certificate as a crt file: visit any https website (within your corporation's network) in a browser, and use your browser to download the certificate file as a crt file.
  2. Install (import) the certificate on your Linux machine. You can follow the instructions on this site (http://kb.kerio.com/product/kerio-con...).
  3. You have to do two things here.

     3.1 First thing: you have to make a couple of changes in several files to specify the certificate location.

    Details on the files to change to specify the certificate location

    Assuming you've already set up your proxy correctly:

    devstack/inc/python: line 151-157, insert "--cert=<certificate_location> \" after "$cmd_pip $upgrade \". In my case, my <certificate_location> is /etc/ssl/certs/ca-certificates.crt

    devstack/inc/python: line 165-171, insert "--cert=<certificate_location> \" after "$cmd_pip $upgrade \". In my case, my <certificate_location> is /etc/ssl/certs/ca-certificates.crt

    devstack/tools/install_pip.sh: line 80, change this line to something like sudo -H -E python $LOCAL_PIP --cert=<certificate_location> -c $TOOLS_DIR/cap-pip.txt . In my case, my <certificate_location> is /etc/ssl/certs/ca-certificates.crt

    Note: some of the files might be downloaded during installation. If they are, make the changes after they are downloaded (if none of these files are downloaded during installation, good, it just makes life easier). Also, if your installation is using python3, you should make similar changes to the python3 locations in the files; they should be right next to the locations specified above.

     3.2 Second thing: create a configuration file for pip at location ~/.pip/pip.conf. In the pip.conf file you need to specify the location of the SSL certificates. It should look something like the below:

    [global]

    cert = <certificate_location>

    For me the <certificate_location> is /etc/ssl/certs/ca-certificates.crt


answered 2016-02-12 13:42:20 -0500

victorx

I exported pip_cert=/etc/ssl/certs/ca-certificates.crt among other things and as a result the stack.sh script was able to proceed. Thanks 聪明健康 for your tips.


Comments

Glad it worked ;)

I still had some problems getting tempest (the integration testing tool) to work (so I disabled the tempest service in order to get openstack to install successfully). If I put the export pip_cert=/etc/ssl/certs/ca-certificates.crt inside the stack.sh, would that help? :)

聪明健康 (2016-02-26 00:39:07 -0500)

I would not modify stack.sh. I would put export pip_cert in .bashrc.

victorx (2016-03-02 07:34:53 -0500)
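
The approach the answers above converge on (give pip a CA bundle through pip.conf or the environment instead of disabling verification), as an added example that is not part of the original posts or of DevStack. It adds the proxy CA to a bundle only if its SHA-256 fingerprint matches one obtained out of band, then writes the `[global] cert` setting. The file names, the pinned fingerprint and the sample PEM body are constructed, and `PIP_CERT` is pip's environment form of `--cert`.

```python
import base64, configparser, hashlib, re, ssl, tempfile
from pathlib import Path

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

# Constructed stand-in for the proxy CA: valid PEM framing, not a real certificate.
SAMPLE_DER = b"constructed proxy CA bytes, not a real certificate"
SAMPLE_CA = ("-----BEGIN CERTIFICATE-----\n"
             + base64.encodebytes(SAMPLE_DER).decode()
             + "-----END CERTIFICATE-----\n")

def sha256_fingerprints(pem_text):
    """SHA-256 (lowercase hex) over the DER bytes of every PEM block."""
    return [hashlib.sha256(ssl.PEM_cert_to_DER_cert(b)).hexdigest()
            for b in PEM_BLOCK.findall(pem_text)]

def trust_proxy_ca(ca_file, expected_fp, bundle, pip_conf):
    """Add the proxy CA to `bundle` and point pip at it, but only when its
    fingerprint matches the one obtained out of band (e.g. from the IT team)."""
    pem = Path(ca_file).read_text()
    want = expected_fp.replace(":", "").lower()
    fps = sha256_fingerprints(pem)
    if want not in fps:
        raise ValueError(f"fingerprint mismatch, not trusting {ca_file}")
    block = PEM_BLOCK.findall(pem)[fps.index(want)]
    bundle = Path(bundle)
    current = bundle.read_text() if bundle.exists() else ""
    current = current and current.rstrip("\n") + "\n"
    if want not in sha256_fingerprints(current):      # idempotent append
        bundle.write_text(current + block + "\n")
    # Same setting as the answer's ~/.pip/pip.conf: [global] cert = <bundle>
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(pip_conf)                                # keeps existing options
    if not cfg.has_section("global"):
        cfg.add_section("global")
    cfg["global"]["cert"] = str(bundle)
    Path(pip_conf).parent.mkdir(parents=True, exist_ok=True)
    with open(pip_conf, "w") as fh:
        cfg.write(fh)
    # pip reads PIP_<OPTION> from the environment; git reads GIT_SSL_CAINFO.
    return {"PIP_CERT": str(bundle), "GIT_SSL_CAINFO": str(bundle)}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:        # hypothetical paths
        ca = Path(tmp, "proxy-ca.crt")
        ca.write_text(SAMPLE_CA)
        pinned = hashlib.sha256(SAMPLE_DER).hexdigest()
        print(trust_proxy_ca(ca, pinned, Path(tmp, "bundle.crt"), Path(tmp, "pip.conf")))
```

Rewriting pip.conf through `configparser` keeps existing options but drops comments in the file.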


Stats

Asked: 2016-02-01 12:43:55 -0500

Seen: 1,751 times

Last updated: Feb 14 '16