python-novaclient SSL CA certificate validation

Bug #1025724 reported by Jose Castro Leon
This bug affects 1 person
Affects            Status   Importance  Assigned to  Milestone
python-novaclient  Invalid  Undecided   Unassigned

Bug Description

Following the commit by Adam Young, we discovered that python-novaclient tries to validate the CA chain
(https://github.com/openstack/keystone/commit/8de61f8af43563b1d93291c868634810d9e42902)

So in case the CA certificate is not bundled with the distribution, it refuses to do any operation due to the invalid certificate chain.

This could be solved by specifying an extra parameter with the CA chain in python-novaclient and passing it to the httplib2 component,
or by bypassing the CA certificate validation:

--- novaclient/client.py.orig 2012-07-13 16:44:17.401494239 +0200
+++ novaclient/client.py 2012-07-13 16:44:41.172496060 +0200
@@ -57,7 +57,7 @@

         # httplib2 overrides
         self.force_exception_to_status_code = True
- self.disable_ssl_certificate_validation = insecure
+ self.disable_ssl_certificate_validation = True

     def http_log(self, args, kwargs, resp, body):
         if 'NOVACLIENT_DEBUG' in os.environ and os.environ['NOVACLIENT_DEBUG']:
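
Review bot: The `+` line hardcodes `self.disable_ssl_certificate_validation = True` and no longer reads the `insecure` argument, so certificate validation is switched off for every connection this client makes, including callers that never asked for it. Keep the assignment from `insecure` so the opt-out stays explicit, and cover a CA that is missing from the distribution by adding a parameter for the CA chain and passing it to httplib2, which is the first option the report itself proposes.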

Jose Castro Leon (jose-castro-leon) wrote :

I have just noticed that if --insecure is specified it does not validate the CA chain.

Changed in python-novaclient:
status: New → Invalid
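
The two options raised in this report, side by side, as an added example that is not python-novaclient code: trusting an extra CA bundle while validation stays on, versus an explicit opt-out. It uses the standard library `ssl` module rather than httplib2, and the names `build_tls_context`, `cacert` and `is_verifying` are hypothetical.

```python
import ssl


def build_tls_context(insecure=False, cacert=None):
    """Build the TLS context for an API client (illustrative helper).

    insecure mirrors the client's --insecure flag. cacert is an assumed
    option naming a PEM bundle for a CA the distribution does not ship.
    """
    if insecure and cacert:
        # A CA bundle is meaningless once validation is off. Refuse the
        # ambiguous combination instead of silently ignoring one option.
        raise ValueError("cacert and insecure are mutually exclusive")

    # create_default_context() starts with chain validation and hostname
    # checking enabled, trusting the system CA store.
    ctx = ssl.create_default_context()

    if insecure:
        # Explicit opt-out requested by the caller for this client only.
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx

    if cacert:
        # Add the private CA to the trust store; validation stays on.
        try:
            ctx.load_verify_locations(cafile=cacert)
        except (OSError, ssl.SSLError) as exc:
            # Fail closed: a missing or unparsable bundle must not fall
            # back to an unverified connection.
            raise ValueError("cannot load CA bundle %r: %s" % (cacert, exc))
    return ctx


def is_verifying(ctx):
    """Return (chain_validated, hostname_checked) for a context."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED, ctx.check_hostname)
```
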