Certificate file passed via --os-cacert ignored

Bug #1603964 reported by Liam Young
This bug affects 2 people
Affects: python-barbicanclient | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

I have a Barbican install using Apache with mod_wsgi to serve the API service and for SSL termination. I'm using a self-signed certificate and key and have the certificate authority file on both the client and the server. When I query the API the client returns:

SSL exception connecting to https://10.5.15.73:9311/secrets: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/cliff/app.py", line 374, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/dist-packages/cliff/display.py", line 92, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python2.7/dist-packages/barbicanclient/barbican_cli/secrets.py", line 107, in take_action
    args.bit_length)
  File "/usr/lib/python2.7/dist-packages/barbicanclient/secrets.py", line 511, in list
    response = self._api.get(self._entity, params=params)
  File "/usr/lib/python2.7/dist-packages/barbicanclient/client.py", line 71, in get
    return super(_HTTPClient, self).get(*args, **kwargs).json()
  File "/usr/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 170, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/dist-packages/barbicanclient/client.py", line 63, in request
    resp = super(_HTTPClient, self).request(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 95, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/dist-packages/keystoneclient/utils.py", line 337, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/keystoneclient/session.py", line 386, in request
    resp = send(**kwargs)
  File "/usr/lib/python2.7/dist-packages/keystoneclient/session.py", line 426, in _send_request
    raise exceptions.SSLError(msg)
SSLError: SSL exception connecting to https://10.5.15.73:9311/secrets: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I have looked into this and for some reason the Barbican client appears to not be passing the local CA file to the keystone middleware. I added a small piece of debug to _send_request in keystoneclient/session.py to echo back the value of **kwargs. Using SSL with a working client (like glance) I see:

verify = /home/ubuntu/layer-ssl/glance/myCA/cacert.pem

But for Barbican I see:

verify = True

If I edit _send_request and override 'verify' in kwargs to point at the local CA file then Barbican works again. The barbican client also works if I specify '--insecure'.

Revision history for this message
Liam Young (gnuoy) wrote :

I'm seeing the issue with barbican 4.0.1.

$ barbican --version
barbican 4.0.1

$ barbican --os-cacert /home/ubuntu/cert.pem secret list
Starting new HTTP connection (1): 10.5.15.67
Starting new HTTPS connection (1): 10.5.15.73
Failed to contact the endpoint at https://10.5.15.73:9311 for discovery. Fallback to using that endpoint as the base url.
Starting new HTTPS connection (2): 10.5.15.73
SSL exception connecting to https://10.5.15.73:9311/secrets: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

However, pip installing the openstack client and python-barbicanclient results in a working client:

sudo apt-get install python-dev python-pip
sudo pip install python-openstackclient
sudo pip install python-barbicanclient

openstack --os-cacert /home/ubuntu/cert.pem secret list

$ sudo pip freeze | grep -E 'barbi|keystone|openstack'
keystoneauth1==2.9.0
openstacksdk==0.9.0
python-barbicanclient==4.0.1
python-keystoneclient==3.2.0
python-openstackclient==2.6.0

Revision history for this message
Christoph Fiehe (fiehe) wrote :

I am currently facing the same problem in my freshly installed OpenStack Newton environment based on Ubuntu 16.04. I am using HaProxy with SSL termination in conjunction with a certificate that was signed by a private CA.

export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=XYZ
export OS_AUTH_URL=http://os-identity:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
export OS_INTERFACE=internal
export OS_ENDPOINT_TYPE=internalURL
export OS_CACERT=ca-bundle.crt

$ barbican secret list --debug --verbose
found extension EntryPoint.parse('table = cliff.formatters.table:TableFormatter')
found extension EntryPoint.parse('json = cliff.formatters.json_format:JSONFormatter')
found extension EntryPoint.parse('csv = cliff.formatters.commaseparated:CSVLister')
found extension EntryPoint.parse('value = cliff.formatters.value:ValueFormatter')
found extension EntryPoint.parse('yaml = cliff.formatters.yaml_format:YAMLFormatter')
Creating Client object
Listing secrets - offset 0 limit 10
Making authentication request to http://os-identity:35357/v3/auth/tokens
Starting new HTTP connection (1): os-identity
"POST /v3/auth/tokens HTTP/1.1" 201 9409
{"token": {"is_domain": false, "methods": ["password"], "roles": [{"id": "fb20e9e62be542a6811633eee89e2522", "name": "admin"}], "expires_at": "2016-10-20T07:02:00.000000Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "d332c49688364651a7fca7c866a3f933", "name": "admin"}, "catalog": [{"endpoints": [{"url": "http://os-share.mycompany.com:8786/v2/d332c49688364651a7fca7c866a3f933", "interface": "internal", "region": "RegionOne", "region_id": "RegionOne", "id": "4a3f1119cf8c474497fd0eed7ad169ca"}, {"url": "http://os-share.mycompany.com:8786/v2/d332c49688364651a7fca7c866a3f933", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "9f84336b5e4a41a5b3f78801da161859"}, {"url": "https://os-cloud.mycompany.com:8786/v2/d332c49688364651a7fca7c866a3f933", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "a875805c09d5488e8d9ee2059a0019a7"}], "type": "sharev2", "id": "25282b680d3a4cf6937d835c45abca91", "name": "manilav2"}, {"endpoints": [{"url": "http://os-telemetry.mycompany.com:8777", "interface": "internal", "region": "RegionOne", "region_id": "RegionOne", "id": "8eb09f9526504b6b99e0d3a8eb9d61e8"}, {"url": "http://os-telemetry.mycompany.com:8777", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "ec4d14282af341378b5afea5dc1125d8"}, {"url": "https://os-cloud.mycompany.com:8777", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "f11ab122167544f3baaa0213ac52c9af"}], "type": "metering", "id": "3251920fb8a34543855a121e4f597110", "name": "ceilometer"}, {"endpoints": [{"url": "http://os-compute.mycompany.com:8774/v2.1/d332c49688364651a7fca7c866a3f933", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "1d3917f4c04d4eb4976160232a12cc6e"}, {"url": "http://os-compute.mycompany.com:8774/v2.1/d332c49688364651a7fca7c866a3f933", "interface": "internal", "region": "RegionOne", "reg...
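Both the original report (the `verify = True` seen in `_send_request` despite `--os-cacert`) and the comment above (`OS_CACERT` set in the environment and still ignored) come down to the same thing: the CLI is not threading the CA bundle into the keystone Session it hands to the Barbican HTTP client, so `requests` falls back to its default trust store and a private-CA-signed server certificate fails verification. The following is an added example, not code from python-barbicanclient or from either commenter. It models how the `verify` value is resolved from `--os-cacert`, `--insecure` and `OS_CACERT` (the precedence is an assumption chosen to match the observed behaviour: `--insecure` disables verification, an explicit path wins over the environment, and nothing set means `True`), and it shows the workaround of building the `keystoneauth1` Session yourself with `verify` set and passing it to `barbicanclient.client.Client`. The auth URL, credentials and endpoint in the usage comment are placeholders taken from the page, not a tested deployment.

```python
"""Resolve the TLS `verify` value the OpenStack clients pass to requests,
and build a Barbican client whose Session actually carries the CA bundle.

Added example for this bug report; not the project's own code.  The
precedence rules and the endpoint/credential values are assumptions.
"""
import os


def resolve_verify(cacert=None, insecure=False, environ=None):
    """Return what keystoneauth1.session.Session(verify=...) should get.

    insecure       -> False  (no verification; what --insecure does)
    cacert given   -> path   (explicit --os-cacert wins over the env)
    OS_CACERT set  -> path   (from the environment)
    nothing set    -> True   (requests' bundled CA store, in which a
                              private CA is absent, hence the failure)
    """
    if insecure:
        return False
    if cacert:
        return cacert
    env = os.environ if environ is None else environ
    if env.get("OS_CACERT"):
        return env["OS_CACERT"]
    return True


def explain_outcome(verify, ca_is_private):
    """Predict the handshake result for a resolved verify value.

    ca_is_private: True when the server cert chains to a CA that is not
    in the default trust store (self-signed or company CA, as on this page).
    """
    if verify is False:
        return "connects without certificate verification"
    if verify is True and ca_is_private:
        return "fails: certificate verify failed"
    return "verifies against %s" % verify


def make_barbican_client(auth_url, username, password, project_name, endpoint,
                         cacert=None, insecure=False,
                         user_domain_name="default", project_domain_name="default"):
    """Build a barbicanclient Client on a Session that carries `verify`.

    Imports are deferred so the two helpers above stay usable without the
    OpenStack libraries installed.  The CLI on this page drops `verify`
    between its argument parsing and this Session; constructing the
    Session here keeps the CA bundle attached to every request.
    """
    from keystoneauth1 import session as ks_session
    from keystoneauth1.identity import v3
    from barbicanclient import client as barbican_client

    auth = v3.Password(auth_url=auth_url, username=username, password=password,
                       project_name=project_name,
                       user_domain_name=user_domain_name,
                       project_domain_name=project_domain_name)
    verify = resolve_verify(cacert=cacert, insecure=insecure)
    sess = ks_session.Session(auth=auth, verify=verify)
    # An explicit endpoint skips the version discovery request that the
    # CLI output shows failing before the real call.
    return barbican_client.Client(session=sess, endpoint=endpoint)


if __name__ == "__main__":
    cases = ({}, {"cacert": "/home/ubuntu/cert.pem"}, {"insecure": True})
    for flags in cases:
        v = resolve_verify(environ={}, **flags)
        print(flags, "->", repr(v), ":", explain_outcome(v, ca_is_private=True))
    # Live use (assumed values from this page; needs a real deployment):
    # c = make_barbican_client("http://os-identity:35357/v3", "admin", "XYZ",
    #                          "admin", "https://10.5.15.73:9311",
    #                          cacert="/home/ubuntu/cert.pem")
    # for s in c.secrets.list():
    #     print(s.name)
```

The quick check for the same symptom from the shell is `openssl s_client -connect 10.5.15.73:9311 -CAfile /home/ubuntu/cert.pem`: if that verifies, the server side is fine and the problem is the client not passing the bundle, which is what the `verify = True` debug output above already indicates.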
