OpenStack CLI Failed SSL Verification

ptsw · Oct 24, 2016 · Viewed 8.4k times

When executing an openstack command, it is failing to verify a certificate that was signed by an internal CA.

CentOS 7
Root CA installed in /etc/pki/ca-trust/source/anchors
openstack 3.3.0

$ openstack server list
Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL. SSL exception connecting to https://XXXXX :13000/v2.0/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)

I hit the URL from a browser and downloaded the certificate. Then I ran openssl verify successfully.

$ openssl verify -CAfile /etc/ssl/certs/ca-bundle.trust.crt 10.92.50.11.crt
10.92.50.11.crt: OK

Does the root CA need to be placed in another area for the command line to pick it up?

Answer

ptsw · Oct 25, 2016

Explicitly pointing at the CA certificate by setting OS_CACERT did the trick. Other people in my environment didn't have to do this. I'm not sure why it was necessary, but that's what fixed my issue.

export OS_CACERT=/path/to/ca.crt

Reference: http://docs.openstack.org/user-guide/common/cli-set-environment-variables-using-openstack-rc.html
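
A diagnostic for the situation above, added here as an example and not part of the original question or answer: it fingerprints an internal CA certificate and reports which of the CA files a Python client may consult actually contain it. It assumes the client is built on the requests library (so REQUESTS_CA_BUNDLE, CURL_CA_BUNDLE and certifi are relevant), which the page does not state; the script name find_ca.py is hypothetical.

```python
import base64, hashlib, os, re, ssl, sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 of the DER bytes of every CERTIFICATE block in a PEM text."""
    return {hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)}

def candidate_bundles(env):
    """CA files a requests-based client may consult, explicit overrides first.
    Assumption: OS_CACERT (from the page) plus the variables requests honours."""
    names = ("OS_CACERT", "REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")
    found = [(n, env[n]) for n in names if env.get(n)]
    try:
        import certifi  # CA list shipped with pip-installed requests
        found.append(("certifi", certifi.where()))
    except ImportError:
        pass
    default = ssl.get_default_verify_paths().cafile
    if default:
        found.append(("ssl default", default))
    return found

def read_text(path):
    # latin-1 decoding never fails on comment lines that some bundles carry
    with open(path, encoding="latin-1") as fh:
        return fh.read()

def find_ca(ca_pem, bundles, read=read_text):
    """Return (source, path, present) per bundle; present is None if unusable."""
    wanted = fingerprints(ca_pem)
    report = []
    for source, path in bundles:
        try:
            present = bool(wanted) and wanted <= fingerprints(read(path))
        except (OSError, ValueError):  # missing, unreadable or malformed file
            present = None
        report.append((source, path, present))
    return report

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: find_ca.py /path/to/ca.crt")
    ca = read_text(sys.argv[1])
    for source, path, present in find_ca(ca, candidate_bundles(os.environ)):
        print(f"{source:20} {path}: {'unusable' if present is None else present}")
```

A bundle reported as False is one that does not contain the internal root, so a client that falls back to it will fail verification unless a CA file is set explicitly.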