Merge ~nicolasbock/stsstack-bundles:novarc_ssl into stsstack-bundles:master

Proposed by Nicolas Bock
Status: Rejected
Rejected by: Edward Hope-Morley
Proposed branch: ~nicolasbock/stsstack-bundles:novarc_ssl
Merge into: stsstack-bundles:master
Diff against target: 26 lines (+2/-2)
2 files modified
openstack/novarc (+1/-1)
openstack/tools/install_local_ca.sh (+1/-1)
Reviewers:
Felipe Reyes: Needs Fixing
Edward Hope-Morley: Pending
Review via email: mp+400996@code.launchpad.net
Felipe Reyes (freyes) wrote :

If we'll be setting the environment variable, what would be the point of installing the certificate in the system's store? Without setting the env variable, things should just work(tm). Do you have a use case where things weren't working without it?

review: Needs Fixing
Nicolas Bock (nicolasbock) wrote :

> If we'll be setting the environment variable, what would be the point of
> installing the certificate in the system's store? Without setting the env
> variable, things should just work(tm). Do you have a use case where things
> weren't working without it?

Those are good points. My reproducer is

./generate-bundle ... --ssl

source novaarc

openstack token issue

I am getting

Failed to discover available identity versions when contacting https://10.5.100.0:5000/v3. Attempting to parse version from URL.
SSL exception connecting to https://10.5.100.0:5000/v3/auth/tokens: HTTPSConnectionPool(host='10.5.100.0', port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)')))

Nicolas Bock (nicolasbock) wrote :

The local cert is properly linked from /etc/ssl/certs so I don't actually understand why the openstack client is not using this cert.

Nicolas Bock (nicolasbock) wrote :

I removed the export and left the other part. Please re-review.

Edward Hope-Morley (hopem) :
Nicolas Bock (nicolasbock) :
Edward Hope-Morley (hopem) wrote :

Resolved in commit db5491ef1b123741c6d25a8b5d6c3ab6d52f03d2

Unmerged commits

482bf02... by Nicolas Bock

Do not swallow stdout when calling CA cert script

In case there is more than one CA cert folder, the
`install_local_ca.sh` script prints the folders it found. This is not
visible to the user if the `novarc` script redirects stdout to
`/dev/null`.

Signed-off-by: Nicolas Bock <email address hidden>

Preview Diff

1diff --git a/openstack/novarc b/openstack/novarc
2index 5e931de..4ef2feb 100644
3--- a/openstack/novarc
4+++ b/openstack/novarc
5@@ -33,7 +33,7 @@ fi
6
7 if [ "${OS_AUTH_PROTOCOL:-}" = "https" ]; then
8 echo -n "INFO: installing certificate authority for this deployment..."
9- ${scriptdir}/tools/install_local_ca.sh 1>/dev/null
10+ ${scriptdir}/tools/install_local_ca.sh
11 echo done.
12 fi
13
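Review bot: With the redirect dropped from the `${scriptdir}/tools/install_local_ca.sh` call, anything the script prints lands on the same line as the preceding `echo -n "INFO: installing certificate authority for this deployment..."`, and `echo done.` still runs unconditionally, so a failed CA install is reported as done. Suggest ending the INFO line with a newline before the call (or having the script send its informational messages to stderr), quoting the path as "${scriptdir}/tools/install_local_ca.sh", and printing "done." only when the script returns 0, with a visible failure message otherwise.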
14diff --git a/openstack/tools/install_local_ca.sh b/openstack/tools/install_local_ca.sh
15index f7a780d..94205cf 100755
16--- a/openstack/tools/install_local_ca.sh
17+++ b/openstack/tools/install_local_ca.sh
18@@ -30,7 +30,7 @@ fi
19
20 if [ -n "$model_ca_cert_path" ]; then
21 if [ ! -f /usr/local/share/ca-certificates/cacert.crt ] || [ $(md5sum $model_ca_cert_path | awk '{print $1}') != $(md5sum /usr/local/share/ca-certificates/cacert.crt | awk '{print $1}') ]; then
22- echo "INFO: installing stsstack-bundles openstack CA from /usr/local/share/ca-certificates/cacert.crt"
23+ echo "INFO: installing stsstack-bundles openstack CA to /usr/local/share/ca-certificates/cacert.crt"
24 sudo cp ${model_ca_cert_path} /usr/local/share/ca-certificates/cacert.crt
25 sudo chmod 644 /usr/local/share/ca-certificates/cacert.crt
26 sudo update-ca-certificates --fresh 1>/dev/null
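Review bot: The reworded echo names the destination correctly but still does not say which certificate is being added to the system trust store; since the next lines run `sudo cp` and `sudo update-ca-certificates --fresh`, the message should include the source as well, for example "installing stsstack-bundles openstack CA from ${model_ca_cert_path} to /usr/local/share/ca-certificates/cacert.crt". In the context line above it, `$model_ca_cert_path` and both `$(md5sum ...)` substitutions are unquoted inside `[ ... ]`, so a path containing spaces or an unreadable file turns the comparison into a test error rather than a clean mismatch; `cmp -s "$model_ca_cert_path" /usr/local/share/ca-certificates/cacert.crt` performs the same check without md5sum and awk. `${model_ca_cert_path}` in the `sudo cp` line should be quoted as well.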
