
OpenStack KeyStone SSL Exception When Creating an Instance of KeyStone

I create an instance of KeyStone like so:

import cherrypy
from keystoneauth1 import session as session
from keystoneclient.v3 import client as client
from keystoneauth1.identity import v3

# KEYSTONE_URL and OPENSTACK_DEFAULT_DOMAIN are configuration constants not shown in the post.
auth = v3.Password(
    auth_url=KEYSTONE_URL,
    username=cherrypy.session['username'],
    password=cherrypy.session['password'],
    user_domain_name=OPENSTACK_DEFAULT_DOMAIN,
    project_name='admin',
    project_id='c9aee696c4b54f12a645af2c951327dc',
    project_domain_name='default')
sess = session.Session(auth=auth)
keystoneClient = client.Client(session=sess)

When I perform this code as well:

projectList = keystoneClient.projects.list()
print projectList

The following error occurs:

HTTP Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cherrypy/_cprequest.py", line 656, in respond
    response.body = self.handler()
  File "/usr/lib/python2.7/site-packages/cherrypy/lib/encoding.py", line 188, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/cherrypy/lib/jsontools.py", line 61, in json_handler
    value = cherrypy.serving.request._json_inner_handler(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/cherrypy/_cpdispatch.py", line 34, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/var/www/frontend/controllers/api/user.py", line 58, in PUT
    projectList = keystoneClient.projects.list()
  File "/usr/lib/python2.7/site-packages/positional/__init__.py", line 101, in inner
    return wrapped(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/v3/projects.py", line 107, in list
    **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 75, in func
    return f(*args, **new_kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 383, in list
    self.collection_key)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 124, in _list
    resp, body = self.client.get(url, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 173, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 331, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 98, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/positional/__init__.py", line 101, in inner
    return wrapped(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 387, in request
    auth_headers = self.get_auth_headers(auth)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 647, in get_auth_headers
    return auth.get_headers(self, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/plugin.py", line 84, in get_headers
    token = self.get_token(session)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/base.py", line 90, in get_token
    return self.get_access(session).auth_token
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/base.py", line 136, in get_access
    self.auth_ref = self.get_auth_ref(session)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/v3/base.py", line 167, in get_auth_ref
    authenticated=False, log=False, **rkwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 595, in post
    return self.request(url, 'POST', **kwargs)
  File "/usr/lib/python2.7/site-packages/positional/__init__.py", line 101, in inner
    return wrapped(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 469, in request
    resp = send(**kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 507, in _send_request
    raise exceptions.SSLError(msg)
SSLError: SSL exception connecting to https://dev-openstack.nubes.rl.ac.uk:5000/v3/auth/tokens: HTTPSConnectionPool(host='dev-openstack.nubes.rl.ac.uk', port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

The same occurs whether I do this or I use Nova to list the VMs running, so I'm thinking it's something to do with the authentication maybe, although I could be wrong.

I would like to understand:

  • Why is this occurring?
  • What do I need to do for it to work?

The error seems pretty clear: "certificate verify failed". You have an SSL certificate validation problem. You need to place a trusted CA certificate where the requests library (used by all OpenStack clients for HTTP operations) will find it, which may be both OS and distribution specific.

If you have the Python certifi module installed, requests will use that to locate a CA certificate bundle. If your distribution customizes certifi appropriately, it will point at the same certificate bundle that is used by other system tools. For example, on my (Fedora) system:

>>> import certifi
>>> certifi.where()
'/etc/pki/tls/certs/ca-bundle.crt'

If certifi is available but has not been customized by your distribution, the CA bundle will be the file cacert.pem contained in the certifi module directory.

If certifi is not available, then requests will default to using its own cacert.pem located in the requests module directory.

Your job is to (a) figure out which of those CA bundles is being used and then (b) install the CA certificate used to sign your OpenStack SSL certificates into that file.

Alternately, you can set the OS_CACERT environment file to point to an appropriate certificate bundle.

See also this bug
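
The two steps of the answer, (a) finding the CA bundle in use and (b) adding the signing CA to it, as an added example that is not part of the original answer; it uses the standard library, plus certifi or requests only when they are importable. The function names are this example's own, and the lookup order (OS_CACERT, then the REQUESTS_CA_BUNDLE and CURL_CA_BUNDLE variables that requests honours, then certifi, then requests' bundled file) is an assumption about a default client setup.

```python
import base64
import os
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_certs(text):
    """DER bytes of every certificate block found in PEM text."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]


def candidate_bundles(environ=os.environ):
    """(source, path) pairs in the assumed lookup order, most specific first."""
    found = [(v, environ[v])
             for v in ("OS_CACERT", "REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")
             if environ.get(v)]
    try:
        import certifi
        found.append(("certifi", certifi.where()))
    except ImportError:
        try:  # older requests releases ship their own cacert.pem
            import requests.certs
            found.append(("requests", requests.certs.where()))
        except ImportError:
            pass
    return found


def bundle_contains(bundle_text, ca_text):
    """True when every certificate in ca_text is already in the bundle."""
    wanted, have = pem_certs(ca_text), set(pem_certs(bundle_text))
    return bool(wanted) and all(der in have for der in wanted)


def install_ca(bundle_path, ca_path):
    """Append the CA to the bundle once; return True if the file changed."""
    with open(ca_path) as f:
        ca_text = f.read()
    with open(bundle_path) as f:
        bundle_text = f.read()
    if not pem_certs(ca_text):
        raise ValueError("no PEM certificate in %s" % ca_path)
    if bundle_contains(bundle_text, ca_text):
        return False
    with open(bundle_path, "a") as f:
        f.write(("" if bundle_text.endswith("\n") else "\n") + ca_text)
    return True


if __name__ == "__main__":
    for source, path in candidate_bundles():
        print("%-20s %s" % (source, path))
```

A bundle shipped by a package, such as certifi's cacert.pem, is replaced when the package is upgraded, so a separate bundle file passed as session.Session(auth=auth, verify=path) or named in REQUESTS_CA_BUNDLE survives upgrades.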
