Bug Description

Running "openstack network list" fails with "An SSL error occurred" with python-openstackclient version 2.1.0 and newer.

Other commands, like "openstack server list" work with the same version.

$ openstack --version
openstack 2.1.0
$ openstack server list >/dev/null # Works
$ openstack network list >/dev/null # Fails
An SSL error occurred.

Running "openstack network list" works with python-openstackclient version 2.0.0:

$ openstack --version
openstack 2.0.0
$ openstack server list >/dev/null # Works
$ openstack network list >/dev/null # Works
$

Kindly attach the logs you get when this command is run ::

openstack --debug network list

Output from "openstack --debug network list" is attached.

Can you attach the output of openstack --debug server list as well?

Output of "openstack server --debug list --name bugreport" is attached.

Are the compute and network endpoints configured the same? ie, do they use the same SSL/TLS termination or configuration?

If you hit the network endpoint in a browser does it have a valid cert?

Also, does 'openstack network list --insecure' work?

openstack catalog list

should give you a list of endpoints.

Can you please provide the output of "pip list"?

Output of pip list is attached.

I get the same error with --insecure:

$ openstack network list --insecure
An SSL error occurred.

The endpoints are all using the same wildcard certificate.

The --insecure bit is a clue, it's internal to OSC, probably connected to the use of the SDK with the network commands and not the others. We may not be setting up TLS correctly there.

It appears that OSC may need to pass verification information when building the connection using the SDK. I'll try recreating this.

I deployed a DevStack environment with the tls-proxy service enabled and could not recreate the error.

ubuntu@openstacksdk3:~$ openstack --version
openstack 2.2.1
ubuntu@openstacksdk3:~$ openstack network list
...
ubuntu@openstacksdk3:~$ env | grep OS
OS_REGION_NAME=RegionOne
OS_PROJECT_NAME=admin
OS_IDENTITY_API_VERSION=2.0
OS_PASSWORD=<my-password>
OS_AUTH_URL=https://X.X.X.X:5000/v2.0
OS_USERNAME=admin
OS_TENANT_NAME=admin
OS_VOLUME_API_VERSION=2
OS_NO_CACHE=1

I tried deploying a DevStack environment with USE_SSL=True but that failed.

OSC 2.2.1 authenticates twice when performing a neutron-related command: the 1st one with cacert/verify information which succeeds, the 2nd one without them which fails

Does anyone know how to recreate this using a DevStack deployment?

Is there a way to enable SSL in devstack with an existing certificate?

The following also worked in my DevStack environment with the tls-proxy service enabled.

$ OS_CACERT=/etc/ssl/certs/ca-certificates.crt openstack network list
...

Fix proposed to branch: master
Review:https://review.openstack.org/303472

Reviewed:https://review.openstack.org/303472
Committed:https://git.openstack.org/cgit/openstack/python-openstackclient/commit/?id=b5f10f43eb9fd1a046a3e80db09d8bc8c350c218
Submitter: Jenkins
Branch: master

commit b5f10f43eb9fd1a046a3e80db09d8bc8c350c218
Author: Richard Theis <email address hidden>
Date: Thu Apr 7 16:35:38 2016 -0500

    Fix SSL/TLS verification for network commands

    The network commands ignored the --insecure and --os-cacert
    options and OS_CACERT environment variable which prevented
    them from properly completing SSL/TLS verification. This
    resulted in the network commands failing with
    "An SSL error occurred."

    Change-Id: I15167631ef58335e1476c16b828b079e3b0f13c1
    Closes-Bug: #1560157

This issue was fixed in the openstack/python-openstackclient 2.4.0 release.

Could somebody please backport it to Mitaka as well?

Fix proposed to branch: stable/mitaka
Review:https://review.openstack.org/354271

Change abandoned by Steve Martinelli (<email address hidden>) on branch: stable/mitaka
Review:https://review.openstack.org/354271
Reason: rich, seems like not

Hi Alexander. OSC normally only backports security fixes to stable branches. Please contact Dean Troyer (dtroyer) if you believe an exception to this policy is needed.

FYI: OSC 2.4.0 should be backwards compatible with Mitaka.

Alexander, Sergii, that fix was backported in downstream MOS 9.1 as bughttps://bugs.launchpad.net/mos/+bug/1613679

Setting state of the current bug in MOS as invalid, as there is no way to specify state for a single project as duplicate.

Reviewed:https://review.openstack.org/354271
Committed:https://git.openstack.org/cgit/openstack/python-openstackclient/commit/?id=53a79c33f88cea83fb2a90408dd3f5e8dd48a2f5
Submitter: Jenkins
Branch: stable/mitaka

commit 53a79c33f88cea83fb2a90408dd3f5e8dd48a2f5
Author: Richard Theis <email address hidden>
Date: Thu Apr 7 16:35:38 2016 -0500

    Fix SSL/TLS verification for network commands

    The network commands ignored the --insecure and --os-cacert
    options and OS_CACERT environment variable which prevented
    them from properly completing SSL/TLS verification. This
    resulted in the network commands failing with
    "An SSL error occurred."

    Change-Id: I15167631ef58335e1476c16b828b079e3b0f13c1
    Closes-Bug: #1560157
    (cherry picked from commit b5f10f43eb9fd1a046a3e80db09d8bc8c350c218)

This issue was fixed in the openstack/python-openstackclient 2.3.1 release.