Simple Manager Bootstrap SSL verification fails

Description

Summary:

Bootstrapping simple-manager-blueprint on CentOS 7 with SSL enabled fails when validating the NGINX URL https://127.0.0.1/api/v2.1/version

nginx error: https://127.0.0.1/api/v2.1/version: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)>

In CentOS 7 the default Python version is 2.7.5, and according to this article https://access.redhat.com/articles/2039753 there were some changes incorporated into the standard HTTP Python libs that perform SSL validation.

Following the article and looking at my system's /etc/python/cert-verification.cfg file, it is using "platform_default", which in turn uses the platform-specific default hard-coded in the ssl module (which is to validate SSL certs).

Long story short, during bootstrapping this function is called: utils.verify_service_http(SERVICE_NAME, nginx_url, check_response, headers=headers), with the check_response being whether the status code is 200 or 401.

As far as I can see, verify_service_http just calls check_http_response, which ultimately uses the urllib2 library. No check is done on whether the CLOUDIFY_SSL_TRUST_ALL env variable is set, and as a result the exception CERTIFICATE_VERIFY_FAILED is hit and the bootstrap fails.

I managed to get around this by changing /etc/python/cert-verification.cfg [https] verify=disable but this is less than ideal.

Can we get a more permanent solution? Should the bootstrapping process include adding cloudify_external_key.pem certificate to the trust chain?

Status

Assignee

Guy Offer

Reporter

Darin Sikanic

Labels

Severity

None

Bug Type

None

Target Version

None

Fix versions

Affects versions

4.1.1
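
The two options raised in the description (trusting the manager certificate explicitly, or honouring CLOUDIFY_SSL_TRUST_ALL) can both be scoped to a single request instead of editing /etc/python/cert-verification.cfg for the whole host. The sketch below is an added example, not Cloudify's code: it uses Python 3's urllib.request rather than urllib2, the names build_ssl_context and verify_service_https are hypothetical, and treating the variable as enabled only when it equals "true" is an assumption.

```python
import os
import ssl
import urllib.error
import urllib.request

TRUST_ALL_ENV = "CLOUDIFY_SSL_TRUST_ALL"  # name from the issue; value parsing is assumed


def build_ssl_context(cafile=None, env=None):
    """Return an SSLContext for one check, leaving system-wide defaults alone."""
    env = os.environ if env is None else env
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    if cafile:
        # Preferred: trust the manager's own certificate or CA explicitly.
        ctx.load_verify_locations(cafile=cafile)
    elif env.get(TRUST_ALL_ENV, "").strip().lower() == "true":
        # Explicit opt-out for this context only; check_hostname has to be
        # cleared before verify_mode may be set to CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def check_response(status):
    """The bootstrap check described in the issue: 200 or 401 means nginx answers."""
    return status in (200, 401)


def verify_service_https(url, cafile=None, env=None, timeout=10):
    """Hypothetical stand-in for verify_service_http; returns the HTTP status."""
    ctx = build_ssl_context(cafile, env)
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code  # a 401 is raised as an exception but is still an answer
    except urllib.error.URLError as err:
        # CERTIFICATE_VERIFY_FAILED surfaces here, wrapped in URLError.
        raise RuntimeError("%s: %s" % (url, err.reason))
    if not check_response(status):
        raise RuntimeError("%s: unexpected status %s" % (url, status))
    return status
```

With a cafile supplied, hostname checking stays on, so a certificate used for https://127.0.0.1 has to list 127.0.0.1 as an IP subjectAltName or the check still fails.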