Bootstrapping simple-manager-blueprint on CentOS 7 with SSL enabled fails when validating NGINX URL https://127.0.0.1/api/v2.1/version
nginx error: https://127.0.0.1/api/v2.1/version: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)>
In CentOS 7 the default Python version is 2.7.5, and according to this article https://access.redhat.com/articles/2039753 there were some changes incorporated into the standard HTTP Python libs that perform SSL validation.
Following the article and looking at my system's /etc/python/cert-verification.cfg file, it is using "platform_default", which in turn uses the platform-specific default hard-coded in the ssl module (which is to validate SSL certs).
Long story short, during bootstrapping this function is called: utils.verify_service_http(SERVICE_NAME, nginx_url, check_response, headers=headers), with check_response checking whether the status code is 200 or 401.
As far as I can see, verify_service_http just calls check_http_response, which ultimately uses the urllib2 library. No check is done on whether the CLOUDIFY_SSL_TRUST_ALL env variable is set, and as a result the exception CERTIFICATE_VERIFY_FAILED is hit and the bootstrap fails.
I managed to get around this by changing /etc/python/cert-verification.cfg to [https] verify=disable, but this is less than ideal.
Can we get a more permanent solution? Should the bootstrapping process include adding cloudify_external_key.pem certificate to the trust chain?
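
An added example, not part of the original report and not Cloudify's own code: one way the health check could scope the trust decision to a single request instead of changing /etc/python/cert-verification.cfg for every Python program on the host. It is written for Python 3 (urllib.request rather than urllib2); the names build_ssl_context, fetch_status and ca_file, the precedence order, and the reading of CLOUDIFY_SSL_TRUST_ALL as the string "true" are assumptions.

```python
import os
import ssl
import urllib.error
import urllib.request

TRUST_ALL_ENV = "CLOUDIFY_SSL_TRUST_ALL"  # variable name taken from the report


def build_ssl_context(ca_file=None, environ=None):
    """Return an SSLContext for one health-check request (hypothetical helper).

    Precedence (an assumption of this example):
      1. ca_file given  -> verify against that certificate only.
      2. trust-all flag -> verification off, for this context only.
      3. otherwise      -> platform default (verify against system CAs).
    """
    environ = os.environ if environ is None else environ
    if ca_file:
        # System CAs are not loaded when cafile is passed. Verification and
        # hostname checking stay on, so the certificate must name the host
        # or IP address that is being requested.
        return ssl.create_default_context(cafile=ca_file)
    if environ.get(TRUST_ALL_ENV, "").strip().lower() == "true":
        ctx = ssl.create_default_context()
        ctx.check_hostname = False  # has to be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    return ssl.create_default_context()


def fetch_status(url, ca_file=None, environ=None, timeout=10):
    """Request url with the scoped context and return the HTTP status code."""
    ctx = build_ssl_context(ca_file, environ)
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code  # the report's check accepts 200 or 401
```

A missing or unreadable ca_file raises instead of falling back to the trust-all branch, so a misplaced certificate cannot silently turn verification off.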