Openstack Self-signed CA import


Tomasz Skowron

Feb 10, 2021, 4:07:15 PM
to elasticluster

Hi,

does anyone know how one can specify to use a file with CA certificates for authentication with regards to deployments to on-premises OpenStack?

Would I need to build the Docker container and mount the file inside somehow, as when setting `export OS_CACERT=elasticluster/openstackca.pem` I get the error below:


2021-02-10 21:05:47 074c653e4e12 elasticluster[1] ERROR Could not start node `compute004`: Could not find a suitable TLS CA certificate bundle, invalid path: elasticluster/openstackca.pem -- <type 'exceptions.IOError'>
Traceback (most recent call last):
  File "elasticluster/cluster.py", line 580, in _start_node
    node.start()
  File "elasticluster/cluster.py", line 1319, in start
    **self.extra)
  File "elasticluster/providers/openstack.py", line 484, in start_instance
    self._check_keypair(key_name, public_key_path, private_key_path)
  File "elasticluster/providers/openstack.py", line 921, in _check_keypair
    keypair = self.nova_client.keypairs.get(name)
  File "/usr/local/lib/python2.7/site-packages/novaclient/api_versions.py", line 393, in substitution
    return methods[-1].func(obj, *args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/novaclient/v2/keypairs.py", line 73, in get
    "keypair")
  File "/usr/local/lib/python2.7/site-packages/novaclient/base.py", line 353, in _get
    resp, body = self.api.client.get(url)
  File "/usr/local/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 386, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/local/lib/python2.7/site-packages/novaclient/client.py", line 72, in request
    **kwargs)
  File "/usr/local/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 545, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 248, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/keystoneauth1/session.py", line 747, in request
    auth_headers = self.get_auth_headers(auth)
  File "/usr/local/lib/python2.7/site-packages/keystoneauth1/session.py", line 1158, in get_auth_headers
    return auth.get_headers(self, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/keystoneauth1/plugin.py", line 95, in get_headers
    token = self.get_token(session)
  File "/usr/local/lib/python2.7/site-packages/keystoneauth1/identity/base.py", line 88, in get_token
    return self.get_access(session).auth_token
  File "/usr/local/lib/python2.7/site-packages/keystoneauth1/identity/base.py", line 134, in get_access
    self.auth_ref = self.get_auth_ref(session)
  File "/usr/local/lib/python2.7/site-packages/keystoneauth1/identity/v3/base.py", line 184, in get_auth_ref
    authenticated=False, log=False, **rkwargs)
  File "/usr/local/lib/python2.7/site-packages/keystoneauth1/session.py", line 1106, in post
    return self.request(url, 'POST', **kwargs)
  File "/usr/local/lib/python2.7/site-packages/keystoneauth1/session.py", line 888, in request
    resp = send(**kwargs)
  File "/usr/local/lib/python2.7/site-packages/keystoneauth1/session.py", line 979, in _send_request
    resp = self.session.request(method, url, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 416, in send
    self.cert_verify(conn, request.url, verify, cert)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 228, in cert_verify
    "invalid path: {}".format(cert_loc))
IOError: Could not find a suitable TLS CA certificate bundle, invalid path: elasticluster/openstackca.pem

Would I need to build the Docker container and mount the file inside somehow?

Riccardo Murri

Feb 10, 2021, 4:09:58 PM
to Tomasz Skowron, elasticluster
Hello Tomasz,

are you using the Dockerized version of ElastiCluster?  (i.e., `elasticluster.sh`, the one you install with the "Quickstart" instructions)
Ciao,
R

Tomasz Skowron

Feb 10, 2021, 4:23:24 PM
to elasticluster
Hi,

Yes, dockerised. After looking at the Dockerfile, I have found a workaround to this, without needing to rebuild. The .elasticluster appears to be just the right place to put the cert file for it to be automatically picked up.

export OS_CACERT=/home/$(whoami)/.elasticluster/openstackca.pem
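A pre-flight check for the situation in this thread, as an added example that is not part of the original posts or of ElastiCluster: it confirms that `OS_CACERT` is an absolute path under `~/.elasticluster` (the location the last reply found to be picked up by the Dockerized wrapper) and that the file holds a PEM certificate. The function name `check_os_cacert` and its return codes are made up for this example.

```shell
#!/bin/sh
# Added example (not ElastiCluster code): validate OS_CACERT before running
# the Dockerized elasticluster.sh wrapper.
# Assumption taken from the thread: a file under ~/.elasticluster is picked up
# inside the container at the same absolute path; other host paths are not.

# check_os_cacert [PATH] [CONFIG_DIR]
# Returns: 0 usable, 1 unset, 2 relative path, 3 outside CONFIG_DIR,
#          4 missing or unreadable, 5 no PEM certificate in the file.
check_os_cacert() {
    cacert="${1-${OS_CACERT-}}"
    confdir="${2-$HOME/.elasticluster}"

    [ -n "$cacert" ] || { echo "OS_CACERT is not set" >&2; return 1; }

    # A relative path (the failing case in the traceback) is resolved against
    # the working directory of the process inside the container.
    case "$cacert" in
        /*) ;;
        *)  echo "relative path: $cacert" >&2; return 2 ;;
    esac

    # Reject '..' components so the prefix test below cannot be bypassed.
    case "$cacert" in
        */../*|*/..) echo "path contains '..': $cacert" >&2; return 3 ;;
    esac
    case "$cacert" in
        "$confdir"/*) ;;
        *)  echo "not under $confdir: $cacert" >&2; return 3 ;;
    esac

    [ -f "$cacert" ] && [ -r "$cacert" ] || {
        echo "missing or unreadable: $cacert" >&2; return 4; }

    # Cheap sanity check that the bundle contains at least one PEM certificate.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cacert" || {
        echo "no PEM certificate in $cacert" >&2; return 5; }
    return 0
}

# Usage: export OS_CACERT=... ; check_os_cacert || exit 1
# (run on the host before invoking elasticluster.sh)
```
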