VIO 1.0 + NSX + vSphere 6.0
I am trying to execute the following segment of code:
139 credentials = get_credentials()
140 neutron = client.Client('2.0',
141 username=credentials['username'],
142 password=credentials['password'],
143 auth_url=credentials['auth_url'],
144 tenant_name=credentials['tenant_name'],
145 endpoint_url=credentials['url'],
146 token=credentials['token'],
147 insecure=True)
148 response = neutron.list_ports()
When I run the Python script, it errors out with the following:
Traceback (most recent call last):
File "getMACAddr.py", line 148, in <module>
response = neutron.list_ports()
File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 111, in with_params
ret = self.function(instance, *args, **kwargs)
File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 306, in list_ports
**_params)
File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 1250, in list
for r in self._pagination(collection, path, **params):
File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 1263, in _pagination
res = self.get(path, params=params)
File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 1236, in get
headers=headers, params=params)
File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 1221, in retry_request
headers=headers, params=params)
File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 1156, in do_request
resp, replybody = self.httpclient.do_request(action, method, body=body)
File "/usr/lib/python2.7/dist-packages/neutronclient/client.py", line 192, in do_request
**kwargs)
File "/usr/lib/python2.7/dist-packages/neutronclient/client.py", line 148, in _cs_request
raise exceptions.SslCertificateValidationError(reason=e)
neutronclient.common.exceptions.SslCertificateValidationError: SSL certificate validation has failed: [Errno 1] _ssl.c:510: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
The /var/log/neutron/server.log file has the following corresponding entry for when the script tries to make the connection:
2015-04-11 07:17:31.941 2096 INFO neutron.wsgi [-] (2096) accepted ('10.27.16.164', 34495)
When I run the CLI from the same controller node, I get the error with or without the —insecure flag:
root@controller02:/tmp# neutron port-list
SSL certificate validation has failed: [Errno 1] _ssl.c:510: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
root@controller02:/tmp# neutron --insecure port-list
SSL certificate validation has failed: [Errno 1] _ssl.c:510: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
If I run the neutron CLI command from my local Macbook Pro, it works just fine. That leads me to believe it is a communication error when the controller node tries to talk to itself. I have tried setting the OS_AUTH_URL and OS_URL to both the localhost IP and the 10-network IP address -- both result in the same error.
Any ideas?
--
Chris
Looks like the SSL error was being caused because I was connecting to the OS_URL for Neutron over SSL -- which is what the Access & Security page showed as the correct URL in Horizon. By changing the OS_URL to use HTTP, it began working.
Looks like the SSL error was being caused because I was connecting to the OS_URL for Neutron over SSL -- which is what the Access & Security page showed as the correct URL in Horizon. By changing the OS_URL to use HTTP, it began working.
Hi Chris,
It seems that you used controller IP directly instead of public VIP. HTTPS works only on public VIP, everything else is running HTTP, because it assumes only connections between internal components. Can you try https again with public VIP?
Best Regards,
Karol
Hello Chris,
Thanks for checking out VMware Integrated OpenStack and for sharing your concern.
By default, VMware Integrated OpenStack uses a self-signed certificate, which will require the use of the OS_CACERT environment variable in your openrc file and when using the API.
The better way to resolve this is to use a CA-signed certificate. Fortunately, VMware Integrated OpenStack makes the CSR generation and signed certificate import process very easy.
If this is production, of course, use a trusted Root CA. If this is a Dev Lab, you can generate your own Root CA certificate and use it for testing.
I wrote up a quick blog post on how to do this.
Let us know if you have any further questions.
Regards,
Trevor