VMware Cloud Community
cmutchle
Enthusiast

SSL error using Neutron API and CLI directly on controller nodes

VIO 1.0 + NSX + vSphere 6.0

I am trying to execute the following segment of code:

139         credentials = get_credentials()
140         neutron = client.Client('2.0',
141                                 username=credentials['username'],
142                                 password=credentials['password'],
143                                 auth_url=credentials['auth_url'],
144                                 tenant_name=credentials['tenant_name'],
145                                 endpoint_url=credentials['url'],
146                                 token=credentials['token'],
147                                 insecure=True)
148         response = neutron.list_ports()

When I run the Python script, it errors out with the following:

Traceback (most recent call last):
  File "getMACAddr.py", line 148, in <module>
    response = neutron.list_ports()
  File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 111, in with_params
    ret = self.function(instance, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 306, in list_ports
    **_params)
  File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 1250, in list
    for r in self._pagination(collection, path, **params):
  File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 1263, in _pagination
    res = self.get(path, params=params)
  File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 1236, in get
    headers=headers, params=params)
  File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 1221, in retry_request
    headers=headers, params=params)
  File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 1156, in do_request
    resp, replybody = self.httpclient.do_request(action, method, body=body)
  File "/usr/lib/python2.7/dist-packages/neutronclient/client.py", line 192, in do_request
    **kwargs)
  File "/usr/lib/python2.7/dist-packages/neutronclient/client.py", line 148, in _cs_request
    raise exceptions.SslCertificateValidationError(reason=e)
neutronclient.common.exceptions.SslCertificateValidationError: SSL certificate validation has failed: [Errno 1] _ssl.c:510: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

The /var/log/neutron/server.log file has the following corresponding entry for when the script tries to make the connection:

2015-04-11 07:17:31.941 2096 INFO neutron.wsgi [-] (2096) accepted ('10.27.16.164', 34495)

When I run the CLI from the same controller node, I get the error with or without the --insecure flag:

root@controller02:/tmp# neutron port-list
SSL certificate validation has failed: [Errno 1] _ssl.c:510: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
root@controller02:/tmp# neutron --insecure port-list
SSL certificate validation has failed: [Errno 1] _ssl.c:510: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

If I run the neutron CLI command from my local Macbook Pro, it works just fine. That leads me to believe it is a communication error when the controller node tries to talk to itself. I have tried setting the OS_AUTH_URL and OS_URL to both the localhost IP and the 10-network IP address -- both result in the same error.

Any ideas?

--

Chris


Accepted Solutions
cmutchle
Enthusiast

Looks like the SSL error was being caused because I was connecting to the OS_URL for Neutron over SSL -- which is what the Access & Security page showed as the correct URL in Horizon. By changing the OS_URL to use HTTP, it began working.

KarolSte
Enthusiast

Hi Chris,

It seems that you used the controller IP directly instead of the public VIP. HTTPS works only on the public VIP; everything else is running HTTP, because it assumes only connections between internal components. Can you try HTTPS again with the public VIP?

Best Regards,

Karol

admin
Immortal

Hello Chris,

Thanks for checking out VMware Integrated OpenStack and for sharing your concern.

By default, VMware Integrated OpenStack uses a self-signed certificate, which will require the use of the OS_CACERT environment variable in your openrc file and when using the API.

The better way to resolve this is to use a CA-signed certificate.  Fortunately, VMware Integrated OpenStack makes the CSR generation and signed certificate import process very easy.

If this is production, of course, use a trusted Root CA.  If this is a Dev Lab, you can generate your own Root CA certificate and use it for testing.

I wrote up a quick blog post on how to do this.

Let us know if you have any further questions.

Regards,

Trevor

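Added example (not code from any poster in this thread or from VMware): a small Python 3 probe that tells the two failure causes discussed above apart, namely an https:// URL pointed at a port that only speaks plain HTTP (the "unknown protocol" case) versus a TLS endpoint whose certificate is not trusted until a CA bundle such as the one named by OS_CACERT is supplied. The names probe_endpoint and demo are hypothetical, and the local listener in demo is constructed to stand in for an internal API port.

```python
import http.server
import socket
import ssl
import threading

def probe_endpoint(host, port, cafile=None, timeout=3.0):
    """Return 'plain-http', 'tls-verified', 'tls-untrusted-cert', 'tls-error' or 'unreachable'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with sock:
        try:
            # Plaintext APIs answer with an HTTP status line; TLS listeners do not.
            sock.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            first = sock.recv(16)
        except OSError:
            first = b""
    if first.startswith(b"HTTP/"):
        return "plain-http"  # an https:// URL here fails with "unknown protocol"
    # Not plaintext: try a verified handshake. cafile plays the role of OS_CACERT.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls-verified"
    except ssl.SSLCertVerificationError:
        return "tls-untrusted-cert"  # e.g. self-signed cert, CA bundle not supplied
    except (ssl.SSLError, OSError):
        return "tls-error"

def demo():
    """Probe a constructed local plaintext listener (stand-in for an internal API port)."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_HEAD(self):
            self.send_response(200)
            self.end_headers()
        def log_message(self, *args):
            pass  # keep the demo quiet
    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe_endpoint("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(demo())
```

A 'plain-http' result means the URL scheme is wrong for that address, so disabling certificate checks cannot help; a 'tls-untrusted-cert' result means the endpoint is fine and the client needs the right CA bundle rather than an insecure flag.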