I need the parameter --insecure to successfully connect to our VIO despite working and CA signed Certificates.
If I connect with a Browser to the Horizon Website the Certificate is valid, but if I try to connect with the CLI I get a error:
$ openstack server list
Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
SSL exception connecting to https://my_vio:5000/v3/auth/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
If I add --insecure everything works fine. What's missing here?
Fixed it. The issue was the chain. I had just the certificate in the file. Now I made one with:
-- certificate --
-- intermediate --
-- root --
imported it again with:
sudo viocli deployment cert-update -p -f /home/viouser/cert_full_chain.crt
and everything works.
Helpful was a check of the certificate from a client:
openssl s_client -connect MYVIO.local:5000
...
Start Time: 1513768940
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
...
Fixed it. The issue was the chain. I had just the certificate in the file. Now I made one with:
-- certificate --
-- intermediate --
-- root --
imported it again with:
sudo viocli deployment cert-update -p -f /home/viouser/cert_full_chain.crt
and everything works.
Helpful was a check of the certificate from a client:
openssl s_client -connect MYVIO.local:5000
...
Start Time: 1513768940
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
...