1 Reply Latest reply on Dec 20, 2017 3:52 AM by dalo

    opentstack client, --insecure needed despite valid certificate

    dalo Hot Shot

      I need the parameter --insecure to successfully connect to our VIO despite working and CA signed Certificates.

      If I connect with a Browser to the Horizon Website the Certificate is valid, but if I try to connect with the CLI I get a error:

       

      $ openstack server list

      Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.

      SSL exception connecting to https://my_vio:5000/v3/auth/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

       

      If I add --insecure everything works fine. What's missing here?

        • 1. Re: opentstack client, --insecure needed despite valid certificate
          dalo Hot Shot

          Fixed it. The issue was the chain. I had just the certificate in the file. Now I made one with:

           

          -- certificate --

          -- intermediate --

          -- root --

           

          imported it again with:

           

          sudo viocli deployment cert-update -p -f /home/viouser/cert_full_chain.crt

           

          and everything works.

           

          Helpful was a check of the certificate from a client:

           

          openssl s_client -connect MYVIO.local:5000

           

          ...

              Start Time: 1513768940

              Timeout   : 300 (sec)

              Verify return code: 21 (unable to verify the first certificate)

          ...