VMware Cloud Community
dalo

openstack client, --insecure needed despite valid certificate

I need the parameter --insecure to successfully connect to our VIO despite working and CA signed Certificates.

If I connect with a browser to the Horizon website the certificate is valid, but if I try to connect with the CLI I get an error:

$ openstack server list

Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.

SSL exception connecting to https://my_vio:5000/v3/auth/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

If I add --insecure everything works fine. What's missing here?

0 Kudos

Accepted Solutions
dalo

Fixed it. The issue was the chain. I had just the certificate in the file. Now I made one with:

-- certificate --

-- intermediate --

-- root --

imported it again with:

sudo viocli deployment cert-update -p -f /home/viouser/cert_full_chain.crt

and everything works.

A check of the certificate from a client was helpful:

openssl s_client -connect MYVIO.local:5000

...

    Start Time: 1513768940

    Timeout   : 300 (sec)

    Verify return code: 21 (unable to verify the first certificate)

...

0 Kudos
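An offline check of the chain file itself, as an added example (not part of the original post and not VMware tooling): it reads the subject and issuer of each PEM block and reports when the file is leaf-only, out of order, or stops before a self-signed root. It assumes the certificate, intermediate, root layout used in the post and compares names byte-for-byte without verifying signatures; the `fake_pem` sample data is constructed.

```python
import base64, re, sys

PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(der, pos):
    """Read one DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (subject, issuer) as raw DER Name bytes; no signature is checked."""
    pos = tlv(der, tlv(der, 0)[1])[1]      # step into Certificate, then tbsCertificate
    tag, _, end = tlv(der, pos)
    if tag == 0xA0:                        # skip the optional [0] version field
        pos = end
    fields = []
    for _field in range(5):                # serial, sigAlg, issuer, validity, subject
        end = tlv(der, pos)[2]
        fields.append(der[pos:end])
        pos = end
    return fields[4], fields[2]

def check_bundle(pem_text):
    """List problems in a leaf, intermediate(s), root bundle; an empty list means OK."""
    chain = [names(base64.b64decode(b)) for b in PEM.findall(pem_text)]
    if not chain:
        return ["no certificates found"]
    problems = [f"cert {i} is not issued by cert {i + 1}: wrong order or missing intermediate"
                for i in range(len(chain) - 1) if chain[i][1] != chain[i + 1][0]]
    if chain[-1][0] != chain[-1][1]:       # assumed layout: last entry is the self-signed root
        problems.append("last cert is not self-signed: its issuer is missing from the file")
    return problems

def enc(tag, *parts):                      # sample-data helper; short-form lengths only
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def fake_pem(subject, issuer):
    """CONSTRUCTED skeleton with only the fields names() reads; not a real certificate."""
    name = lambda cn: enc(0x30, enc(0x31, enc(0x30, b"\x06\x03\x55\x04\x03", enc(0x0C, cn.encode()))))
    tbs = enc(0x30, b"\xa0\x03\x02\x01\x02", b"\x02\x01\x01", enc(0x30), name(issuer),
              enc(0x30), name(subject))
    body = base64.b64encode(enc(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":                 # no argument: a leaf-only file, as in the post
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else fake_pem("leaf", "intermediate")
    print(check_bundle(text) or "bundle order looks complete")
```

Run it with the path of the chain file as the only argument before importing the file; an empty result only says the names line up, so the `openssl s_client` check from the post is still the test of what the server actually presents.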