I think with OS_CACERT you are telling your CentOS 7 server to validate the 
server certificate at /var/tmp/GeoTrust_CA_Bundle.crt instead of the validation 
information that is embedded in the server certificate such as CRL and OCSP URL.

Hope someone will have an answer for this problem.  I am curious to know what 
the root cause of this problem is.  :)

As for why Mac OS X works, it could be they do not follow the rules.  I know 
some web browsers do not check the server certificate according to the 
SSLv3/TLS spec.

Cheers,

Anthony.
-----Original Message-----
From: Jagga Soorma [mailto:jagg...@gmail.com] 
Sent: Tuesday, March 22, 2016 5:42 PM
To: CHOW Anthony
Cc: openstack
Subject: Re: [Openstack] SSL cert issue on openstack client

However, my Mac OS X desktop does that without any issues.  I was able to get 
around this on my CentOS server by downloading the GeoTrust_CA_Bundle.crt 
locally and using "export OS_CACERT=/var/tmp/GeoTrust_CA_Bundle.crt".  However, 
I don't want all my users to have to do this.  Is there a way around 
this on CentOS/Ubuntu?  I thought this would be part of the SSL chain included 
on these distributions.

Thanks

On Tue, Mar 22, 2016 at 5:38 PM, CHOW Anthony <anthony.c...@al-enterprise.com> 
wrote:
> It seems like your CentOS 7 server is not able to verify the KeyStone 
> server's certificate.
>
>         [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Interesting issue.
>
> Anthony.
> -----Original Message-----
> From: Jagga Soorma [mailto:jagg...@gmail.com]
> Sent: Tuesday, March 22, 2016 5:18 PM
> To: openstack
> Subject: [Openstack] SSL cert issue on openstack client
>
> Hi Guys,
>
> I am new to openstack and currently have an openstack environment that seems 
> to have SSL enabled.  From my Mac I am able to use the openstack API without 
> any issues and without having to do anything for SSL.
> However, from my CentOS 7.1 server I get the following error message:
>
> --
> bash-4.2$ openstack image list
> Discovering versions from the identity service failed when creating the 
> password plugin. Attempting to determine version from URL.
> SSL exception connecting to https://xxx.yyy.com:5000/v3/auth/tokens:
> [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> --
>
> I do seem to have the CA certificates installed:
>
> --
> $ rpm -qa | grep -i ca-cert
> ca-certificates-2015.2.4-70.0.el7_1.noarch
> --
>
> Is there something extra that I need to do in order to get the openstack API 
> working on CentOS?
>
> Not having much luck with this.  Any help would be appreciated.
>
> Thanks!
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack@lists.openstack.org
> Unsubscribe : 
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack