You have been subscribed to a public bug:

If you create a CA certificate and add it to the default locations by
copying it to /usr/local/share/ca-certificates/ and running
'update-ca-certificates' it should be picked up by anything using openssl.

For example curl:

1) before running update-ca-certificates:

 $ curl https://192.0.2.254:13776
 curl: (60) SSL certificate problem: unable to get local issuer certificate
 More details here: http://curl.haxx.se/docs/sslcerts.html

2) after running update-ca-certificates:

 $ curl https://192.0.2.254:13776
 {"versions": [{"status": "CURRENT", "updated": "2012-01-04T11:33:21Z", "id":
 "v1.0", "links": [{"href": "http://192.0.2.254:13776/v1/", "rel": "self"}]},
 {"status": "CURRENT", "updated": "2012-11-21T11:33:21Z", "id": "v2.0", "links":
 [{"href": "http://192.0.2.254:13776/v2/", "rel": "self"}]}]}

although pointing directly to the CA file does work:

 $ keystone --os-cacert /etc/ssl/from-heat-ca.crt service-list
 +----------------------------------+----------+---------------+------------------------------+
 |                id                |   name   |      type     |         description          |
 +----------------------------------+----------+---------------+------------------------------+
 | e59679b3694449c6bc410d7321df48d6 |  cinder  |     volume    |    Cinder Volume Service     |
 | 8cb17b90b58440b9acb3be1716fc9c57 |   ec2    |      ec2      |   EC2 Compatibility Layer    |
 | d38888f8790c469cb007535e4d22d6eb |  glance  |     image     |     Glance Image Service     |
 | 70d1c596bc824397a440a61cf33e4bd4 |   heat   | orchestration |         Heat Service         |
 | 917470532d5d4d9b815bd19b882cc58a | keystone |    identity   |  Keystone Identity Service   |
 | a748d35bacbf4ed2a0a607ad52739e4e | neutron  |    network    |       Neutron Service        |
 | 2a5905f1de5c4cd1a561ae7fdea0e1ae |   nova   |   computev3   |   Nova Compute Service v3    |
 | 77c83d2c395a4924bef10c2e5c13cd74 |   nova   |    compute    |     Nova Compute Service     |
 | dd8e1561cccc47a0b134616d4f4efd1d |  swift   |  object-store | Swift Object Storage Service |
 +----------------------------------+----------+---------------+------------------------------+


after update-ca-certificates has been run the CA cert is not picked up 
automatically from the system-wide location:


 $ keystone service-list
 Authorization Failed: SSL exception connecting to https://192.0.2.254:13000/v2.0/tokens

** Affects: python-keystoneclient (Ubuntu)
     Importance: Undecided
         Status: New

-- 
Debian/Ubuntu system wide CA certificate file doesn't seem to be used
https://bugs.launchpad.net/bugs/1307598
You received this bug notification because you are a member of Ubuntu Server 
Team, which is subscribed to python-keystoneclient in Ubuntu.
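
A diagnostic for the situation reported above, added here as an example and not part of the bug report or of python-keystoneclient: it checks whether a CA certificate actually landed in the system bundle, which separates "update-ca-certificates did not merge the CA" from "the client is not reading the system bundle". The bundle path /etc/ssl/certs/ca-certificates.crt is an assumption (the Debian/Ubuntu default), the script name is hypothetical, and the PEM samples are constructed placeholders rather than real certificates.

```python
import base64
import hashlib
import re
import ssl
import sys

# Assumption: Debian/Ubuntu path of the bundle that update-ca-certificates regenerates.
SYSTEM_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)


def fingerprints(pem_text):
    """SHA-256 fingerprints of the DER form of every certificate in a PEM string."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_RE.findall(pem_text)}


def ca_in_bundle(ca_pem, bundle_pem):
    """True if every certificate in ca_pem is also present in bundle_pem."""
    wanted = fingerprints(ca_pem)
    return bool(wanted) and wanted <= fingerprints(bundle_pem)


def fake_pem(der_bytes):
    """Wrap constructed bytes in PEM armour (sample data, not a valid X.509 cert)."""
    body = base64.encodebytes(der_bytes).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample input: a local CA and two bundles, one updated and one stale.
LOCAL_CA = fake_pem(b"constructed local CA")
UPDATED_BUNDLE = fake_pem(b"constructed public root") + LOCAL_CA
STALE_BUNDLE = fake_pem(b"constructed public root")

if __name__ == "__main__":
    # Usage (hypothetical script name): python3 check_ca.py /etc/ssl/from-heat-ca.crt
    with open(sys.argv[1]) as ca, open(SYSTEM_BUNDLE) as bundle:
        print("CA present in system bundle:", ca_in_bundle(ca.read(), bundle.read()))
    # Where this interpreter's ssl module looks when no CA file is passed explicitly.
    print("ssl default verify paths:", ssl.get_default_verify_paths())
```

If the CA is reported as present and the client still fails without --os-cacert, the bundle itself is fine and the next thing to inspect is which CA file the client library loads.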
