yahoo-eng-team team mailing list archive

Thread
Date
[Bug 1160529] Re: Verify SSL certificates at boot time

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Wed, 29 May 2013 08:53:51 -0000
Reply-to: Bug 1160529 <1160529@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
** Changed in: glance
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1160529

Title:
  Verify SSL certificates at boot time

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released

Bug description:
  Currently when glance is configured to server HTTPS the validity of
  the certificates is not checked.  When used an error message is logged
  that looks like:

  
  2013-03-26 14:58:30.724 13681 CRITICAL glance [-] [Errno 336445442] _ssl.c:365: error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
  2013-03-26 14:58:30.724 13681 TRACE glance Traceback (most recent call last):
  2013-03-26 14:58:30.724 13681 TRACE glance   File "/opt/stack/glance/bin/glance-api", line 60, in <module>
  2013-03-26 14:58:30.724 13681 TRACE glance     server.start(config.load_paste_app(), default_port=9292)
  2013-03-26 14:58:30.724 13681 TRACE glance   File "/opt/stack/glance/glance/common/wsgi.py", line 206, in start
  2013-03-26 14:58:30.724 13681 TRACE glance     self.run_child()
  2013-03-26 14:58:30.724 13681 TRACE glance   File "/opt/stack/glance/glance/common/wsgi.py", line 257, in run_child
  2013-03-26 14:58:30.724 13681 TRACE glance     self.run_server()
  2013-03-26 14:58:30.724 13681 TRACE glance   File "/opt/stack/glance/glance/common/wsgi.py", line 283, in run_server
  2013-03-26 14:58:30.724 13681 TRACE glance     custom_pool=self.pool)
  2013-03-26 14:58:30.724 13681 TRACE glance   File "/usr/lib/python2.7/site-packages/eventlet/wsgi.py", line 655, in server
  2013-03-26 14:58:30.724 13681 TRACE glance     client_socket = sock.accept()
  2013-03-26 14:58:30.724 13681 TRACE glance   File "/usr/lib/python2.7/site-packages/eventlet/green/ssl.py", line 277, in accept
  2013-03-26 14:58:30.724 13681 TRACE glance     suppress_ragged_eofs=self.suppress_ragged_eofs)
  2013-03-26 14:58:30.724 13681 TRACE glance   File "/usr/lib/python2.7/site-packages/eventlet/green/ssl.py", line 46, in __init__
  2013-03-26 14:58:30.724 13681 TRACE glance     super(GreenSSLSocket, self).__init__(sock.fd, *args, **kw)
  2013-03-26 14:58:30.724 13681 TRACE glance   File "/usr/lib64/python2.7/ssl.py", line 141, in __init__
  2013-03-26 14:58:30.724 13681 TRACE glance     ciphers)
  2013-03-26 14:58:30.724 13681 TRACE glance SSLError: [Errno 336445442] _ssl.c:365: error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
  2013-03-26 14:58:30.724 13681 TRACE glance 
  2013-03-26 14:58:30.832 13672 ERROR eventlet.wsgi.server [-] Not respawning child 13681, cannot recover from termination

  It would be nice if these were checked on load an a more helpful error
  message was printed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1160529/+subscriptions