yahoo-eng-team team mailing list archive

[Bug 2076409] [NEW] Lack of tls_cacertfile and tls_cacertdir should be handled differently

Public bug reported:

Some time ago, https://review.opendev.org/c/openstack/keystone/+/833876
got merged. Unfortunately, it broke us during upgrade to 2023.2. After
the upgrade, keystone raised ValueError.

Somehow things worked for us when we used ldaps and had no CAs
configured. I don't fully understand yet how. Probably ldap used the
system default directories.

This change should be mentioned in the release notes. This change should
be added to the doctor. This change should maybe be reverted completely,
and moved to the doctor or to some other place.

** Affects: keystone
     Importance: Undecided
         Status: New

** Description changed:

  Some time ago, https://review.opendev.org/c/openstack/keystone/+/833876
  got merged. Unfortunately, it broke us during upgrade to 2023.2. After
  the upgrade, keystone raised ValueError.
  
  Somehow things worked for us when we used ldaps and had no CAs
  configured. I don't fully understand yet how. Probably ldap used the
  system default directories.
  
  This change should be mentioned in the release notes. This change should
  be added to the doctor. This change should maybe be reverted completely,
- and moved to the doctor or to some place.
+ and moved to the doctor or to some other place.

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2076409

Title:
  Lack of tls_cacertfile and tls_cacertdir should be handled differently

Status in OpenStack Identity (keystone):
  New
