search

pycontribs / pyrax

The Python SDK for the Rackspace Cloud
developer.rackspace.com
Apache License 2.0
237 stars 208 forks source link

Cannot initialise #545

Closed BobBall closed 9 years ago

BobBall commented 9 years ago

Trying to authenticate to access swift @ https://github.com/citrix-openstack/openstack-citrix-ci/blob/master/osci/swift_upload.py#L130

Cannot connect due to SSL issues, see below. This was working until yesterday, even with the novaclient warning.

I assume, from the code, this is trying to connect to https://identity.api.rackspacecloud.com/ (from an IAD VM no less) - but a quick manual check on the site didn't show something obviously wrong.

06:56:25 /home/jenkins/workspace/dsvm-tempest-xen/osci-env/local/lib/python2.7/site-packages/novaclient/v1_1/init.py:30: UserWarning: Module novaclient.v1_1 is deprecated (taken as a basis for novaclient.v2). The preferable way to get client class or object you can find in novaclient.client module. 06:56:25 warnings.warn("Module novaclient.v1_1 is deprecated (taken as a basis for " 06:56:25 Traceback (most recent call last): 06:56:25 File "/home/jenkins/workspace/dsvm-tempest-xen/osci-env/bin/osci-upload", line 9, in 06:56:25 load_entry_point('osci==0.0.dev0', 'console_scripts', 'osci-upload')() 06:56:25 File "/home/jenkins/workspace/dsvm-tempest-xen/openstack-citrix-ci/osci/swift_upload.py", line 172, in main 06:56:25 SwiftUploader().upload(local_dirs, cf_prefix, options.region, options.container) 06:56:25 File "/home/jenkins/workspace/dsvm-tempest-xen/openstack-citrix-ci/osci/swift_upload.py", line 130, in upload 06:56:25 region=region) 06:56:25 File "/home/jenkins/workspace/dsvm-tempest-xen/osci-env/local/lib/python2.7/site-packages/pyrax/init.py", line 429, in _wrapped 06:56:25 return fnc(_args, _kwargs) 06:56:25 File "/home/jenkins/workspace/dsvm-tempest-xen/osci-env/local/lib/python2.7/site-packages/pyrax/init.py", line 492, in set_credentials 06:56:25 tenant_id=tenant_id, region=region, authenticate=authenticate) 06:56:25 File "/home/jenkins/workspace/dsvm-tempest-xen/osci-env/local/lib/python2.7/site-packages/pyrax/identity/rax_identity.py", line 68, in set_credentials 06:56:25 region=region, tenant_id=tenant_id, authenticate=authenticate) 06:56:25 File "/home/jenkins/workspace/dsvm-tempest-xen/osci-env/local/lib/python2.7/site-packages/pyrax/base_identity.py", line 419, in set_credentials 06:56:25 self.authenticate() 06:56:25 File "/home/jenkins/workspace/dsvm-tempest-xen/osci-env/local/lib/python2.7/site-packages/pyrax/identity/rax_identity.py", line 83, in authenticate 06:56:25 password=password, api_key=api_key, tenant_id=tenant_id) 06:56:25 File "/home/jenkins/workspace/dsvm-tempest-xen/osci-env/local/lib/python2.7/site-packages/pyrax/base_identity.py", line 598, in authenticate 06:56:25 headers=headers, std_headers=False) 06:56:25 File "/home/jenkins/workspace/dsvm-tempest-xen/osci-env/local/lib/python2.7/site-packages/pyrax/base_identity.py", line 530, in method_post 06:56:25 return self._call("POST", uri, admin, data, headers, std_headers) 06:56:25 File "/home/jenkins/workspace/dsvm-tempest-xen/osci-env/local/lib/python2.7/site-packages/pyrax/base_identity.py", line 569, in _call 06:56:25 return pyrax.http.request(mthd, uri, _kwargs) 06:56:25 File "/home/jenkins/workspace/dsvm-tempest-xen/osci-env/local/lib/python2.7/site-packages/pyrax/http.py", line 63, in request 06:56:25 resp = req_method(uri, data=data, _kwargs) 06:56:25 File "/home/jenkins/workspace/dsvm-tempest-xen/osci-env/local/lib/python2.7/site-packages/requests/api.py", line 99, in post 06:56:25 return request('post', url, data=data, json=json, _kwargs) 06:56:25 File "/home/jenkins/workspace/dsvm-tempest-xen/osci-env/local/lib/python2.7/site-packages/requests/api.py", line 49, in request 06:56:25 response = session.request(method=method, url=url, _kwargs) 06:56:25 File "/home/jenkins/workspace/dsvm-tempest-xen/osci-env/local/lib/python2.7/site-packages/requests/sessions.py", line 461, in request 06:56:25 resp = self.send(prep, _send_kwargs) 06:56:25 File "/home/jenkins/workspace/dsvm-tempest-xen/osci-env/local/lib/python2.7/site-packages/requests/sessions.py", line 573, in send 06:56:25 r = adapter.send(request, *_kwargs) 06:56:25 File "/home/jenkins/workspace/dsvm-tempest-xen/osci-env/local/lib/python2.7/site-packages/requests/adapters.py", line 431, in send 06:56:25 raise SSLError(e, request=request) 06:56:25 requests.exceptions.SSLError: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

briancurtin commented 9 years ago

Can you turn on logging and then email your logs to sdk-support@rackspace.com so we can see for sure what is happening? If you enable the following and then pipe your script to stdout that should do it. Ideally you'll see the request strings and response bodies of any HTTP calls made.

The easiest way is create a ~/.pyrax.cfg with the following

[default]
identity_type = rackspace
debug = True
waky79 commented 9 years ago

With nova client using '--insecure' it works so it is a certificate issue.

BobBall commented 9 years ago

From a working system:

/tmp/osci/local/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:251: SecurityWarning: Certificate has no subjectAltName, falling back to check for a commonName for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)

This implies the issue with the certificate is with subjectAltName

briancurtin commented 9 years ago

That has been going on for a while now and not directly related to the issue you are seeing. The certificate in the environment is planned to be upgraded within the next few weeks.

briancurtin commented 9 years ago

Bob, can you confirm the Requests library you have installed? If it's 2.5.2, which was released yesterday, they updated the CA bundle that gets shipped with the package, and that appears to have broken verification.

>>> import requests
>>> requests.__version__
'2.5.2'
BobBall commented 9 years ago

I can confirm both that and that downgrading to 2.5.1 solves the issue.

briancurtin commented 9 years ago

That's good to hear. I'll report back with a longer term solution.

briancurtin commented 9 years ago

Bob - 2.5.3 was just uploaded which goes back to the previous CA bundle, so if you happen to upgrade or setup a new environment, it should be ok again.

waky79 commented 9 years ago

Great!

waky79 commented 9 years ago

Btw. I noticed during debugging that setting the pyrax "verify_ssl" configuration option to False did not set it for the authentication when setting credentials file. Is this a bug?

briancurtin commented 9 years ago

Please enter a separate issue.

BobBall commented 9 years ago

Thanks Brian - I think we're all good to close this issue now.