[Closed] SSL certificate verification fails when creating a cloud provider


#1

Hello, I’m getting an error creating a new OpenStack cloud provider.

I’ve defined a “Non-SSL” Security Protocol, but one of the OpenStack services (swift) has an https endpoint. The error is exactly with swift.

ERROR -- : <Fog> excon.error     #<Excon::Errors::CertificateError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError) Unable to verify certificate. This may be an issue with the remote host or with Excon.Excon has certificates bundled, but these can be customized.`Excon.defaults[:ssl_ca_path] = path_to_certs`, `ENV['SSL_CERT_DIR'] = path_to_certs`, `Excon.defaults[:ssl_ca_file] = path_to_file`, `ENV['SSL_CERT_FILE'] = path_to_file`, `Excon.defaults[:ssl_verify_callback] = callback` (see OpenSSL::SSL::SSLContext#verify_callback), or `Excon.defaults[:ssl_verify_peer] = false` (less secure).>
[----] E, [2016-05-19T16:03:46.402029 #11092:93b994] ERROR -- : MIQ(OpenstackHandle::StorageDelegate#handled_list) Unable to obtain collection: 'directories' in service: 'swift' using project scope: [...]
[...]

Is a “Non-SSL” security protocol Cloud Provider able to detect and connect to SSL services without verification? If not, any info about where to hack it?

Thanks.


#2

@gmccullough Can you review this question from @manel and forward it to an SME if necessary?


#3

@blomquisg @Ladas Can you help on this one?


#4

@manel Hello, we currently don’t support SSL setup per service. It doesn’t make much sense to use SSL partially, since it’s enough to have one non-SSL query and an attacker can get the token and get into the whole system.

So my advice would be to switch to non-ssl for all services.

If that is not possible, the place to hack would be here:

      if service == "Storage"
        ssl_options = 'ssl'
      else
        ssl_options = opts.delete(:ssl_options)
      end

Then, in the UI, set non-ssl.

If you use ssl-with-validation, paths to certificates will need to be set too. You should find that in our documentation.


#5

Thanks @Ladas,

I’ve tried your proposal and I got:

ERROR -- : <Fog> excon.error     #<Excon::Errors::CertificateError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError) Unable to verify certificate. This may be an issue with the remote host or with Excon.Excon has certificates bundled, but these can be customized.`Excon.defaults[:ssl_ca_path] = path_to_certs`, `ENV['SSL_CERT_DIR'] = path_to_certs`, `Excon.defaults[:ssl_ca_file] = path_to_file`, `ENV['SSL_CERT_FILE'] = path_to_file`, `Excon.defaults[:ssl_verify_callback] = callback` (see OpenSSL::SSL::SSLContext#verify_callback), or `Excon.defaults[:ssl_verify_peer] = false` (less secure).>

So I forced SSL without validation:

      if service == "Storage"
        ssl_options = 'ssl'
        security_protocol = 'ssl'
      else
        ssl_options = opts.delete(:ssl_options)
      end

Now I’m getting:

ERROR -- : <Fog> excon.error     #<Excon::Errors::SocketError: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol (OpenSSL::SSL::SSLError)>

Any idea?


#6

@manel Seems like your setup might require ssl_verify_peer=true.

Which would mean, you will need to use ssl-with-validation and provide paths to certificates, which can be defined in https://github.com/ManageIQ/manageiq/blob/0bc79089ddf8413975cd8b74461ba1f9e641ff73/config/settings.yml#L1032

Usage of that is e.g. here https://bugzilla.redhat.com/show_bug.cgi?id=1292409


I wrote a bad example; ssl_options holds the certificate paths in the case of ssl-with-validation.

The code should be:

      if service == "Storage"
        ssl_options = opts.delete(:ssl_options)
        security_protocol = 'ssl-with-validation'
      end


The ssl_options are not used for ‘ssl’, so it passed without error for you.
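The three outcomes discussed in this thread (a “certificate verify failed” error when peer verification is on but no CA is configured, a clean handshake once the CA is supplied or verification is switched off, and the “unknown protocol” failure from speaking TLS to an http endpoint) can be reproduced offline. The following is an added example written for this page, not ManageIQ, Fog or Excon code: it talks to Ruby’s OpenSSL bindings directly instead of going through Excon, builds a throwaway private CA and server certificate in memory, and runs each handshake over an in-process socket pair. The `excon_ssl_options` mapping from the provider’s Security Protocol setting to the Excon options named in the error message is an assumed illustration of the settings discussed in #4 and #6, not the project’s real code, and the names `make_cert`, `tls_handshake` and `swift.example.test` are likewise invented for the example.

```ruby
require "openssl"
require "socket"

# Assumed mapping (example code, not ManageIQ's) from a provider's Security
# Protocol setting to the Excon options named in the error message above.
# "ssl" disables peer verification; "ssl-with-validation" needs a CA bundle.
def excon_ssl_options(security_protocol, ca_file: nil)
  case security_protocol
  when "non-ssl" then {}
  when "ssl"     then { ssl_verify_peer: false }
  when "ssl-with-validation"
    raise ArgumentError, "ssl-with-validation needs a CA file" unless ca_file
    { ssl_verify_peer: true, ssl_ca_file: ca_file }
  else
    raise ArgumentError, "unknown security protocol #{security_protocol.inspect}"
  end
end

# Build a certificate in memory: a self-signed private CA, or a server
# certificate issued by that CA. Constructed for the example only.
def make_cert(subject, issuer_cert: nil, issuer_key: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = ca ? 1 : 2
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign", true))
  else
    cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
    cert.add_extension(ef.create_extension("subjectAltName", "DNS:swift.example.test"))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

CA_CERT, CA_KEY         = make_cert("/CN=Example private CA", ca: true)
SERVER_CERT, SERVER_KEY = make_cert("/CN=swift.example.test",
                                    issuer_cert: CA_CERT, issuer_key: CA_KEY)

# One TLS handshake over an in-process socket pair. The client side is set up
# the way Excon's ssl_verify_peer / ssl_ca_file ultimately configure OpenSSL.
# Returns :connected, :certificate_verify_failed or :handshake_error.
def tls_handshake(verify_peer:, ca_cert: nil, plaintext_server: false)
  client_io, server_io = Socket.pair(:UNIX, :STREAM)
  server = Thread.new do
    begin
      if plaintext_server
        # An http:// endpoint answers the ClientHello with plain HTTP, which the
        # client reports as "unknown protocol" / "wrong version number".
        server_io.readpartial(4096)
        server_io.write("HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
      else
        sctx = OpenSSL::SSL::SSLContext.new
        sctx.cert = SERVER_CERT
        sctx.key  = SERVER_KEY
        ssl = OpenSSL::SSL::SSLSocket.new(server_io, sctx)
        ssl.accept
        ssl.close
      end
    rescue StandardError
      # the client aborted the handshake; nothing more to do on this side
    ensure
      server_io.close unless server_io.closed?
    end
  end

  cctx = OpenSSL::SSL::SSLContext.new
  cctx.verify_mode = verify_peer ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
  if ca_cert
    store = OpenSSL::X509::Store.new # what ssl_ca_file / ssl_ca_path populate
    store.add_cert(ca_cert)
    cctx.cert_store = store
  end
  client = OpenSSL::SSL::SSLSocket.new(client_io, cctx)
  begin
    client.connect
    :connected
  rescue OpenSSL::SSL::SSLError => e
    e.message.include?("certificate verify failed") ? :certificate_verify_failed : :handshake_error
  rescue EOFError, SystemCallError
    :handshake_error
  ensure
    client_io.close unless client_io.closed? # drop the link; no close_notify needed here
    server.join
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "ssl (no verification):         #{tls_handshake(verify_peer: false)}"
  puts "ssl-with-validation, no CA:    #{tls_handshake(verify_peer: true)}"
  puts "ssl-with-validation, CA given: #{tls_handshake(verify_peer: true, ca_cert: CA_CERT)}"
  puts "ssl against an http endpoint:  #{tls_handshake(verify_peer: true, plaintext_server: true)}"
end
```

The second and third runs are the two sides of the Excon message quoted above: with `ssl_verify_peer` true and no CA, OpenSSL has nothing to chain the swift certificate to and fails closed; pointing it at the right CA (the ssl-with-validation path) is the fix, and `ssl_verify_peer = false` (the plain ssl setting) only makes the error go away by accepting any certificate. The last run is the "unknown protocol" case from #5: that error is not a certificate problem at all, it is a TLS client talking to an endpoint that answers in plaintext.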


#7

Thanks for your tips @Ladas,

Finally we’ve decided to migrate all services to SSL.