devstack, CA_BUNDLE, requests and pip

In the SSL patches I’m working on for OpenStack in devstack I’m trying to move away from relying on client-specific CA file options. There has been pushback from upstream projects on adding a new option for every server -> server connection (e.g. glance -> cinder, glance -> swift, etc.), so the goal is to trust the system CA bundle instead.

The system CA bundle was working nicely until I stood up a new dev box. Suddenly I was seeing a bunch of SSL verification errors.

The problem turned out to be requests. I was using the pip-installed requests, which ships and uses its own CA bundle (cacert.pem) by default, rather than the Fedora python-requests package, which is patched to use the system bundle in /etc/pki/tls/certs/ca-bundle.crt. The module contains this comment:

If you are packaging Requests, e.g., for a Linux distribution or a managed
environment, you can change the definition of where() to return a separately packaged CA bundle.

We return “/etc/pki/tls/certs/ca-bundle.crt” provided by the ca-certificates package.

So if you are having problems with trust, try installing the distro-specific package. It worked for me. You can confirm which bundle requests is actually using with requests.certs.where(); if it points into site-packages rather than /etc, you have the pip copy.
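The following is an added example, not code from the original post or from requests or devstack. It mirrors the precedence requests applies when choosing a CA bundle (an explicit verify= path, then the REQUESTS_CA_BUNDLE and CURL_CA_BUNDLE environment variables, then the module's own bundle from requests.certs.where()) so you can see why a pip-installed requests ignores the system trust store and what overrides it. The function names, the DISTRO_BUNDLES list and the diagnose() helper are assumptions chosen for this example.

```python
"""Resolve which CA bundle a requests call will actually verify against.

Added example for this post; it is not requests' own code. It reproduces the
precedence requests uses when trust_env is on: an explicit verify= path wins,
then REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, then requests.certs.where().
"""
import os

# Assumed distro bundle locations: Fedora/RHEL first, Debian/Ubuntu second.
DISTRO_BUNDLES = (
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/certs/ca-certificates.crt",
)


def module_bundle():
    """Path requests itself uses for verify=True, or None if requests is absent."""
    try:
        import requests.certs  # imported lazily so the example runs without requests
        return requests.certs.where()
    except ImportError:
        return None


def effective_ca_bundle(verify=True, env=None, default=None):
    """Return the bundle path a requests call verifies against (False if disabled).

    verify:  the value that would be passed as requests' verify= (True, False, path)
    env:     mapping used instead of os.environ, so this can be tested offline
    default: what requests.certs.where() would return, injected for testing
    """
    env = os.environ if env is None else env
    if verify is False:
        return False            # certificate verification switched off entirely
    if verify is not True:
        return verify           # caller supplied an explicit bundle path or directory
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if env.get(var):
            return env[var]     # first non-empty environment override wins
    return default if default is not None else module_bundle()


def is_distro_bundle(path):
    """True when the resolved bundle is the distribution's ca-certificates bundle."""
    return path in DISTRO_BUNDLES


def diagnose(env=None):
    """Explain why a plain requests call may distrust CAs the system trusts."""
    path = effective_ca_bundle(True, env)
    if path is None:
        return "requests is not installed; nothing to verify against"
    if is_distro_bundle(path):
        return "ok: requests uses the system bundle %s" % path
    return ("requests uses its own bundle %s; install the distro python-requests "
            "package or set REQUESTS_CA_BUNDLE=%s" % (path, DISTRO_BUNDLES[0]))


if __name__ == "__main__":
    print(diagnose())
```

Running the script on a box with the pip-installed requests prints a path under site-packages and the suggested fix; on a box with the Fedora package it reports the /etc/pki path. Setting REQUESTS_CA_BUNDLE is the quickest way to point an unpatched requests at the system store without adding per-service CA options to every OpenStack client.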
