[Bug 2137179] [NEW] Trove fails to authenticate with Keystone when using self-signed certificates
hamid lotfi
2137179 at bugs.launchpad.net
Sun Dec 28 05:28:34 UTC 2025
Public bug reported:
When Trove attempts to create a Keystone session using service credentials,
the SSL verification options defined under [keystone_authtoken] are ignored.
As a result, Trove fails to authenticate against Keystone deployments that use
self-signed certificates or private CAs, producing SSL verification errors
similar to the following:
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed:
self-signed certificate in the certificate chain
This happens because get_keystone_session() creates a keystoneauth1 Session
without passing the 'verify' parameter, so keystone_authtoken.insecure and
keystone_authtoken.cafile settings are not honored.
Other OpenStack services explicitly propagate these SSL-related options when
creating Keystone sessions.
Steps to Reproduce:
1. Deploy Keystone with a self-signed certificate or private CA.
2. Configure Trove to use Keystone v3 authentication.
3. Set keystone_authtoken.insecure = true
OR configure keystone_authtoken.cafile.
4. Start Trove services.
5. Observe Trove failing to authenticate with Keystone.
Expected Result:
Trove should respect keystone_authtoken.insecure and keystone_authtoken.cafile
settings when establishing a Keystone session.
Actual Result:
Trove fails with SSL certificate verification errors.
Proposed Fix:
Pass the SSL verification options derived from keystone_authtoken.insecure
and keystone_authtoken.cafile into keystoneauth1.session.Session()
when creating the Keystone session.
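The fix described above, as an added example that is not Trove's own code: a small helper derives keystoneauth1's 'verify' argument from the insecure/cafile options (same precedence as keystoneauth1's own session loader), shown next to the session call with and without it. AuthTokenOpts stands in for the oslo.config [keystone_authtoken] group and the function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional, Union


@dataclass(frozen=True)
class AuthTokenOpts:
    """Subset of [keystone_authtoken] that controls TLS verification."""
    auth_url: str
    insecure: bool = False
    cafile: Optional[str] = None


def verify_from_authtoken(opts: AuthTokenOpts) -> Union[bool, str]:
    """Map insecure/cafile to the requests-style ``verify`` value.

    insecure = true  -> False  (verification disabled; insecure wins even if
                                cafile is also set, as in keystoneauth1's loader)
    cafile set       -> path to the CA bundle (private PKI; the safe choice)
    neither          -> True   (system trust store)
    """
    if opts.insecure:
        return False
    if opts.cafile:
        return opts.cafile
    return True


def get_keystone_session_before(opts: AuthTokenOpts):
    """The buggy shape: 'verify' never passed, so Session() always uses the
    system trust store and a private CA fails with CERTIFICATE_VERIFY_FAILED."""
    from keystoneauth1 import session as ks_session  # hypothetical call site
    return ks_session.Session()


def get_keystone_session_after(opts: AuthTokenOpts):
    """The proposed fix: propagate insecure/cafile into the Session."""
    from keystoneauth1 import session as ks_session
    return ks_session.Session(verify=verify_from_authtoken(opts))
```

With a private CA, prefer setting cafile over insecure = true: the former keeps certificate validation, the latter disables it for every Keystone call Trove makes.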
Affects:
- Trove (all supported releases)
This issue affects deployments using internal or private PKI setups,
which are common in production OpenStack environments.
** Affects: openstack-trove (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/2137179
Title:
Trove fails to authenticate with Keystone when using self-signed
certificates
Status in openstack-trove package in Ubuntu:
New