[Bug 2137179] Re: Trove fails to authenticate with Keystone when using self-signed certificates

hamid lotfi 2137179 at bugs.launchpad.net
Sat Jan 31 10:30:03 UTC 2026


This bug is fixed:
https://review.opendev.org/c/openstack/trove/+/971875

** Changed in: openstack-trove (Ubuntu)
       Status: New => Fix Committed

** Changed in: openstack-trove (Ubuntu)
       Status: Fix Committed => Fix Released

** Attachment added: "https://review.opendev.org/c/openstack/trove/+/971875"
   https://review.opendev.org/c/openstack/trove/+/971875

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to openstack-trove in Ubuntu.
https://bugs.launchpad.net/bugs/2137179

Title:
  Trove fails to authenticate with Keystone when using self-signed
  certificates

Status in openstack-trove package in Ubuntu:
  Fix Released

Bug description:
  When Trove attempts to create a Keystone session using service credentials,
  the SSL verification options defined under [keystone_authtoken] are ignored.

  As a result, Trove fails to authenticate against Keystone deployments that use
  self-signed certificates or private CAs, producing SSL verification errors
  similar to the following:

  SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed:
  self-signed certificate in the certificate chain

  This happens because get_keystone_session() creates a keystoneauth1 Session
  without passing the 'verify' parameter, so keystone_authtoken.insecure and
  keystone_authtoken.cafile settings are not honored.

  Other OpenStack services explicitly propagate these SSL-related options when
  creating Keystone sessions.

  Steps to Reproduce:
  1. Deploy Keystone with a self-signed certificate or private CA.
  2. Configure Trove to use Keystone v3 authentication.
  3. Set keystone_authtoken.insecure = true
     OR configure keystone_authtoken.cafile.
  4. Start Trove services.
  5. Observe Trove failing to authenticate with Keystone.

  Expected Result:
  Trove should respect keystone_authtoken.insecure and keystone_authtoken.cafile
  settings when establishing a Keystone session.

  
  Actual Result:
  Trove fails with SSL certificate verification errors.

  Proposed Fix:
  Pass the SSL verification options derived from keystone_authtoken.insecure
  and keystone_authtoken.cafile into keystoneauth1.session.Session()
  when creating the Keystone session.

  
  Affects:
  - Trove (all supported releases)

  
  This issue affects deployments using internal or private PKI setups,
  which are common in production OpenStack environments.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openstack-trove/+bug/2137179/+subscriptions
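
The proposed fix described in the bug, sketched as an added example (not the Trove patch itself, and not code from the linked review). It derives the `verify` value for `keystoneauth1.session.Session()` from `insecure` and `cafile`; the helper names, the use of `configparser` in place of oslo.config, and the sample configuration values are assumptions made for illustration.

```python
import configparser
import os

# Constructed sample of the relevant section; host and path are placeholders.
SAMPLE_CONF = """
[keystone_authtoken]
auth_url = https://keystone.example.internal:5000/v3
insecure = false
cafile = /etc/ssl/certs/private-ca.pem
"""


def keystone_verify(conf_text, check_exists=False):
    """Map [keystone_authtoken] insecure/cafile to a Session 'verify' value.

    Returns False (verification disabled), a CA bundle path (trust that
    private CA), or True (verify against the system trust store).
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if not parser.has_section("keystone_authtoken"):
        return True
    section = parser["keystone_authtoken"]
    # insecure wins over cafile; it turns certificate checking off entirely.
    if section.getboolean("insecure", fallback=False):
        return False
    cafile = section.get("cafile", fallback="").strip()
    if not cafile:
        return True
    # Optionally fail at startup rather than on the first Keystone request.
    if check_exists and not os.path.isfile(cafile):
        raise FileNotFoundError("keystone_authtoken.cafile not found: " + cafile)
    return cafile


def make_keystone_session(conf_text, auth=None):
    """Hypothetical stand-in for get_keystone_session() with verify propagated."""
    from keystoneauth1 import session  # imported lazily; needs keystoneauth1
    return session.Session(auth=auth, verify=keystone_verify(conf_text))


if __name__ == "__main__":
    print("verify =", keystone_verify(SAMPLE_CONF))
```

For a private PKI, setting `cafile` keeps certificate verification enabled against the internal CA, whereas `insecure = true` removes it for every Keystone request the service makes.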