[Bug 2137179] Fix included in openstack/trove 25.0.0.0rc1

OpenStack Infra 2137179 at bugs.launchpad.net
Tue Mar 17 10:56:06 UTC 2026


This issue was fixed in the openstack/trove 25.0.0.0rc1 Gazpacho release
candidate.

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to openstack-trove in Ubuntu.
https://bugs.launchpad.net/bugs/2137179

Title:
  Trove fails to authenticate with Keystone when using self-signed
  certificates

Status in openstack-trove package in Ubuntu:
  Fix Released

Bug description:
  When Trove attempts to create a Keystone session using service credentials,
  the SSL verification options defined under [keystone_authtoken] are ignored.

  As a result, Trove fails to authenticate against Keystone deployments that use
  self-signed certificates or private CAs, producing SSL verification errors
  similar to the following:

  SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed:
  self-signed certificate in the certificate chain

  This happens because get_keystone_session() creates a keystoneauth1 Session
  without passing the 'verify' parameter, so keystone_authtoken.insecure and
  keystone_authtoken.cafile settings are not honored.

  Other OpenStack services explicitly propagate these SSL-related options when
  creating Keystone sessions.

  Steps to Reproduce:
  1. Deploy Keystone with a self-signed certificate or private CA.
  2. Configure Trove to use Keystone v3 authentication.
  3. Set keystone_authtoken.insecure = true
     OR configure keystone_authtoken.cafile.
  4. Start Trove services.
  5. Observe Trove failing to authenticate with Keystone.

  Expected Result:
  Trove should respect keystone_authtoken.insecure and keystone_authtoken.cafile
  settings when establishing a Keystone session.

  
  Actual Result:
  Trove fails with SSL certificate verification errors.

  Proposed Fix:
  Pass the SSL verification options derived from keystone_authtoken.insecure
  and keystone_authtoken.cafile into keystoneauth1.session.Session()
  when creating the Keystone session.

  
  Affects:
  - Trove (all supported releases)

  
  This issue affects deployments using internal or private PKI setups,
  which are common in production OpenStack environments.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openstack-trove/+bug/2137179/+subscriptions
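
The mapping described under "Proposed Fix", as an added example that is not part of the bug report and is not Trove's actual patch: it derives the value for the 'verify' argument of keystoneauth1.session.Session() from keystone_authtoken.insecure and keystone_authtoken.cafile. The function name resolve_verify, the precedence of insecure over cafile, the missing-file check and the sample configuration are assumptions made for illustration.

```python
import configparser
import os

# Constructed sample of a trove.conf fragment (not taken from the bug report).
SAMPLE_CONF = """
[keystone_authtoken]
insecure = false
cafile = /etc/ssl/private-ca/ca.pem
"""


def resolve_verify(conf_text, file_exists=os.path.isfile):
    """Map [keystone_authtoken] insecure/cafile to a 'verify' value.

    Returns False (verification disabled), a CA bundle path (private CA),
    or True (system trust store). These are the three forms accepted by
    the 'verify' argument of keystoneauth1.session.Session().
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    section = "keystone_authtoken"
    insecure = parser.getboolean(section, "insecure", fallback=False)
    cafile = parser.get(section, "cafile", fallback="").strip()

    if insecure:
        # Assumed precedence: an explicit opt-out wins. This turns off
        # server authentication, so a cafile is the safer setting.
        return False
    if cafile:
        # Fail at startup rather than at the first Keystone request.
        if not file_exists(cafile):
            raise FileNotFoundError(
                "keystone_authtoken.cafile not found: " + cafile)
        return cafile
    # Neither option set: verify against the system CA bundle.
    return True


# Intended use (requires keystoneauth1, so it is left as a comment):
#   sess = session.Session(auth=auth, verify=resolve_verify(conf_text))
```

With a private CA, setting cafile keeps certificate verification on, whereas insecure = true accepts any certificate the endpoint presents.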



