'tls unsigned certificate when using terraform

The microstack.openstack project recently enabled/required tls authentication as outlined here. I am working on deploying an openstack cluster to microstack using a terraform example here. As a result of the change, I receive an unknown signed cert error when trying to create an openstack network client data source.

data "openstack_networking_network_v2" "terraform" {
name = "${var.pool}"
}

The error I get when calling terraform plan:

Error: Error creating OpenStack networking client: Post "https://XXX.XXX.XXX.132:5000/v3/auth/tokens": OpenStack connection error, retries exhausted. Aborting. Last error was: x509: certificate signed by unknown authority
with data.openstack_networking_network_v2.terraform,
on datasources.tf line 1, in data "openstack_networking_network_v2" "terraform":
1: data "openstack_networking_network_v2" "terraform" {

Is there a way to ignore the certificate error, so that I can successfully use terraform to create the openstack cluster? I have tried updating the generate-self-signed parameter, but I haven't seen any change in behavior:

sudo snap set microstack config.tls.generate-self-signed=false
sslterraformopenstackmicrostack


Solution 1:[1]

The problem was that I did not source the admin-openrc.sh file that I had downloaded from the horizon web page:

$ source admin-openrc.sh

Solution 2:[2]

I faced the same problem, if it could help, here my contribution :

sudo snap get microstack config.tls

Key                              Value

config.tls.cacert-path /var/snap/microstack/common/etc/ssl/certs/cacert.pem config.tls.cert-path /var/snap/microstack/common/etc/ssl/certs/cert.pem config.tls.compute {...} config.tls.generate-self-signed true config.tls.key-path /var/snap/microstack/common/etc/ssl/private/key.pem

In terraform directory, do :

cat /var/snap/microstack/common/etc/ssl/certs/cacert.pem : copy paste -> cacert.pem

cat /var/snap/microstack/common/etc/ssl/certs/cert.pem : copy/paste -> cert.pem

cat /var/snap/microstack/common/etc/ssl/private/key.pem : copy/past -> key.pem

And create a file in your terraform directory main.tf :

provider "openstack" {
  user_name   = "admin"
  tenant_name = "admin"
  password    = "pass" (get with sudo snap get microstack config.credentials.keystone-password)
  auth_url    = "https://host_ip:5000/v3"
  #insecure = true (uncomment & comment cacert_file + key line)
  cacert_file = "/terraform_dir/cacert.pem"
  #cert = "/terraform_dir/cert.pem" (if needed)
  key = "/terraform_dir/private.pem"
  region      = "microstack" (or regionOne)

}

To finish terraform plan/apply

Solution 3:[3]

I think insecure provider parameter is what you are looking for:

(Optional) Trust self-signed SSL certificates. If omitted, the OS_INSECURE environment variable is used.

Try:

provider "openstack" {
  insecure = true
}

Disclaimer: I haven't tried that.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Ted
Solution 2
Solution 3 Grzegorz Oledzki

Related Questions

Secure cookies flag always getting lost in first session after resetting IIS

Solving sslv3 alert handshake failure when trying to use a client certificate

Nginx the event was not signaled for 5s

Getting error "403 - Forbidden: Access is denied" on browser when user is NOT administrator

Disable SSLHandshakeException for a single connection

How to fix ssl.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1056)?

Library not loaded: /opt/local/lib/libssl.1.0.0.dylib (LoadError)

SSL certificate error for IE users only

Mongodb SSL - unable to get issuer certificate

Where can I find the WAMP error log?

How to convert certificate from PEM to JKS?

CondaHTTPError: HTTP 000 CONNECTION FAILED for url - Anaconda

Getting Chrome to accept self-signed localhost certificate

"ssl module in Python is not available" when installing package with pip3

getCipherSuite() returns SSL_NULL_WITH_NULL_NULL