Saturday, December 21, 2013

The one about SSL and signed certificates

Greetings Stackers!

Here's an example of a tiny thing that can ruin your day if you aren't paying close attention. 


  • in nova.conf the option ssl.ca_file switches on strict SSL certificate checking


Suppose you have signed certs everywhere except for one place. Well, you're gonna have a bad day, 'cuz in Nova you can only pick one of two modes: either *all* certs need to be signed by a CA, or *no* certs need to be signed by a CA. So, just be aware.

I've also found this example, https://gist.github.com/ssbarnea/8007689, that shows how setting global environment variables can change the behavior of libraries underneath Python without touching anything in Python itself. That means you can change Python's strictness about SSL globally without necessarily exposing any visible control anywhere within OpenStack's configurations.

You've been warned.
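Here is an added example (not from the original post or the linked gist): a small audit that lists environment variables able to change certificate trust underneath Python, and shows what the `ssl` module resolves as a result. The watch list is an assumption: `SSL_CERT_FILE` and `SSL_CERT_DIR` are read by OpenSSL, `REQUESTS_CA_BUNDLE` and `CURL_CA_BUNDLE` by the requests library.

```python
import os
import ssl

# Assumed watch list (not from the post): variables that change which CAs are
# trusted without any OpenStack option being touched.
#   SSL_CERT_FILE, SSL_CERT_DIR          -> read by OpenSSL
#   REQUESTS_CA_BUNDLE, CURL_CA_BUNDLE   -> read by the requests library
TRUST_VARS = ("SSL_CERT_FILE", "SSL_CERT_DIR",
              "REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")


def audit_tls_environment(environ=None):
    """Return (name, value, status) for every trust-related variable set."""
    environ = os.environ if environ is None else environ
    findings = []
    for name in TRUST_VARS:
        if name in environ:
            value = environ[name]
            status = ("overrides trust store" if os.path.exists(value)
                      else "path missing")
            findings.append((name, value, status))
    return findings


def effective_openssl_paths():
    """Report the CA file/dir Python's ssl module resolves right now."""
    paths = ssl.get_default_verify_paths()
    return {
        "cafile": paths.cafile,              # None if the file does not exist
        "capath": paths.capath,              # None if the dir does not exist
        "cafile_env": paths.openssl_cafile_env,
        "capath_env": paths.openssl_capath_env,
    }


if __name__ == "__main__":
    for name, value, status in audit_tls_environment():
        print("%s=%s (%s)" % (name, value, status))
    for key, value in sorted(effective_openssl_paths().items()):
        print("%s: %s" % (key, value))
```

Run it as the same user and with the same service environment as nova-compute, since environment variables are per process.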

Keyword spam to see if this post can get into a search engine:

Verify return code: 21 (unable to verify the first certificate)
nova-compute
vCenter unsigned SSL certificate
