"requests.exceptions.SSLError" in VMware Integrated OpenStack

Article ID: 342092

Products

VMware Integrated OpenStack

Issue/Introduction

To resolve this issue, change the hostname of the management-server.

Symptoms:
  • Running the VIOCLI command in VMware Integrated OpenStack fails with the error:

    Traceback (most recent call last):
    File "/usr/local/bin/viocli", line 10, in <module>
    sys.exit(main())
    File "/usr/local/lib/python2.7/dist-packages/viocli/cli.py", line 96, in main
    args.func(args, args.verbose)
    File "/usr/local/lib/python2.7/dist-packages/viocli/bundle/deployment.py", line 176, in handler
    self.initialize(args.deployment_name)
    File "/usr/local/lib/python2.7/dist-packages/viocli/bundle/base_bundle.py", line 74, in initialize
    self._conn.authenticate(self._oms_user, self._oms_password)
    File "/usr/local/lib/python2.7/dist-packages/viocli/bundle/common/oms_connection.py", line 55, in authenticate
    self._get_url('/oms/api/hello'), verify=self.cert_path)
    File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 469, in get
    return self.request('GET', url, **kwargs)
    File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 457, in request
    resp = self.send(prep, **send_kwargs)
    File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 569, in send
    r = adapter.send(request, **kwargs)
    File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 420, in send
    raise SSLError(e, request=request)
    requests.exceptions.SSLError: hostname 'oms.domain.local' doesn't match either of 'localhost.localdom', 'localhost'


  • The hostname and the certificate subject in the /opt/vmware/vio/etc/oms.crt file do not match.

    Note: localhost.localdom is the default name given to the management-server if no FQDN is configured in DNS for the management-server IP address.


Environment

VMware Integrated OpenStack 2.5.x
VMware Integrated OpenStack 2.0.x
VMware Integrated OpenStack 3.0.x

Cause

This issue occurs when the DNS A and PTR records for the management-server IP address are changed after the first boot of the VIO management-server.

During the first boot of the VMware Integrated OpenStack vApp, a certificate is created for the management-server, and it is used to register the plugin with vCenter Server. This certificate is created using the FQDN returned by a DNS reverse lookup of the IP address configured for the management-server in the vApp installation wizard. If the configured IP address did not have an associated PTR record, the certificate is created with the localhost.localdom DNS name.

When a PTR record is later defined for the management-server IP address and the management-server is restarted, the hostname changes to the value returned by the reverse lookup of the configured IP address. When the viocli command is run, it verifies the certificate against the hostname. If the two conflict, the viocli command fails with the error shown above.
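
The hostname check that fails in the traceback can be reproduced offline. The following is an added example, not VMware's code or part of viocli: it mirrors the name matching a TLS client performs, using certificates in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`. The two sample certificates and all function names are constructed for illustration from the names in the error message.

```python
# Added example: not VMware's code. Mirrors the hostname check behind the
# SSLError above. Certificates use the dict shape of ssl.SSLSocket.getpeercert().

def cert_dns_names(cert):
    """Names the check considers: SAN dNSName entries, else the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # the CN is only a fallback when no dNSName is present
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return names


def name_matches(pattern, hostname):
    """Case-insensitive match; '*' may only stand for the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) > 2:
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def check_hostname(hostname, cert):
    """Return (ok, message) for the name the client connects to."""
    names = cert_dns_names(cert)
    if any(name_matches(n, hostname) for n in names):
        return True, "hostname %r matches certificate" % hostname
    listed = ", ".join(repr(n) for n in names) or "no DNS names"
    return False, "hostname %r doesn't match %s" % (hostname, listed)


# Constructed sample data based on the names in the traceback above.
FIRST_BOOT_CERT = {  # created when the IP address had no PTR record
    "subject": ((("commonName", "localhost.localdom"),),),
    "subjectAltName": (("DNS", "localhost.localdom"), ("DNS", "localhost")),
}
REGENERATED_CERT = {  # assumed result of regenerating once the PTR record exists
    "subject": ((("commonName", "oms.domain.local"),),),
    "subjectAltName": (("DNS", "oms.domain.local"),),
}

if __name__ == "__main__":
    for label, cert in (("first boot", FIRST_BOOT_CERT),
                        ("regenerated", REGENERATED_CERT)):
        print(label, check_hostname("oms.domain.local", cert))
```

The first-boot certificate fails for `oms.domain.local` because neither of its two names equals the new hostname; the check passes only once the certificate carries the name the client actually connects to.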

Resolution

To resolve this issue, change the hostname of the management-server:
  1. Create a snapshot of the VMware Integrated OpenStack vApp.
  2. Shut down and power on the VMware Integrated OpenStack vApp.
  3. Connect to the management-server through SSH.
  4. Stop the oms services by running these commands:

    service oms stop
    service osvmw stop


  5. Take a backup of the /opt/vmware/vio/etc directory:

    cp -r /opt/vmware/vio/etc /root/etc_backup


  6. Take a snapshot of the management-server.
  7. Remove the files that block certificate regeneration by running this command:

    rm /opt/vmware/vio/etc/oms.lock /opt/vmware/vio/etc/guard.key

  8. Clean up the old certificate values by running this command:

    sed -i '/cms.*/d' /opt/vmware/vio/etc/vio_system.properties


  9. Run the script to generate a new certificate:

    /opt/vmware/vio/sysctl/scripts/generate-certs.sh `cat /opt/vmware/vio/etc/keystore.properties | grep keystorePass | awk -F"=" '{print $2}' | tr -d "\n"` oms oms_server /opt/vmware/vio/etc


  10. Modify the /opt/vmware/vio/etc/omjs.properties file and set oms.extension.registered to false to allow oms to register with vCenter Server using the new certificate.
  11. Restore the original guard.key and password:

    cp /root/etc_backup/guard.key /opt/vmware/vio/etc/

  12. Open the /opt/vmware/vio/etc/vio_system.properties file and locate the entry starting with:

    "cms.guard_keystore_pswd"

  13. Replace it with the same entry from the /root/etc_backup/vio_system.properties file.
  14. Stop and restart the VIO vApp.
  15. Log out from the vSphere Web Client.
  16. Clear the browser cache and log in to the vSphere Web Client.
  17. Go to the VMware Integrated OpenStack plugin and reconnect the OMS.
  18. Verify that you can run viocli commands, and then delete the snapshot.