Unsigned cert error when using terraform

I am using terraform to set up a microstack.openstack cluster, and I’m having trouble passing authentication when trying to create a network client. I have seen the discussion here: MicroStack Ussuri (242), can we disable TLS? and the patch here: https://opendev.org/x/microstack/commit/064aae84589c8355dd283b6ce701c35a43d67c46

I have sourced the admin.rc file and I can successfully interact with the microstack via the cli. However, when I try to create a network client, I get a self-signed certificate error when executing ‘terraform plan’. The terraform code snippet:

data "openstack_networking_network_v2" "terraform" {
  name = "${var.pool}"
}

The terraform cli command:

terraform$ terraform plan -out=plan.txt

Error: Error creating OpenStack networking client: Post "https://10.12.246.132:5000/v3/auth/tokens": OpenStack connection error, retries exhausted. Aborting. Last error was: x509: certificate signed by unknown authority

with data.openstack_networking_network_v2.terraform,
on datasources.tf line 1, in data "openstack_networking_network_v2" "terraform":
1: data "openstack_networking_network_v2" "terraform" {

Do you have an example of how to ignore the self-signed cert in this case? Using “sudo snap set microstack config.tls.generate-self-signed=false” has not solved the problem. Thank you.

Hey tedpr,

As per this discussion MicroStack Ussuri (242), can we disable TLS? - microstack - Charmhub, we cannot disable TLS.

So, what you have to do to solve this is either add the CA-cert to your client (for example an ad-hoc fix for our use case would be to import the CA-cert to the JVM trust store).

A better way to solve this is to probably use a proxy to handle the TLS communication for your client; this is something known as SSL offloading or SSL termination.
To do so, you could for example set up an internal domain for your MicroStack instance, which points to your proxy (which contains the caCert for the MicroStack instance) and then forwards the connection using the proper certificate.

This information may be helpful to you: Using SSL Certificates with HAProxy | Servers for Hackers
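
The error text in the question is the one Go's crypto/x509 verifier returns (the Terraform OpenStack provider is written in Go), and the first fix in the reply above, adding the CA cert to the client, works by putting the issuing CA into the client's trust pool. The program below is an added example, not code from this thread or from MicroStack: it builds a constructed private CA and a server certificate for the endpoint IP shown in the error, then verifies that certificate with and without the CA trusted. The function names and certificate subjects are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// verifyKeystoneCert verifies a constructed server cert against a pool with or without its CA.
func verifyKeystoneCert(trustCA bool) error {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed private CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "constructed keystone"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IPAddresses: []net.IP{net.ParseIP("10.12.246.132")}} // endpoint IP from the error message
	caCert := newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	srvCert := newCert(srvTmpl, caCert, &srvKey.PublicKey, caKey) // signed with the CA's key
	roots := x509.NewCertPool() // explicit pool, so system roots are not consulted
	if trustCA {
		roots.AddCert(caCert) // the effect of importing the CA cert into the client
	}
	_, err := srvCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: "10.12.246.132"})
	return err
}

func main() {
	fmt.Println("CA not trusted:", verifyKeystoneCert(false))
	fmt.Println("CA trusted:    ", verifyKeystoneCert(true))
}
```

For Terraform itself, the OpenStack provider's `cacert_file` argument (or the `OS_CACERT` environment variable) is where the MicroStack CA certificate is supplied to get the second outcome.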

Thank you for responding Chris! I will take a look at the solutions you referenced.

It’s unfortunate that it’s not possible to disable TLS. Microstack is really valuable for testing out ideas and learning the openstack environment. Having to set up TLS before even getting started feels like an unnecessary barrier to entry for beginners…