salt-cloud unable to create proxmox profile

[niq000]

I'm not able to create a new openVZ container via proxmox. I should mention that in the past (one or two salt versions ago, I was able to with the same provider and profiles).

# salt --versions-report
                  Salt: 2015.5.2
                Python: 2.7.6 (default, Jun 22 2015, 17:58:13)
                Jinja2: 2.7.2
              M2Crypto: 0.21.1
        msgpack-python: 0.3.0
          msgpack-pure: Not Installed
              pycrypto: 2.6.1
               libnacl: Not Installed
                PyYAML: 3.10
                 ioflo: Not Installed
                 PyZMQ: 14.0.1
                  RAET: Not Installed
                   ZMQ: 4.0.4
                  Mako: 0.9.1
 Debian source package: 2015.5.2+ds-1trusty1

/etc/salt/cloud.providers.d/proxmox.conf

proxmox-config:
  user: root@pam
  password: secret
  url: proxmox.ip_address
  provider: proxmox
  minion:
    master: salt.master.ip_address

/etc/salt/cloud.profiles.d/proxmox.conf

proxmox-ubuntu-sm:
  provider: proxmox-config
  image: local:vztmpl/ubuntu-14.04-x86_64-minimal.tar.gz
  technology: openvz
  password: secret
  host: proxmox.ip_address
  memory: 512
  swap: 256
  cpus: 1
  onboot: 0
  disk: 10
  ip_address: x.x.x.x

Output:

# salt-cloud -l debug -p proxmox-ubuntu-sm PROX-PROD-CI01
[DEBUG   ] Reading configuration from /etc/salt/cloud
[DEBUG   ] Reading configuration from /etc/salt/master
[DEBUG   ] Using cached minion ID from /etc/salt/minion_id: PROX-PROD-CFG01
[DEBUG   ] Missing configuration file: /etc/salt/cloud.providers
[DEBUG   ] Including configuration from '/etc/salt/cloud.providers.d/aws.conf'
[DEBUG   ] Reading configuration from /etc/salt/cloud.providers.d/aws.conf
[DEBUG   ] Including configuration from '/etc/salt/cloud.providers.d/digital_ocean.conf'
[DEBUG   ] Reading configuration from /etc/salt/cloud.providers.d/digital_ocean.conf
[DEBUG   ] Including configuration from '/etc/salt/cloud.providers.d/proxmox.conf'
[DEBUG   ] Reading configuration from /etc/salt/cloud.providers.d/proxmox.conf
[DEBUG   ] Missing configuration file: /etc/salt/cloud.profiles
[DEBUG   ] Including configuration from '/etc/salt/cloud.profiles.d/aws.conf'
[DEBUG   ] Reading configuration from /etc/salt/cloud.profiles.d/aws.conf
[DEBUG   ] Including configuration from '/etc/salt/cloud.profiles.d/digital_ocean.conf'
[DEBUG   ] Reading configuration from /etc/salt/cloud.profiles.d/digital_ocean.conf
[DEBUG   ] Including configuration from '/etc/salt/cloud.profiles.d/proxmox.conf'
[DEBUG   ] Reading configuration from /etc/salt/cloud.profiles.d/proxmox.conf
[DEBUG   ] Configuration file path: /etc/salt/cloud
[INFO    ] salt-cloud starting
[WARNING ] /usr/lib/python2.7/dist-packages/salt/cloud/clouds/digital_ocean.py:86: DeprecationWarning: The digital_ocean driver is deprecated and will be removed in Salt Beryllium. Please convert your digital ocean provider configs to use the digital_ocean_v2 driver.
[DEBUG   ] Could not LazyLoad parallels.avail_sizes
[DEBUG   ] LazyLoaded parallels.avail_locations
[DEBUG   ] Could not LazyLoad proxmox.avail_sizes
[DEBUG   ] Could not LazyLoad saltify.destroy
[DEBUG   ] Could not LazyLoad saltify.avail_sizes
[DEBUG   ] Could not LazyLoad saltify.avail_images
[DEBUG   ] Could not LazyLoad saltify.avail_locations
[DEBUG   ] LazyLoaded rackspace.reboot
[DEBUG   ] LazyLoaded openstack.list_locations
[DEBUG   ] LazyLoaded rackspace.list_locations
[DEBUG   ] Could not LazyLoad proxmox.optimize_providers
[DEBUG   ] The 'proxmox' cloud driver is unable to be optimized.
[DEBUG   ] LazyLoaded digital_ocean.optimize_providers
[DEBUG   ] The 'digital_ocean' cloud driver is unable to be optimized.
[DEBUG   ] Could not LazyLoad parallels.avail_sizes
[DEBUG   ] LazyLoaded parallels.avail_locations
[DEBUG   ] Could not LazyLoad proxmox.avail_sizes
[DEBUG   ] Could not LazyLoad saltify.destroy
[DEBUG   ] Could not LazyLoad saltify.avail_sizes
[DEBUG   ] Could not LazyLoad saltify.avail_images
[DEBUG   ] Could not LazyLoad saltify.avail_locations
[DEBUG   ] Could not LazyLoad parallels.avail_sizes
[DEBUG   ] LazyLoaded parallels.avail_locations
[DEBUG   ] LazyLoaded rackspace.reboot
[DEBUG   ] LazyLoaded openstack.list_locations
[DEBUG   ] LazyLoaded rackspace.list_locations
[DEBUG   ] Could not LazyLoad parallels.avail_sizes
[DEBUG   ] LazyLoaded parallels.avail_locations
[DEBUG   ] Could not LazyLoad proxmox.avail_sizes
[DEBUG   ] Could not LazyLoad saltify.destroy
[DEBUG   ] Could not LazyLoad saltify.avail_sizes
[DEBUG   ] Could not LazyLoad saltify.avail_images
[DEBUG   ] Could not LazyLoad saltify.avail_locations
[DEBUG   ] LazyLoaded rackspace.reboot
[DEBUG   ] LazyLoaded openstack.list_locations
[DEBUG   ] LazyLoaded rackspace.list_locations
[DEBUG   ] Using AWS endpoint: ec2.us-west-2.amazonaws.com
[DEBUG   ] AWS Request: https://ec2.us-west-2.amazonaws.com/?Action=DescribeInstances&Version=2014-10-01
[DEBUG   ] Could not LazyLoad proxmox.avail_sizes
[DEBUG   ] Could not LazyLoad saltify.destroy
[DEBUG   ] Could not LazyLoad saltify.avail_sizes
[DEBUG   ] Could not LazyLoad saltify.avail_images
[DEBUG   ] Could not LazyLoad saltify.avail_locations
[DEBUG   ] LazyLoaded rackspace.reboot
[DEBUG   ] LazyLoaded openstack.list_locations
[DEBUG   ] LazyLoaded rackspace.list_locations
[DEBUG   ] Getting resource: vms.. (filter: None)
[DEBUG   ] Not authenticated yet, doing that now..
[INFO    ] Starting new HTTPS connection (1): api.digitalocean.com
[INFO    ] Starting new HTTPS connection (1): ec2.us-west-2.amazonaws.com
[INFO    ] Starting new HTTPS connection (1): proxmox.fqdn[redacted]
[DEBUG   ] Failed to execute 'proxmox.list_nodes()' while querying for running nodes: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/salt/cloud/__init__.py", line 2247, in run_parallel_map_providers_query
    cloud.clouds[data['fun']]()
  File "/usr/lib/python2.7/dist-packages/salt/cloud/clouds/proxmox.py", line 408, in list_nodes
    for vm_name, vm_details in get_resources_vms(includeConfig=True).items():
  File "/usr/lib/python2.7/dist-packages/salt/cloud/clouds/proxmox.py", line 299, in get_resources_vms
    resources = query('get', 'cluster/resources')
  File "/usr/lib/python2.7/dist-packages/salt/cloud/clouds/proxmox.py", line 124, in query
    _authenticate()
  File "/usr/lib/python2.7/dist-packages/salt/cloud/clouds/proxmox.py", line 112, in _authenticate
    full_url, verify=True, data=connect_data).json()
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 88, in post
    return request('post', url, data=data, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 44, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 455, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 558, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 385, in send
    raise SSLError(e)
SSLError: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[DEBUG   ] Setting read timeout to None
[DEBUG   ] Setting read timeout to None
[DEBUG   ] "GET /?Action=DescribeInstances&Version=2014-10-01 HTTP/1.1" 200 None
[DEBUG   ] AWS Response Status Code: 200
[DEBUG   ] "GET /v2/droplets/?page=1 HTTP/1.1" 200 None
[DEBUG   ] https://api.digitalocean.com/v2/droplets/?page=1
[DEBUG   ] Generating minion keys for 'PROX-PROD-CI01'
[DEBUG   ] MasterEvent PUB socket URI: ipc:///var/run/salt/master/master_event_pub.ipc
[DEBUG   ] MasterEvent PULL socket URI: ipc:///var/run/salt/master/master_event_pull.ipc
[DEBUG   ] Sending event - data = {'_stamp': '2015-07-23T05:25:16.628796'}
[DEBUG   ] Sending event - data = {'profile': 'proxmox-ubuntu-sm', 'event': 'starting create', '_stamp': '2015-07-23T05:25:16.630522', 'name': 'PROX-PROD-CI01', 'provider': 'proxmox-config:proxmox'}
[INFO    ] Creating Cloud VM PROX-PROD-CI01
[DEBUG   ] Not authenticated yet, doing that now..
[INFO    ] Starting new HTTPS connection (1): proxmox.fqdn[redacted]
[ERROR   ] Error creating PROX-PROD-CI01 on PROXMOX

The following exception was thrown when trying to run the initial deployment: 
[Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/salt/cloud/clouds/proxmox.py", line 497, in create
    data = create_node(vm_)
  File "/usr/lib/python2.7/dist-packages/salt/cloud/clouds/proxmox.py", line 708, in create_node
    newnode['vmid'] = _get_next_vmid()
  File "/usr/lib/python2.7/dist-packages/salt/cloud/clouds/proxmox.py", line 198, in _get_next_vmid
    return int(query('get', 'cluster/nextid'))
  File "/usr/lib/python2.7/dist-packages/salt/cloud/clouds/proxmox.py", line 124, in query
    _authenticate()
  File "/usr/lib/python2.7/dist-packages/salt/cloud/clouds/proxmox.py", line 112, in _authenticate
    full_url, verify=True, data=connect_data).json()
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 88, in post
    return request('post', url, data=data, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 44, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 455, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 558, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 385, in send
    raise SSLError(e)
SSLError: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Error: There was a profile error: Failed to deploy VM

[jfindlay]

@niq000, thanks for the report.

[rallytime]

@niq000 Thanks for the pull request. Does that fix resolve this issue for you?

[niq000]

I installed a wildcard certificate on my proxmox server, and still wasn't able to get things working when salt-cloud was verifying ssl. I'm not sure if that is an issue with my configuration, or something else. In regards to the pull request, I was able to successfully get things working with the changes I made.

In the little bit of research I did, it looks like salt cloud never used to verify ssl for proxmox (which is why i never had any problems in the past), but then that was changed with this commit (860d4b7). All I changed in the code was give an option in the proxmox provider file to give the user the choice to verify SSL or not instead of having it hard-coded on or off.

[rallytime]

@niq000 That makes sense and looks like it will certainly fix the issue for you. I don't know the details behind implementing #23329. @cro Can you comment about that? Does this fix seem reasonable as a work around for that?

[techhat]

Best security practices dictate that SSL be the default where ever it is available. Making it optional is acceptable, so long as the default is still to have it on.

[niq000]

@techhat the default is to verify ssl, even if it's not defined in the provider config file, but now the user has a choice to disable the verification by adding "verify_ssl: False" in the proxmox provider config file

[techhat]

@niq000, I understand, I was just clarifying why @cro made that PR.

[rallytime]

Thanks for the clarifications and for the fix!