Refactor arg and configparser use of IP's and Ports.
This issue first started off as a report on the following issue (created by yours truly not properly testing his patch)
If you run keylime tenant without the -tp arg, it fails:
keylime_tenant -t 127.0.0.1 -v 127.0.0.1 -f excludes.txt --whitelist ~/whitelist.txt --exclude excludes.txt -c add
Using config file /etc/keylime.conf
2019-12-22 08:38:30.658 - keylime.tenant - WARNING - CAUTION: using default password for private key, please set private_key_pw to a strong password
2019-12-22 08:38:30.658 - keylime.tenant - INFO - Setting up client TLS in /var/lib/keylime/cv_ca
2019-12-22 08:38:30.665 - keylime.tenant - WARNING - Using default UUID D432FBB3-D2F1-4A97-9EF7-75BD81C00000
2019-12-22 08:38:30.665 - keylime.tenant - INFO - TPM PCR Mask from policy is 0x408000
2019-12-22 08:38:30.665 - keylime.tenant - INFO - TPM PCR Mask from policy is 0x808000
2019-12-22 08:38:30.752 - keylime.ima - WARNING - No boot_aggregate value found in whitelist, adding an empty one
Traceback (most recent call last):
  File "/usr/local/bin/keylime_tenant", line 11, in <module>
    load_entry_point('keylime==1.2', 'console_scripts', 'keylime_tenant')()
  File "/usr/local/lib/python3.7/site-packages/keylime-1.2-py3.7.egg/keylime/tenant.py", line 812, in main
    mytenant.do_cv()
  File "/usr/local/lib/python3.7/site-packages/keylime-1.2-py3.7.egg/keylime/tenant.py", line 492, in do_cv
    keylime_logging.log_http_response(lo
We need a validation check to make sure it's captured when the -tp arg is not used and it falls back to the configparser set value.
Now for the main issue
I think we need to better lay out and define IPs and ports. The whole lot are grouped in together at the top of the file, with no real outline on what is for connecting to a service and what is for a service to bind to. I will create another issue for this.
I have observed a few incorrect behaviours as well, for example for the -c delete command. This calls do_cvdelete, which then HTTP posts a DELETE to the verifier; however, it does not pass on the target IP. Instead it takes the IP from the config. Yet if you run the tenant command without a target IP (-t), it fails. So it's basically defining an arg as mandatory, yet not even using it.
keylime_tenant -v 127.0.0.1 -f excludes.txt --whitelist ~/whitelist.txt --exclude excludes.txt -c delete
Using config file /etc/keylime.conf
2019-12-22 09:07:36.581 - keylime.tenant - WARNING - CAUTION: using default password for private key, please set private_key_pw to a strong password
2019-12-22 09:07:36.582 - keylime.tenant - INFO - Setting up client TLS in /var/lib/keylime/cv_ca
Traceback (most recent call last):
  File "/usr/local/bin/keylime_tenant", line 11, in <module>
    load_entry_point('keylime==1.2', 'console_scripts', 'keylime_tenant')()
  File "/usr/local/lib/python3.7/site-packages/keylime-1.2-py3.7.egg/keylime/tenant.py", line 786, in main
    raise UserError("-t/--targethost is required for command %s"%args.command)
keylime.tenant.UserError: -t/--targethost is required for command delete
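The two checks the issue asks for, sketched as an added example (not keylime's code and not part of the original issue): validate the port whether it comes from -tp or from the configparser fallback, and require only the options a command actually consumes. The [tenant] section, the agent_port key, the --targetport long name, the REQUIRED table and the helper names are assumptions made for illustration.

```python
import argparse
import configparser

# Constructed sample config; the section and key names are hypothetical,
# not the real keylime.conf layout.
SAMPLE_CONF = "[tenant]\nagent_port = 9002\n"

# Options each command actually consumes (assumed for illustration).
REQUIRED = {"add": ("targethost",), "delete": ()}


class UserError(Exception):
    """Raised for bad user input, whether from the CLI or the config file."""


def valid_port(value, source):
    """Return value as an int port, or raise UserError naming its source."""
    try:
        port = int(value)
    except (TypeError, ValueError):
        raise UserError(f"{source}: port {value!r} is not an integer") from None
    if not 1 <= port <= 65535:
        raise UserError(f"{source}: port {port} is outside 1-65535")
    return port


def resolve(argv, conf_text=SAMPLE_CONF):
    """Parse argv, enforce per-command requirements, resolve the target port."""
    config = configparser.ConfigParser()
    config.read_string(conf_text)

    parser = argparse.ArgumentParser()
    parser.add_argument("-c", "--command", default="add", choices=sorted(REQUIRED))
    parser.add_argument("-t", "--targethost")
    parser.add_argument("-tp", "--targetport")
    args = parser.parse_args(argv)

    # Only demand what this command uses, so an unused option is never mandatory.
    for name in REQUIRED[args.command]:
        if getattr(args, name) is None:
            raise UserError(f"--{name} is required for command {args.command}")

    # The same validation applies to the CLI value and the config fallback,
    # so a missing or malformed config entry fails early with a clear message.
    if args.targetport is not None:
        port = valid_port(args.targetport, "-tp")
    else:
        raw = config.get("tenant", "agent_port", fallback=None)
        port = valid_port(raw, "config [tenant] agent_port")
    return {"command": args.command, "host": args.targethost, "port": port}
```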
Top GitHub Comments
@lukehinds Yeah, let’s fix it. I also observed this during my testing. Please assign it to me, I’ll take a look.
🎉 This issue has been resolved in version 4.0.1 🎉
The release is available on GitHub release
Your semantic-release bot 📦🚀