openstack team mailing list archive

keystone and ssl ?

Hi there!

I have an Essex install that works, and am now trying to do the same
thing but with SSL for keystone communication.

I am using Ubuntu 12.04

I followed http://docs.openstack.org/developer/keystone/configuration.html

On a remote box that will serve as my CA, I generated a self-signed
root certificate:

cd /etc/ssl
sudo /usr/lib/ssl/misc/CA.pl -newca

This generated a /etc/ssl/demoCA/cacert.pem file, which I think is to be copied
onto my keystone node wherever ca_certs in the config file points to. Right?

So I have stored this file at /etc/ssl/cacert.pem

On my keystone box, I generate a certificate request:

sudo openssl req -nodes -out keystone-req.pem -new -newkey rsa:2048 \
    -keyout cert.key -days 1095
sudo mv cert.key /etc/ssl/
sudo chmod 0600 /etc/ssl/cert.key

I send a copy of keystone-req.pem to my CA box and sign it:

cd /etc/ssl
sudo openssl ca -policy policy_anything -out keystone-cert.crt \
    -infiles keystone-req.pem

I copy the signed keystone-cert.crt file back onto my keystone box as
/etc/ssl/keystone-cert.crt

I add the following to /etc/keystone/keystone.conf:

    [ssl]
    enable = True
    certfile = /etc/ssl/keystone-cert.crt
    keyfile = /etc/ssl/cert.key
    ca_certs = /etc/ssl/cacert.pem
    cert_required = True

From there, I was expecting to "just" have to restart keystone and start
using the keystone client with an https SERVICE_ENDPOINT environment
variable so I could create services, tenants, users and so on.

However, it looks to me like keystone is not even trying to negotiate an
SSL handshake:

$ export SERVICE_ENDPOINT=https://192.168.122.3:35357/v2.0/
$ export SERVICE_TOKEN=whatever
$ keystone user-list

No handlers could be found for logger "keystoneclient.client"
Unable to communicate with identity service: [Errno 1] _ssl.c:504:
error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
(HTTP 400)

From a tcpdump:

#########################################
...........P....e...O..........4..6w....q}...V...
.".!.9.8.........5............... ...
.........3.2.....E.D...../...A..................I.........
.4.2... ...........
...................................#.......<head>
<title>Error response</title>
</head>
<body>
<h1>Error response</h1>
<p>Error code 400.
<p>Message: Bad request syntax
('\x16\x03\x01\x00\xcd\x01\x00\x00\xc9\x03\x02P\x1b\x86\x7f\xaee\x03\xb9\x88O\x9b\xf9\xa6\xff\x85\xea\xe8\xf7\x9e\xe64\x8f\xc86w\xa1\xd7\xb6\xc3q}\x03\x00\x00V\xc0\x14\xc0').
<p>Error code explanation: 400 = Bad request syntax or unsupported method.
</body>
##########################################

I do not understand what I am doing wrong, nor am I 100% sure this is
supposed to work yet.

According to the following blueprint, I think it should be available in
Essex:

https://blueprints.launchpad.net/keystone/+spec/2-way-ssl

At the bottom of the blueprint, there are two "addressed by" links with a
set of patches:

https://review.openstack.org/1038
https://review.openstack.org/7706

But I do not find any trace of those patches in the Ubuntu packages:

ii  keystone               2012.1+stable~20120608-aff45d6-0ubuntu1  OpenStack identity service - Daemons
ii  python-keystone        2012.1+stable~20120608-aff45d6-0ubuntu1  OpenStack identity service - Python library
ii  python-keystoneclient  2012.1-0ubuntu1                          Client libary for Openstack Keystone API

I also fail to find any trace of those in a git checkout of the
refs/heads/stable/essex branch of keystone's git repository.

I am confused.

Any help would be appreciated.
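The bytes quoted back in the 400 page above are worth decoding, because they state exactly what was on the wire. The script below is an added example, not code from the original post or from keystone or keystoneclient; `parse_client_hello` and `classify_server_reply` are hypothetical helper names, `CAPTURED` is the repr from the error page turned into a bytes literal, and `PLAINTEXT_REPLY` is a constructed sample of the shape a plain-HTTP listener answers with, not a capture.

```python
"""Added example: decode the record a plain-HTTP server echoed back in its
400 page, and classify a server's first reply bytes as TLS or plaintext."""
import struct
from datetime import datetime, timezone

# Bytes from the 'Bad request syntax' page above. The server truncated the
# repr, so only the first cipher suite survives.
CAPTURED = (b'\x16\x03\x01\x00\xcd\x01\x00\x00\xc9\x03\x02P\x1b\x86\x7f\xaee'
            b'\x03\xb9\x88O\x9b\xf9\xa6\xff\x85\xea\xe8\xf7\x9e\xe64\x8f\xc86w'
            b'\xa1\xd7\xb6\xc3q}\x03\x00\x00V\xc0\x14\xc0')

# Constructed sample (not captured): the shape of a plain-HTTP error reply
# such as the one whose HTML body appears in the tcpdump above.
PLAINTEXT_REPLY = (b'HTTP/1.0 400 Bad request syntax\r\n'
                   b'Content-Type: text/html\r\n\r\n<head>')

CONTENT_TYPES = {0x14: 'change_cipher_spec', 0x15: 'alert',
                 0x16: 'handshake', 0x17: 'application_data'}
HANDSHAKE_TYPES = {0x01: 'client_hello', 0x02: 'server_hello'}
VERSIONS = {(3, 0): 'SSLv3', (3, 1): 'TLSv1.0', (3, 2): 'TLSv1.1',
            (3, 3): 'TLSv1.2'}


def parse_client_hello(data):
    """Walk the TLS record header, handshake header and ClientHello body."""
    if len(data) < 11 or data[0] != 0x16:
        raise ValueError('not a TLS handshake record')
    record_len = struct.unpack('!H', data[3:5])[0]
    handshake_type = data[5]
    if handshake_type != 0x01:
        raise ValueError('handshake message is not a ClientHello')
    handshake_len = int.from_bytes(data[6:9], 'big')
    random = data[11:43]                  # 32 bytes; first 4 = gmt_unix_time
    pos = 43
    session_id_len = data[pos]
    pos += 1 + session_id_len
    suites_len = struct.unpack('!H', data[pos:pos + 2])[0]
    pos += 2
    suite_bytes = data[pos:pos + suites_len]   # shorter than suites_len if cut
    suites = [struct.unpack('!H', suite_bytes[i:i + 2])[0]
              for i in range(0, len(suite_bytes) - len(suite_bytes) % 2, 2)]
    return {
        'content_type': CONTENT_TYPES.get(data[0], 'unknown'),
        'record_version': VERSIONS.get((data[1], data[2]), 'unknown'),
        'record_length': record_len,
        'handshake_type': HANDSHAKE_TYPES.get(handshake_type, 'unknown'),
        'handshake_length': handshake_len,
        'client_version': VERSIONS.get((data[9], data[10]), 'unknown'),
        'gmt_unix_time': struct.unpack('!I', random[:4])[0],
        'session_id_length': session_id_len,
        'cipher_suites_declared': suites_len // 2,
        'cipher_suites': suites,
        'truncated': len(data) < 5 + record_len,
    }


def classify_server_reply(first_bytes):
    """A TLS record starts with a content type byte and major version 3;
    a plaintext HTTP listener starts its reply with a status line."""
    if (len(first_bytes) >= 3 and first_bytes[0] in CONTENT_TYPES
            and first_bytes[1] == 3):
        return 'tls'
    if first_bytes.startswith(b'HTTP/'):
        return 'plaintext_http'
    return 'unknown'


if __name__ == '__main__':
    hello = parse_client_hello(CAPTURED)
    for key, value in hello.items():
        if key == 'cipher_suites':
            value = [hex(s) for s in value]
        print('%-24s %s' % (key, value))
    when = datetime.fromtimestamp(hello['gmt_unix_time'], timezone.utc)
    print('%-24s %s' % ('client random time', when.isoformat()))
    print('%-24s %s' % ('server reply', classify_server_reply(PLAINTEXT_REPLY)))
```

Run as-is, the captured bytes decode as a TLS 1.0 record carrying a TLS 1.1 ClientHello (205-byte record, empty session id, 43 cipher suites declared, the first one 0xC014), and the constructed reply classifies as plaintext HTTP. A listener that parses a ClientHello as an HTTP request line is serving plain HTTP on that port, so confirming what the service actually binds on 35357 is the check to run before looking at the certificate or the CA chain.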