Hi there!

I have an essex install that works, and am now trying to do the same thing but with SSL for keystone communication. I am using Ubuntu 12.04.

I followed http://docs.openstack.org/developer/keystone/configuration.html

On a remote box that will serve as my CA, I generated a self-signed root certificate:

    cd /etc/ssl
    sudo /usr/lib/ssl/misc/CA.pl -newca

This generated a /etc/ssl/demoCA/cacert.pem file, which I think is to be copied to my keystone node, wherever ca_certs in the config file points to. Right? So I have stored this file at /etc/ssl/cacert.pem

On my keystone box, I generate a certificate request:

    sudo openssl req -nodes -out keystone-req.pem -new -newkey rsa:2048 -keyout cert.key -days 1095
    sudo mv cert.key /etc/ssl/
    sudo chmod 0600 /etc/ssl/cert.key

I send a copy of keystone-req.pem to my CA box and sign it:

    cd /etc/ssl
    sudo openssl ca -policy policy_anything -out keystone-cert.crt -infiles keystone-req.pem

I copy the signed keystone-cert.crt file back to my keystone box as /etc/ssl/keystone-cert.crt

I add the following to /etc/keystone/keystone.conf:

    [ssl]
    enable = True
    certfile = /etc/ssl/keystone-cert.crt
    keyfile = /etc/ssl/cert.key
    ca_certs = /etc/ssl/cacert.pem
    cert_required = True

From there, I was expecting to "just" have to restart keystone and start using the keystone client with an https SERVICE_ENDPOINT environment variable, so I could create services, tenants, users and so on. However, it looks to me like keystone is not even trying to negotiate an SSL handshake:

    $ export SERVICE_ENDPOINT=https://192.168.122.3:35357/v2.0/
    $ export SERVICE_TOKEN=whatever
    $ keystone user-list
    No handlers could be found for logger "keystoneclient.client"
    Unable to communicate with identity service: [Errno 1] _ssl.c:504: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol. (HTTP 400)

From a tcpdump:

    #########################################
    ...........P....e...O..........4..6w....q}...V... .".!.9.8.........5............... ...
    .........3.2.....E.D...../...A..................I......... .4.2... ........... ...................................#.......<head>
    <title>Error response</title>
    </head>
    <body>
    <h1>Error response</h1>
    <p>Error code 400.
    <p>Message: Bad request syntax ('\x16\x03\x01\x00\xcd\x01\x00\x00\xc9\x03\x02P\x1b\x86\x7f\xaee\x03\xb9\x88O\x9b\xf9\xa6\xff\x85\xea\xe8\xf7\x9e\xe64\x8f\xc86w\xa1\xd7\xb6\xc3q}\x03\x00\x00V\xc0\x14\xc0').
    <p>Error code explanation: 400 = Bad request syntax or unsupported method.
    </body>
    ##########################################

I do not understand what I am doing wrong, nor am I 100% sure this is supposed to work yet. According to the following blueprint, I think it should be available in essex:

https://blueprints.launchpad.net/keystone/+spec/2-way-ssl

At the bottom of the blueprint, there are 2 "addressed by" links with a set of patches:

https://review.openstack.org/1038
https://review.openstack.org/7706

But I do not find any trace of those patches in the ubuntu package:

    ii  keystone              2012.1+stable~20120608-aff45d6-0ubuntu1  OpenStack identity service - Daemons
    ii  python-keystone       2012.1+stable~20120608-aff45d6-0ubuntu1  OpenStack identity service - Python library
    ii  python-keystoneclient 2012.1-0ubuntu1                          Client libary for Openstack Keystone API

I also fail to find any trace of those in a git checkout of the refs/heads/stable/essex branch of keystone's git repository.

I am confused. Any help would be appreciated.
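The bytes quoted in the 400 body are the start of the client's TLS ClientHello, echoed back by a listener that parsed them as an HTTP request line: that is exactly the symptom of a plaintext server behind an https:// endpoint. The script below is an added example written for this thread, not code from the poster, Keystone or the OpenStack project. It decodes that quoted record (constructed here from the bytes in the post) to show what the client sent, and classifies a server's first response bytes as TLS or plaintext HTTP. The probe_endpoint helper is an assumed diagnostic, not a Keystone tool, and it only classifies the listener; it deliberately disables certificate checks for that purpose.

```python
"""Decode the TLS ClientHello that a plaintext HTTP listener echoes back in a
400 response, and classify what a listener speaks first.

Added example for this thread; not code from Keystone or OpenStack.
"""
import socket
import ssl

# Sample input, constructed from the bytes quoted in the HTTP 400 body above:
# a TLS ClientHello that the plaintext Keystone listener tried to parse as an
# HTTP request line. The body is cut off, so the cipher suite list is partial.
SAMPLE_BAD_REQUEST = (
    b"\x16\x03\x01\x00\xcd\x01\x00\x00\xc9\x03\x02P\x1b\x86\x7f\xaee\x03\xb9"
    b"\x88O\x9b\xf9\xa6\xff\x85\xea\xe8\xf7\x9e\xe64\x8f\xc86w\xa1\xd7\xb6\xc3q}"
    b"\x03\x00\x00V\xc0\x14\xc0"
)

TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
RECORD_TYPES = {0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake", 0x17: "application_data"}


def describe_client_hello(data: bytes) -> dict:
    """Parse the TLS record header and the leading fields of a ClientHello
    (RFC 5246 layout). Tolerates a truncated cipher suite list."""
    if len(data) < 11 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    info = {
        "record_type": RECORD_TYPES[data[0]],
        "record_version": TLS_VERSIONS.get((data[1], data[2]), "unknown"),
        "record_length": int.from_bytes(data[3:5], "big"),
        "handshake_type": "ClientHello",
        "handshake_length": int.from_bytes(data[6:9], "big"),
        "client_version": TLS_VERSIONS.get((data[9], data[10]), "unknown"),
    }
    # ClientHello.random: 4-byte gmt_unix_time followed by 28 random bytes
    if len(data) >= 43:
        info["gmt_unix_time"] = int.from_bytes(data[11:15], "big")
    # session_id<0..32> length byte, then cipher_suites<2..2^16-2> length
    pos = 43
    if len(data) > pos:
        sid_len = data[pos]
        pos += 1 + sid_len
        if len(data) >= pos + 2:
            suites_len = int.from_bytes(data[pos:pos + 2], "big")
            pos += 2
            info["cipher_suite_count"] = suites_len // 2
            if len(data) >= pos + 2:
                info["first_cipher_suite"] = int.from_bytes(data[pos:pos + 2], "big")
            # record whether the quoted bytes stop before the suite list ends
            info["truncated"] = len(data) < pos + suites_len
    return info


def classify_first_bytes(data: bytes) -> str:
    """Tell a TLS record (alert or handshake, version 3.x) apart from plaintext HTTP."""
    if data[:1] in (b"\x15", b"\x16") and data[1:2] == b"\x03":
        return "tls"
    first_word = data.split(b" ", 1)[0]
    if data.startswith(b"HTTP/") or first_word in (b"GET", b"POST", b"PUT", b"DELETE", b"HEAD"):
        return "plaintext-http"
    return "unknown"


def probe_endpoint(host: str, port: int, timeout: float = 5.0) -> str:
    """Assumed diagnostic helper (not part of Keystone): report whether
    host:port answers a TLS handshake or speaks plaintext HTTP. Network call,
    so it is not exercised offline. Certificate checks are disabled because
    only the protocol is being classified, not the peer's identity."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except ssl.SSLError:
        pass  # handshake refused: plaintext listener, or a TLS configuration problem
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        return classify_first_bytes(raw.recv(64))


if __name__ == "__main__":
    for key, value in describe_client_hello(SAMPLE_BAD_REQUEST).items():
        print(f"{key}: {value}")
    print("quoted bytes classify as:", classify_first_bytes(SAMPLE_BAD_REQUEST))
```

Run as-is, the script decodes the quoted record as a TLS 1.0 handshake record carrying a TLS 1.1 ClientHello with 43 offered cipher suites, the first being 0xC014 (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA). A listener that has SSL enabled would answer such a record with a ServerHello or an alert, never with an HTTP 400, so seeing this body is a reliable sign that the [ssl] section was not applied by the running service.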