openstack team mailing list archive

Re: keystone and ssl ?

Pierre,

In Diablo and Essex it is a common deployment pattern to serve Keystone via
SSL proxy or run Keystone as a mod_wsgi application directly.  Running like
this provides connection security between the clients and the Keystone
server.

Adam Young provided a good example of doing this via Apache httpd on a blog
post of his: http://adam.younglogic.com/2012/04/keystone-httpd/

Best,

Nate

On Aug 3, 2012 5:23 AM, "Pierre Amadio" <pierre.amadio@xxxxxxxxxxxxx> wrote:

> Hi there !
>
> I have an essex install that works, and am trying now to do the same
> thing but with SSL for keystone communication.
>
> I am using Ubuntu 12.04
>
> I followed http://docs.openstack.org/developer/keystone/configuration.html
>
> On a remote box that will serve as my CA, I generated a self-signed
> root certificate:
>
> cd /etc/ssl
> sudo /usr/lib/ssl/misc/CA.pl -newca
>
> This generated a /etc/ssl/demoCA/cacert.pem file which I think is to copy
> on my keystone node wherever ca_certs in the config file points to. Right ?
>
> So I have stored this file at /etc/ssl/cacert.pem
>
> On my keystone box, I generate a certificate request:
>
> sudo openssl req -nodes -out keystone-req.pem -new -newkey rsa:2048
> -keyout cert.key -days 1095
> sudo mv cert.key /etc/ssl/
> sudo chmod 0600 /etc/ssl/cert.key
>
> I send a copy of keystone-req.pem to my CA box and sign it:
>
> cd /etc/ssl
> sudo openssl ca -policy policy_anything -out keystone-cert.crt -infiles
> keystone-req.pem
>
> I copy back the signed keystone-cert.crt file to my keystone box as
> /etc/ssl/keystone-cert.crt
>
> I add the following to /etc/keystone/keystone.conf :
>
>     [ssl]
>     enable = True
>     certfile = /etc/ssl/keystone-cert.crt
>     keyfile = /etc/ssl/cert.key
>     ca_certs = /etc/ssl/cacert.pem
>     cert_required = True
>
> From there, I was expecting to "just" have to restart keystone and start
> using the keystone client with an https SERVICE_ENDPOINT environment
> variable so I could create services, tenants, users and so on.
>
> However, it looks to me like keystone is not even trying to negotiate an
> SSL handshake:
>
> $ export SERVICE_ENDPOINT=https://192.168.122.3:35357/v2.0/
> $ export SERVICE_TOKEN=whatever
> $ keystone user-list
>
> No handlers could be found for logger "keystoneclient.client"
> Unable to communicate with identity service: [Errno 1] _ssl.c:504:
> error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
> (HTTP 400)
>
> From a tcpdump:
>
> #########################################
> ...........P....e...O..........4..6w....q}...V...
> .".!.9.8.........5............... ...
> .........3.2.....E.D...../...A..................I.........
> .4.2... ...........
> ...................................#.......<head>
> <title>Error response</title>
> </head>
> <body>
> <h1>Error response</h1>
> <p>Error code 400.
> <p>Message: Bad request syntax
>
> ('\x16\x03\x01\x00\xcd\x01\x00\x00\xc9\x03\x02P\x1b\x86\x7f\xaee\x03\xb9\x88O\x9b\xf9\xa6\xff\x85\xea\xe8\xf7\x9e\xe64\x8f\xc86w\xa1\xd7\xb6\xc3q}\x03\x00\x00V\xc0\x14\xc0').
> <p>Error code explanation: 400 = Bad request syntax or unsupported method.
> </body>
> ##########################################
>
> I do not understand what I am doing wrong, nor am I 100% sure this is
> supposed to work yet.
>
> According to the following blueprint, I think it should be available in
> essex:
>
> https://blueprints.launchpad.net/keystone/+spec/2-way-ssl
>
> At the bottom of the blueprint, there are 2 "addressed by" links with a
> set of patches:
>
> https://review.openstack.org/1038
> https://review.openstack.org/7706
>
> But I do not find any trace of those patches in the Ubuntu package:
>
> ii  keystone
> 2012.1+stable~20120608-aff45d6-0ubuntu1 OpenStack identity service -
> Daemons
> ii  python-keystone
> 2012.1+stable~20120608-aff45d6-0ubuntu1 OpenStack identity service -
> Python library
> ii  python-keystoneclient           2012.1-0ubuntu1
>     Client libary for Openstack Keystone API
>
> I also fail to find trace of those in a git checkout of the
> refs/heads/stable/essex branch of keystone's git repository.
>
> I am confused.
>
> Any help would be appreciated.
>
>
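The bytes that Keystone echoes back in its 400 page are the beginning of a TLS ClientHello record (content type 0x16, record version 3.1, handshake type 0x01), and the HTML "Bad request syntax" reply shows a plain-HTTP listener trying to read that record as an HTTP request line; the client sees the plaintext reply where it expected a ServerHello and reports "unknown protocol". The following Python is an added example, not code from this thread or from Keystone, that decodes the quoted bytes and classifies a server's first reply bytes as TLS or plaintext, which is the quickest way to tell "the port is not speaking TLS at all" apart from a certificate or CA problem. The ClientHello sample is constructed from the capture quoted above; the ServerHello and HTTP status-line samples are made up for illustration.

```python
import struct

# Constructed sample: the prefix of the request that Keystone echoed back in its
# HTTP 400 page (the python repr quoted in the thread).  It is the start of a
# TLS ClientHello, cut off where the 400 page truncated it.
CLIENT_HELLO_PREFIX = (
    b"\x16\x03\x01\x00\xcd\x01\x00\x00\xc9\x03\x02P\x1b\x86\x7f\xaee\x03\xb9\x88O"
    b"\x9b\xf9\xa6\xff\x85\xea\xe8\xf7\x9e\xe64\x8f\xc86w\xa1\xd7\xb6\xc3q}\x03"
    b"\x00\x00V\xc0\x14\xc0"
)

# Constructed sample: what a plain-HTTP listener sends back when it receives
# that ClientHello (status line assumed; the thread only shows the HTML body).
PLAINTEXT_HTTP_REPLY = (
    b"HTTP/1.0 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
    b"<head>\n<title>Error response</title>\n</head>\n"
)

# Constructed sample: the first bytes a TLS listener answers with, a handshake
# record carrying a ServerHello (body zero-filled, only the headers matter here).
TLS_SERVER_HELLO = b"\x16\x03\x01\x00\x4a\x02\x00\x00\x46\x03\x01" + b"\x00" * 0x44

TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}


def parse_tls_record(data):
    """Decode the 5-byte TLS record header and, for handshake records, the
    4-byte handshake header plus the hello version that follows it."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    if content_type not in CONTENT_TYPES or major != 3:
        raise ValueError("not a TLS record")
    rec = {
        "content_type": CONTENT_TYPES[content_type],
        "record_version": TLS_VERSIONS.get((major, minor), "unknown"),
        "length": length,
    }
    if content_type == 22 and len(data) >= 9:
        hs_type = data[5]
        rec["handshake_type"] = HANDSHAKE_TYPES.get(hs_type, "other")
        rec["handshake_length"] = int.from_bytes(data[6:9], "big")
        if hs_type in (1, 2) and len(data) >= 11:
            rec["hello_version"] = TLS_VERSIONS.get((data[9], data[10]), "unknown")
    return rec


def parse_client_hello(data):
    """Walk the ClientHello body far enough to report the offered version,
    session id length and cipher suite list; tolerates a truncated capture."""
    rec = parse_tls_record(data)
    if rec.get("handshake_type") != "client_hello":
        raise ValueError("not a ClientHello")
    body = data[9:]                      # handshake body: version, random, ...
    version = TLS_VERSIONS.get((body[0], body[1]), "unknown")
    sid_len = body[34]                   # 2 version bytes + 32 random bytes
    pos = 35 + sid_len
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suite_bytes = body[pos:pos + suites_len]
    usable = len(suite_bytes) - len(suite_bytes) % 2
    suites = [struct.unpack("!H", suite_bytes[i:i + 2])[0] for i in range(0, usable, 2)]
    return {
        "version": version,
        "session_id_len": sid_len,
        "cipher_suite_count": suites_len // 2,
        "cipher_suites_seen": suites,
        "truncated": len(suite_bytes) < suites_len,
    }


def classify_server_reply(data):
    """Say whether the first bytes a server sent back look like TLS or plaintext."""
    if data[:1] == b"\x16" and data[1:2] == b"\x03":
        return "tls"
    if data.startswith(b"HTTP/") or data.lstrip().startswith(b"<"):
        return "plaintext-http"
    return "unknown"


def diagnose(server_reply):
    """Turn the classification into the next troubleshooting step."""
    kind = classify_server_reply(server_reply)
    if kind == "tls":
        return "listener speaks TLS; check the certificate chain and CA trust next"
    if kind == "plaintext-http":
        return ("listener answered in plaintext HTTP: TLS is not enabled on this port, "
                "so terminate TLS in front of it (SSL proxy or Apache mod_wsgi with mod_ssl)")
    return "unrecognised reply; capture more bytes"


if __name__ == "__main__":
    print(parse_tls_record(CLIENT_HELLO_PREFIX))
    print(parse_client_hello(CLIENT_HELLO_PREFIX))
    print(diagnose(PLAINTEXT_HTTP_REPLY))
```

Run against the quoted capture, the record header decodes as a 205-byte handshake record (record version TLS 1.0) holding a ClientHello that offers TLS 1.1 with 43 cipher suites, the first of them 0xC014; the reply classifier then reports plaintext HTTP, which points at the listener rather than at the certificates generated in the question.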
