openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #21576
Re: keystone help! keystone stop/waiting
On Mar 5, 2013, at 12:32 PM, Koert van der Veer <koert@xxxxxxxxxxxx> quoted Mballo Cherif:
>> $ sudo service keystone start
>> keystone start/running, process 15335
>> $ sudo service keystone status
>> keystone stop/waiting
>>
>> How can I fix this?
I'm having a similar problem with a grizzly front-end that I'm trying to get running. Turning up the logging detail with debug and verbose in /etc/keystone/keystone.conf, I can see that ssl is turned off but signing is turned on. Here's slices from /var/log/keystone/keystone.log:
> 2013-03-05 12:20:16 DEBUG [keystone-all] ssl.ca_certs = None
> 2013-03-05 12:20:16 DEBUG [keystone-all] ssl.cert_required = False
> 2013-03-05 12:20:16 DEBUG [keystone-all] ssl.certfile = None
> 2013-03-05 12:20:16 DEBUG [keystone-all] ssl.enable = False
> 2013-03-05 12:20:16 DEBUG [keystone-all] ssl.keyfile = None
>
> [ ... deletia ... ]
>
> 2013-03-05 12:20:16 DEBUG [keystone-all] signing.ca_certs = /etc/keystone/ssl/certs/ca.pem
> 2013-03-05 12:20:16 DEBUG [keystone-all] signing.ca_password = None
> 2013-03-05 12:20:16 DEBUG [keystone-all] signing.certfile = /etc/keystone/ssl/certs/signing_cert.pem
> 2013-03-05 12:20:16 DEBUG [keystone-all] signing.key_size = 1024
> 2013-03-05 12:20:16 DEBUG [keystone-all] signing.keyfile = /etc/keystone/ssl/private/signing_key.pem
> 2013-03-05 12:20:16 DEBUG [keystone-all] signing.token_format = PKI
> 2013-03-05 12:20:16 DEBUG [keystone-all] signing.valid_days = 3650
In contrast, here are the corresponding sections from /etc/keystone/keystone.conf:
> [ssl]
> #enable = True
> #certfile = /etc/keystone/ssl/certs/keystone.pem
> #keyfile = /etc/keystone/ssl/private/keystonekey.pem
> #ca_certs = /etc/keystone/ssl/certs/ca.pem
> #cert_required = True
>
> [signing]
> #token_format = PKI
> #certfile = /etc/keystone/ssl/certs/signing_cert.pem
> #keyfile = /etc/keystone/ssl/private/signing_key.pem
> #ca_certs = /etc/keystone/ssl/certs/ca.pem
> #key_size = 1024
> #valid_days = 3650
> #ca_password = None
So, it looks to me like both ssl and signing are commented out (and turned off) in /etc/keystone/keystone.conf, but the log file is telling me that signing is actually turned on.
I'm sure you can imagine the problems that result from having signing turned on, but no /etc/keystone/ssl directory, much less anything under that hierarchy.
So, have I missed something obvious? Is there any other debugging info that I can provide that would be useful?
--
Brad Knowles <bknowles@xxxxxxxxxxxxxx>
Senior Consultant
Follow ups
References