
openstack team mailing list archive

Re: keystone help! keystone stop/waiting

 

Brad,

Use the following to turn off SSL and PKI.

Mark

-------------------------

[ssl]
enable = False
#certfile = /etc/keystone/ssl/certs/keystone.pem
#keyfile = /etc/keystone/ssl/private/keystonekey.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
#cert_required = True

[signing]
token_format = UUID
#token_format = PKI
#certfile = /etc/keystone/ssl/certs/signing_cert.pem
#keyfile = /etc/keystone/ssl/private/signing_key.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
#key_size = 1024
#valid_days = 3650
#ca_password = None



-----Original Message-----
From: openstack-bounces+mark.m.miller=hp.com@xxxxxxxxxxxxxxxxxxx [mailto:openstack-bounces+mark.m.miller=hp.com@xxxxxxxxxxxxxxxxxxx] On Behalf Of Brad Knowles
Sent: Tuesday, March 05, 2013 10:45 AM
To: Koert van der Veer
Cc: <openstack@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [Openstack] keystone help! keystone stop/waiting

On Mar 5, 2013, at 12:32 PM, Koert van der Veer <koert@xxxxxxxxxxxx> quoted Mballo Cherif:

>> $ sudo service keystone start
>> keystone start/running, process 15335
>> $ sudo service keystone status
>> keystone stop/waiting
>> 
>> How can I fix this?

I'm having a similar problem with a grizzly front-end that I'm trying to get running.  Turning up the logging detail with debug and verbose in /etc/keystone/keystone.conf, I can see that ssl is turned off but signing is turned on.  Here are slices from /var/log/keystone/keystone.log:

> 2013-03-05 12:20:16    DEBUG [keystone-all] ssl.ca_certs                   = None
> 2013-03-05 12:20:16    DEBUG [keystone-all] ssl.cert_required              = False
> 2013-03-05 12:20:16    DEBUG [keystone-all] ssl.certfile                   = None
> 2013-03-05 12:20:16    DEBUG [keystone-all] ssl.enable                     = False
> 2013-03-05 12:20:16    DEBUG [keystone-all] ssl.keyfile                    = None
> 
> 	[ ... deletia ... ]
> 
> 2013-03-05 12:20:16    DEBUG [keystone-all] signing.ca_certs               = /etc/keystone/ssl/certs/ca.pem
> 2013-03-05 12:20:16    DEBUG [keystone-all] signing.ca_password            = None
> 2013-03-05 12:20:16    DEBUG [keystone-all] signing.certfile               = /etc/keystone/ssl/certs/signing_cert.pem
> 2013-03-05 12:20:16    DEBUG [keystone-all] signing.key_size               = 1024
> 2013-03-05 12:20:16    DEBUG [keystone-all] signing.keyfile                = /etc/keystone/ssl/private/signing_key.pem
> 2013-03-05 12:20:16    DEBUG [keystone-all] signing.token_format           = PKI
> 2013-03-05 12:20:16    DEBUG [keystone-all] signing.valid_days             = 3650


In contrast, here are the corresponding sections from /etc/keystone/keystone.conf:

> [ssl]
> #enable = True
> #certfile = /etc/keystone/ssl/certs/keystone.pem
> #keyfile = /etc/keystone/ssl/private/keystonekey.pem
> #ca_certs = /etc/keystone/ssl/certs/ca.pem
> #cert_required = True
> 
> [signing]
> #token_format = PKI
> #certfile = /etc/keystone/ssl/certs/signing_cert.pem
> #keyfile = /etc/keystone/ssl/private/signing_key.pem
> #ca_certs = /etc/keystone/ssl/certs/ca.pem
> #key_size = 1024
> #valid_days = 3650
> #ca_password = None

So, it looks to me like both ssl and signing are commented out (and turned off) in /etc/keystone/keystone.conf, but the log file is telling me that signing is actually turned on.

I'm sure you can imagine the problems that result from having signing turned on, but no /etc/keystone/ssl directory, much less anything under that hierarchy.

So, have I missed something obvious?  Is there any other debugging info that I can provide that would be useful?

--
Brad Knowles <bknowles@xxxxxxxxxxxxxx>
Senior Consultant


_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
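
Added example (not part of the original messages and not keystone's own code): a Python check that compares the option dump in keystone.log with the uncommented lines of keystone.conf, lists every option that is in effect without being set in the file, and flags those that point at a file that does not exist. The function names and the shortened sample log and config are constructed here from the excerpts quoted in the thread.

```python
import configparser
import os
import re

# Startup option dump written with debug enabled, e.g.
# "... DEBUG [keystone-all] signing.token_format           = PKI"
LOG_RE = re.compile(r"DEBUG \[keystone-all\] (\w+)\.(\w+)\s*=\s*(.*)$")

def effective_options(log_text):
    """{(section, option): value} as the running service reports them."""
    return {(m.group(1), m.group(2)): m.group(3).strip()
            for m in map(LOG_RE.search, log_text.splitlines()) if m}

def explicit_options(conf_text):
    """{(section, option): value} for lines that are not commented out."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {(s, o): v for s in cp.sections() for o, v in cp.items(s)}

def defaulted(log_text, conf_text):
    """Options in effect per the log but never set in the file."""
    explicit = explicit_options(conf_text)
    return {k: v for k, v in effective_options(log_text).items()
            if k not in explicit}

def missing_files(options, exists=os.path.exists):
    """Options whose value is an absolute path that does not exist."""
    return sorted(k for k, v in options.items()
                  if v.startswith("/") and not exists(v))

# Constructed sample input: a few lines in the format quoted in the thread.
SAMPLE_LOG = """\
2013-03-05 12:20:16    DEBUG [keystone-all] ssl.enable                     = False
2013-03-05 12:20:16    DEBUG [keystone-all] signing.certfile               = /etc/keystone/ssl/certs/signing_cert.pem
2013-03-05 12:20:16    DEBUG [keystone-all] signing.keyfile                = /etc/keystone/ssl/private/signing_key.pem
2013-03-05 12:20:16    DEBUG [keystone-all] signing.token_format           = PKI
"""
SAMPLE_CONF = """\
[ssl]
#enable = True

[signing]
#token_format = PKI
#certfile = /etc/keystone/ssl/certs/signing_cert.pem
"""

if __name__ == "__main__":
    inherited = defaulted(SAMPLE_LOG, SAMPLE_CONF)
    for (section, option), value in sorted(inherited.items()):
        print(f"default in effect: [{section}] {option} = {value}")
    print("missing files:", missing_files(inherited))
```
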

