← Back to team overview

openstack team mailing list archive

Re: grizzly on ubuntu precise: auth error using glance index

 

My original keystone.conf differ than yours:  almost everything was
commented out:

[ssl]

[signing]
token_format = PKI

With the information you provide, 'glance index' never return.

there is nothing in the logs, but strace on the keystone process show:

read(6, "# Wrapper module for _ssl, providing some additional
facilities\n# implemented in Python.  Written by Bill
Janssen.\n\n\"\"\"\\\nThis module provides some more Pythonic support
for SSL.\n\nObject types:\n\n  SSLSocket -- subtype of socket.socket
which does SSL over th"..., 8192) = 8192
read(6, "es = 1024\n        if self._sslobj:\n            if flags !=
0:\n                raise ValueError(\n                  \"non-zero
flags not allowed in calls to recv_into() on %s\" %\n
self.__class__)\n            tmp_buffer = self.read(nbytes)\n    "...,
4096) = 4096
read(6, "lf, mode, bufsize, close=True)\n\n\n\ndef wrap_socket(sock,
keyfile=None, certfile=None,\n                server_side=False,
cert_reqs=CERT_NONE,\n                ssl_version=PROTOCOL_SSLv23,
ca_certs=None,\n                do_handshake_on_connect=True,\n
 "..., 4096) = 3652
read(6, "", 4096)                       = 0
close(6)                                = 0
munmap(0x7f3263133000, 4096)            = 0
write(2, "    ciphers)\n", 13)          = 13
write(2, "SSLError: [Errno 336265218] _ssl.c:351: error:140B0002:SSL
routines:SSL_CTX_use_PrivateKey_file:system lib\n", 107) = 107
write(2, "Removing descriptor: 6\n", 23) = 23
epoll_ctl(5, EPOLL_CTL_DEL, 6,
{EPOLLRDNORM|EPOLLRDBAND|EPOLLWRNORM|EPOLLMSG|0x4e9020, {u32=0,
u64=22205092589469696}}) = -1 EBADF (Bad file descriptor)



I've got the same error if i remove the /etc/keystone/ssl directory,
as it was before i ran keystone-manage pki-setup




2013/3/8 Miller, Mark M (EB SW Cloud - R&D - Corvallis) <mark.m.miller@xxxxxx>:
> What does your keystone.conf file have for the following sections?
>
> [signing]
> #token_format = UUID
> token_format = PKI
> certfile = /etc/keystone/ssl/certs/signing_cert.pem
> keyfile = /etc/keystone/ssl/private/signing_key.pem
> ca_certs = /etc/keystone/ssl/certs/ca.pemkey_size = 1024
> valid_days = 3650
> ca_password = None
> disable_pki = False
>
> [ssl]
> #enable = False
> enable = True
> certfile = /etc/keystone/ssl/certs/signing_cert.pem
> keyfile = /etc/keystone/ssl/private/signing_key.pem
> ca_certs = /etc/keystone/ssl/certs/ca.pem
> cert_required = False
>
> Mark
>
> -----Original Message-----
> From: openstack-bounces+mark.m.miller=hp.com@xxxxxxxxxxxxxxxxxxx [mailto:openstack-bounces+mark.m.miller=hp.com@xxxxxxxxxxxxxxxxxxx] On Behalf Of Olivier Archer
> Sent: Friday, March 08, 2013 5:51 AM
> To: openstack
> Subject: [Openstack] grizzly on ubuntu precise: auth error using glance index
>
> Hi,
>   From the documentation here :
> http://docs.openstack.org/trunk/openstack-compute/install/apt/content/ap_installinggrizzlyubuntuprecise.html
>
> I've got problems with 'glance index' :
> # glance index
> Authorization Failed: Unable to communicate with identity service:
> {"error": {"message": "An unexpected error prevented the server from
> fulfilling your request. Command 'openssl' returned non-zero exit
> status 3", "code": 500, "title": "Internal Server Error"}}. (HTTP 500)
>
> /var/log/keystone/keystone.log give:
> ERROR [keystone.common.cms] Signing error: Error opening signer
> certificate /etc/keystone/ssl/certs/signing_cert.pem
>
> So I've run
> # sudo keystone keystone-manage pki-setup
>
> to create certs file.
>
> But now, 'glance index' give me:
>
> Request returned failure status.
> Invalid OpenStack Identity credentials.
>
> and keystone.log give:
> WARNING [keystone.common.wsgi] Authorization failed. The request you
> have made requires authentication.
>
> my configuration is like the one in the doc:
>
> creds:
> export SERVICE_TOKEN=admin
> export OS_TENANT_NAME=admin
> export OS_USERNAME=admin
> export OS_PASSWORD=openstack
> export OS_AUTH_URL=http://100.10.10.115:5000/v2.0/
> export SERVICE_ENDPOINT=http://100.10.10.115:35357/v2.0/
>
> i've reinstalled everything from the begining from a fresh installed
> server, and i'm still stuck in this error...
>
>
>
>
> --
> Olivier Archer
> Océanographie spatiale - Ifremer
> 02 98 22 44 84
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>



-- 
Olivier Archer
Océanographie spatiale - Ifremer
02 98 22 44 84


References