yahoo-eng-team team mailing list archive

[Bug 1239894] Re: openstack services unable to reach to self-signed keystone

Agree that this is a doc bug, although keystoneclient doesn't currently
document usage for auth_token at all, beyond help attributes via
oslo.config / argparse (in this case... `cfg.BoolOpt('insecure',
default=False, help='Verify HTTPS connections.')` ). openstack-manuals
does have coverage on this topic though.

** Changed in: python-keystoneclient
       Status: New => Invalid

** Also affects: openstack-manuals
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1239894

Title:
  openstack services unable to reach to self-signed keystone

Status in OpenStack Compute (Nova):
  Invalid
Status in OpenStack Manuals:
  New
Status in Python client library for Keystone:
  Invalid

Bug description:
  We use a self-signed certificate with all openstack services. It all
  worked so far, but broke once keystoneclient v0.4.0 was released last
  week.

  As per this commit, keystoneclient by default uses insecure=False.
  https://github.com/openstack/python-keystoneclient/commit/20e166fd8a943ee3f91ba362a47e9c14c7cc5f4c

  This breaks self-signed instances. The openstack components {nova,
  glance, neutron} are unable to communicate with keystone. We don't use
  horizon or swift. I presume they are broken as well. The keystone
  client is happy though if we use the --insecure flag while using it
  directly.

  Ideally, we should introduce a new config parameter
  keystone_api_insecure. The insecure flag in keystoneclient should be
  defined based on this parameter. This should be fixed in all openstack
  services: nova, glance & neutron.

  [barumugam@build tempest]$ keystone --insecure tenant-list
  +----------------------------+----------------------------+---------+
  |             id             |            name            | enabled |
  +----------------------------+----------------------------+---------+
  |     csi-tenant-tempest     |     csi-tenant-tempest     |   True  |
  +----------------------------+----------------------------+---------+

  [barumugam@build tempest]$ nova --insecure list
  ERROR: Unauthorized (HTTP 401)

  Nova log:

  2013-10-13 00:01:56,680 (keystoneclient.middleware.auth_token): ERROR auth_token _http_request HTTP connection exception: [Errno 1] _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
  2013-10-13 00:01:56,682 (keystoneclient.middleware.auth_token): DEBUG auth_token _validate_user_token Token validation failure.
  Traceback (most recent call last):
    File "/usr/local/csi/share/csi-nova.venv/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 808, in _validate_user_token
      verified = self.verify_signed_token(user_token)
    File "/usr/local/csi/share/csi-nova.venv/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 1165, in verify_signed_token
      if self.is_signed_token_revoked(signed_text):
    File "/usr/local/csi/share/csi-nova.venv/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 1127, in is_signed_token_revoked
      revocation_list = self.token_revocation_list
    File "/usr/local/csi/share/csi-nova.venv/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 1217, in token_revocation_list
      self.token_revocation_list = self.fetch_revocation_list()
    File "/usr/local/csi/share/csi-nova.venv/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 1235, in fetch_revocation_list
      additional_headers=headers)
    File "/usr/local/csi/share/csi-nova.venv/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 739, in _json_request
      response = self._http_request(method, path, **kwargs)
    File "/usr/local/csi/share/csi-nova.venv/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 704, in _http_request
      raise NetworkError('Unable to communicate with keystone')

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1239894/+subscriptions
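A small detector for the failure signature in the nova log quoted above, added here as an example (it is not code from keystoneclient or from the reporter). It assumes the log line format shown in the report; the sample lines are the two quoted from the bug plus one constructed INFO line.

```python
import re
from datetime import datetime

# Line format as written by nova with the keystoneclient auth_token middleware,
# e.g. "2013-10-13 00:01:56,680 (keystoneclient.middleware.auth_token): ERROR auth_token _http_request <msg>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\((?P<logger>[\w.]+)\): (?P<level>[A-Z]+) (?P<module>\S+) (?P<func>\S+) "
    r"(?P<msg>.*)$"
)
# OpenSSL error string embedded in the connection exception:
# "error:<8 hex digits>:<library>:<function>:<reason>"
OPENSSL_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<fn>[^:]+):(?P<reason>[^:]+)$"
)

def parse_line(line):
    """Split one log line into fields; attach the OpenSSL error, if any."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")
    ssl_m = OPENSSL_RE.search(rec["msg"])
    rec["openssl"] = ssl_m.groupdict() if ssl_m else None
    return rec

def find_cert_verify_failures(lines):
    """Return auth_token records where keystone's certificate failed verification.

    A burst of these after a client upgrade usually means the service is not
    configured with the CA that signed keystone's certificate; the same
    signature would also appear if the TLS connection were being intercepted.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["logger"] != "keystoneclient.middleware.auth_token":
            continue
        if rec["openssl"] and rec["openssl"]["reason"].strip() == "certificate verify failed":
            hits.append(rec)
    return hits

# Sample input: the two lines from the bug report plus one constructed line.
SAMPLE_LOG = [
    "2013-10-13 00:01:56,680 (keystoneclient.middleware.auth_token): ERROR auth_token _http_request HTTP connection exception: [Errno 1] _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed",
    "2013-10-13 00:01:56,682 (keystoneclient.middleware.auth_token): DEBUG auth_token _validate_user_token Token validation failure.",
    "2013-10-13 00:01:57,001 (keystoneclient.middleware.auth_token): INFO auth_token _http_request Retrying request (constructed sample)",
]

if __name__ == "__main__":
    for rec in find_cert_verify_failures(SAMPLE_LOG):
        print(rec["ts"], rec["openssl"]["code"], rec["openssl"]["reason"])
```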