
yahoo-eng-team team mailing list archive

[Bug 1289343] [NEW] enabling SSL config in keystone not working with ssl_setup certs

 

Public bug reported:

I've been trying to get SSL enabled in keystone with default certs
generated from the ssl_setup command, but not having much luck.

Here is my setup:

1. Updated the endpoint urls to https:

public_endpoint = https://192.168.255.208:5000/v2.0/
# admin_endpoint = http://localhost:%(admin_port)s/
admin_endpoint = https://192.168.255.208:35357/v2.0/

2. Updated SSL section:

[ssl]
enable = True
certfile = /etc/keystone/ssl/certs/keystone.pem
keyfile = /etc/keystone/ssl/private/keystonekey.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
ca_key = /etc/keystone/ssl/certs/cakey.pem
key_size = 1024
valid_days = 3650
cert_required = False
cert_subject= /C=US/ST=Unset/L=Unset/O=Unset/CN=192.168.255.208

3. restart keystone

4. keystone-manage ssl_setup --keystone-user keystone --keystone-group keystone

5. # ls -lart /etc/keystone/ssl/*
/etc/keystone/ssl/private:
total 12
drwxr-xr-x 4 keystone keystone 4096 Mar  6 15:34 ..
drwxr-x--- 2 keystone keystone 4096 Mar  6 15:34 .
-rw-r----- 1 keystone keystone  891 Mar  6 15:34 keystonekey.pem

/etc/keystone/ssl/certs:
total 48
-rw-r----- 1 keystone keystone    2 Mar  6 15:34 serial.old
-rw-r----- 1 keystone keystone 1920 Mar  6 15:34 openssl.conf
-rw-r----- 1 keystone keystone    0 Mar  6 15:34 index.txt.old
-rw-r----- 1 keystone keystone  887 Mar  6 15:34 cakey.pem
-rw-r--r-- 1 keystone keystone  908 Mar  6 15:34 ca.pem
drwxr-xr-x 4 keystone keystone 4096 Mar  6 15:34 ..
-rw-r--r-- 1 keystone keystone  676 Mar  6 15:34 req.pem
-rw-r--r-- 1 keystone keystone    3 Mar  6 15:34 serial
-rw-r--r-- 1 keystone keystone 2842 Mar  6 15:34 keystone.pem
-rw-r--r-- 1 keystone keystone   20 Mar  6 15:34 index.txt.attr
-rw-r--r-- 1 keystone keystone   64 Mar  6 15:34 index.txt
-rw-r--r-- 1 keystone keystone 2842 Mar  6 15:34 01.pem
drwxr-xr-x 2 keystone keystone 4096 Mar  6 18:05 .

6. My openrc has the following:

#!/bin/sh
export OS_NO_CACHE='true'
export OS_TENANT_NAME='openstack'
export OS_USERNAME='admin'
export OS_PASSWORD='secret'
#export OS_AUTH_URL='https://192.168.255.208:5000/v2.0/'
#export OS_AUTH_TOKEN='keystone_admin_token'
export OS_SERVICE_ENDPOINT='https://192.168.255.208:35357/v2.0/'
export OS_SERVICE_TOKEN='keystone_admin_token'
export OS_AUTH_STRATEGY='keystone'
export OS_REGION_NAME='RegionOne'

7. # keystone --debug role-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
REQ: curl -i -X GET https://192.168.255.208:35357/v2.0/OS-KSADM/roles -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: keystone_admin_token"
<attribute 'message' of 'exceptions.BaseException' objects> (HTTP Unable to establish connection to https://192.168.255.208:35357/v2.0/OS-KSADM/roles)

The same command with the --insecure flag works.

** Affects: keystone
     Importance: Undecided
         Status: New
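The failure in step 7 is the client rejecting a certificate it cannot chain to a CA it trusts; --insecure makes the command succeed only by switching verification off, so the X-Auth-Token then travels to whatever host answers on port 35357. The following added example (not code from keystone or python-keystoneclient) shows the two client settings side by side and issues the same request as role-list while verifying the ssl_setup certificate against a copy of ca.pem. The CA file location, the token value and the helper names (tls_context, is_verifying, endpoint_host, fetch_roles) are assumptions; the endpoint URL is the one from the report.

```python
"""Client-side TLS handling for a Keystone endpoint whose certificate was
produced by `keystone-manage ssl_setup`.

Added example, not code from keystone or python-keystoneclient.  Assumed
inputs (constructed, not from the bug): CA_FILE is a copy of the server's
/etc/keystone/ssl/certs/ca.pem placed on the client host, and TOKEN is a
placeholder.  ENDPOINT is the admin endpoint from the report.
"""
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit

ENDPOINT = "https://192.168.255.208:35357/v2.0/"
CA_FILE = "/root/keystone-ca.pem"          # assumed location of the copied ca.pem
TOKEN = "REPLACE_WITH_ADMIN_TOKEN"         # placeholder, never a real token


def tls_context(cafile=None, insecure=False):
    """Build the SSL context a client should use.

    insecure=True reproduces what the --insecure flag does: the chain is not
    verified and the hostname is not checked, so any certificate is accepted
    and an interposed host could read the X-Auth-Token.  Otherwise the context
    trusts only the given CA file (keystone's self-signed ca.pem) or, when
    cafile is None, the operating system's trust store, and requires the
    certificate to name the host being contacted.
    """
    if insecure:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def is_verifying(ctx):
    """True when the context both validates the chain and checks the name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def endpoint_host(url):
    """(host, port) the certificate must be valid for.

    The report's cert_subject ends in CN=192.168.255.208, an IP literal.  A
    client that connects to exactly that address and accepts a CN match (as
    the python-keystoneclient of the time did) succeeds; Python's own verifier
    only matches IP literals against a subjectAltName iPAddress entry, so a
    certificate carrying the IP solely in the CN may still be rejected here.
    """
    parts = urlsplit(url)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)


def fetch_roles(endpoint=ENDPOINT, token=TOKEN, cafile=CA_FILE, insecure=False):
    """Issue the same request as `keystone --debug role-list` (token bypass)
    and return (status, body).  A verification failure is reported as such
    instead of being papered over with insecure=True."""
    url = endpoint.rstrip("/") + "/OS-KSADM/roles"
    req = urllib.request.Request(
        url, headers={"X-Auth-Token": token, "User-Agent": "python-keystoneclient"})
    try:
        with urllib.request.urlopen(
                req, context=tls_context(cafile, insecure), timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            raise RuntimeError(
                f"certificate verification failed for {url}: "
                f"{exc.reason.verify_message}; hand the client keystone's ca.pem "
                "(OS_CACERT / --os-cacert) rather than using --insecure") from exc
        raise


if __name__ == "__main__":
    host, port = endpoint_host(ENDPOINT)
    print(f"verifying certificate presented by {host}:{port} against {CA_FILE}")
    status, body = fetch_roles()
    print(status, body[:200])
```

With python-keystoneclient the equivalent is `keystone --os-cacert /path/to/ca.pem role-list` (or `export OS_CACERT=/path/to/ca.pem` in openrc) after copying /etc/keystone/ssl/certs/ca.pem to the client host; on the server, `openssl verify -CAfile /etc/keystone/ssl/certs/ca.pem /etc/keystone/ssl/certs/keystone.pem` confirms that the generated pair chains correctly before the client is blamed. The 1024-bit key_size in the [ssl] section is also below what several current distributions' OpenSSL defaults accept, so a regenerated pair should use 2048 bits or more.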

** Description changed:

  I've been trying to get SSL enabled in keystone with default certs
  genereated from ssl_setup command, but not having much luck.
  
  Here is my setup:
  
  1. Updated the endpoint urls to https:
  
  public_endpoint = https://192.168.255.208:5000/v2.0/
  # admin_endpoint = http://localhost:%(admin_port)s/
  admin_endpoint = https://192.168.255.208:35357/v2.0/
  
  2. Updated SSL section :
  
  [ssl]
  enable = True
  certfile = /etc/keystone/ssl/certs/keystone.pem
  keyfile = /etc/keystone/ssl/private/keystonekey.pem
  ca_certs = /etc/keystone/ssl/certs/ca.pem
  ca_key = /etc/keystone/ssl/certs/cakey.pem
  key_size = 1024
  valid_days = 3650
  cert_required = False
  cert_subject= /C=US/ST=Unset/L=Unset/O=Unset/CN=192.168.255.208
  
  3. restart keystone
  
  4. keystone-manage ssl_setup --keystone-user keystone --keystone-group
  keystone
  
  5. # ls -lart /etc/keystone/ssl/*
  /etc/keystone/ssl/private:
  total 12
  drwxr-xr-x 4 keystone keystone 4096 Mar  6 15:34 ..
  drwxr-x--- 2 keystone keystone 4096 Mar  6 15:34 .
  -rw-r----- 1 keystone keystone  891 Mar  6 15:34 keystonekey.pem
  
  /etc/keystone/ssl/certs:
  total 48
  -rw-r----- 1 keystone keystone    2 Mar  6 15:34 serial.old
  -rw-r----- 1 keystone keystone 1920 Mar  6 15:34 openssl.conf
  -rw-r----- 1 keystone keystone    0 Mar  6 15:34 index.txt.old
  -rw-r----- 1 keystone keystone  887 Mar  6 15:34 cakey.pem
  -rw-r--r-- 1 keystone keystone  908 Mar  6 15:34 ca.pem
  drwxr-xr-x 4 keystone keystone 4096 Mar  6 15:34 ..
  -rw-r--r-- 1 keystone keystone  676 Mar  6 15:34 req.pem
  -rw-r--r-- 1 keystone keystone    3 Mar  6 15:34 serial
  -rw-r--r-- 1 keystone keystone 2842 Mar  6 15:34 keystone.pem
  -rw-r--r-- 1 keystone keystone   20 Mar  6 15:34 index.txt.attr
  -rw-r--r-- 1 keystone keystone   64 Mar  6 15:34 index.txt
  -rw-r--r-- 1 keystone keystone 2842 Mar  6 15:34 01.pem
  drwxr-xr-x 2 keystone keystone 4096 Mar  6 18:05 .
  
- 
  6. My openrc has the following:
  
  #!/bin/sh
  export OS_NO_CACHE='true'
  export OS_TENANT_NAME='openstack'
  export OS_USERNAME='admin'
- export OS_PASSWORD='Cisco123'
+ export OS_PASSWORD='secret'
  #export OS_AUTH_URL='https://192.168.255.208:5000/v2.0/'
  #export OS_AUTH_TOKEN='keystone_admin_token'
  export OS_SERVICE_ENDPOINT='https://192.168.255.208:35357/v2.0/'
  export OS_SERVICE_TOKEN='keystone_admin_token'
  export OS_AUTH_STRATEGY='keystone'
  export OS_REGION_NAME='RegionOne'
  
  7.# keystone --debug role-list
  WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
  REQ: curl -i -X GET https://192.168.255.208:35357/v2.0/OS-KSADM/roles -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: keystone_admin_token"
  <attribute 'message' of 'exceptions.BaseException' objects> (HTTP Unable to establish connection to https://192.168.255.208:35357/v2.0/OS-KSADM/roles)
  
  the same command with --insecure flag works.
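Review bot: the `-`/`+` pair that replaces `export OS_PASSWORD='Cisco123'` with `export OS_PASSWORD='secret'` redacts the description, but this notification reproduces the old value in the diff itself, so the edit does not un-disclose it; the admin password should be treated as public and changed rather than relying on the redaction. The same consideration applies to `export OS_SERVICE_TOKEN='keystone_admin_token'` if that is the real admin_token from keystone.conf: substitute a placeholder before posting, since the token alone bypasses authentication, as the WARNING line in step 7 states.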

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1289343

Title:
  enabling SSL config in keystone not working with ssl_setup certs

Status in OpenStack Identity (Keystone):
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1289343/+subscriptions

