
yahoo-eng-team team mailing list archive

[Bug 1361441] [NEW] better handling for expired signing_cert.pem

 

Public bug reported:

While working on Barbican, I noted failing user authentications even
though I have a valid token.  I had to debug the openssl calls to see
that the root cause was an expired signing_cert.pem file.

Tracked this down to my keystone server, but had a hard time finding out
how to resolve this situation.  Asked on IRC and a launchpad bug was
suggested, so here it is.

I think there are actually 2 issues here:

1) some doc on how to handle expired certs - maybe just a paragraph in
troubleshooting about using keystone_manage and also cleaning up client
caches.

2) better ffdc (first failure data capture) so that the user (Barbican
in this case) will see that the root cause was an expired cert rather
than just a failed authentication.


I also found this (slightly) related question in ask.openstack:

https://ask.openstack.org/en/question/6402/keystone-ssl-certificate-expires-after-one-year/

and

http://www.blackmesh.com/blog/openstack-refusing-authentication-psh

Thanks!!

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1361441

Title:
  better handling for expired signing_cert.pem

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1361441/+subscriptions
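
Added example, not part of the original bug report or Keystone's code: a shell check that names an expired or soon-to-expire signing_cert.pem as the root cause, which is the diagnostic the report asks for. The function names, the 30-day warning window and the constructed self-signed certificate are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Keystone code): report certificate expiry as an explicit root cause.

# cert_status FILE [WARN_DAYS]: prints ok | expiring | expired | unreadable
cert_status() {
    cert=$1; warn_days=${2:-30}
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo unreadable; return 2; }
    # -checkend N exits non-zero when the certificate expires within N seconds
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || { echo expired; return 1; }
    openssl x509 -in "$cert" -noout -checkend "$((warn_days * 86400))" >/dev/null 2>&1 \
        || { echo expiring; return 1; }
    echo ok
}

# report_cert FILE [WARN_DAYS]: one log line with file, state and notAfter; fails unless ok
report_cert() {
    state=$(cert_status "$1" "${2:-30}") || true
    end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null | cut -d= -f2)
    echo "cert=$1 state=$state notAfter=${end:-unknown}"
    [ "$state" = ok ]
}

# make_constructed_cert DAYS OUT: throwaway self-signed certificate used only as sample input
make_constructed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=constructed-signing-cert" \
        -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

# Stand-alone run: check the paths given as arguments, or a constructed 1-day certificate
if [ "$#" -eq 0 ]; then
    demo_dir=$(mktemp -d)
    make_constructed_cert 1 "$demo_dir/signing_cert.pem"
    set -- "$demo_dir/signing_cert.pem"
fi
for c in "$@"; do report_cert "$c" || true; done
```

Run it with the path to the server's signing_cert.pem as the argument; a non-ok state printed here points at the certificate rather than at the token.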

