
yahoo-eng-team team mailing list archive

[Bug 1361441] Re: better handling for expired signing_cert.pem

 

PKI Tokens are deprecated; this is not something we're likely to fix due
to the deprecation and low priority.

** Changed in: keystone
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1361441

Title:
  better handling for expired signing_cert.pem

Status in OpenStack Identity (keystone):
  Won't Fix

Bug description:
  While working on Barbican, I noted failing user authentications even
  though I have a valid token.  I had to debug the openssl calls to see
  that the root cause was an expired signing_cert.pem file.

  Tracked this down to my keystone server, but had a hard time finding
  out how to resolve this situation.  Asked on IRC and a launchpad bug
  was suggested, so here it is.

  I think there are actually 2 issues here:

  1) some doc on how to handle expired certs - maybe just a paragraph in
  troubleshooting about using keystone_manage and also cleaning up
  client caches.

  2) better ffdc (first failure data capture) so that the user (Barbican
  in this case) will see that the root cause was an expired cert rather
  than just a failed authentication.

  
  I also found this (slightly) related question in ask.openstack:

  https://ask.openstack.org/en/question/6402/keystone-ssl-certificate-expires-after-one-year/

  and

  http://www.blackmesh.com/blog/openstack-refusing-authentication-psh

  Thanks!!

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1361441/+subscriptions
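
The check that item 2 of the bug description asks for, as an added example that is not keystone or Barbican code: a shell helper that reports an expired or soon-to-expire signing certificate as its own state instead of a generic authentication failure. The function names, the 30-day default window and the path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not keystone code): classify the state of a token-signing
# certificate so that an expiry shows up as its own failure reason.

# cert_state FILE [WARN_DAYS]
# Prints one of: missing | unreadable | expired | expiring | ok
cert_state() {
    cert=$1
    warn_days=${2:-30}

    [ -f "$cert" ] || { echo missing; return 0; }

    # Reject anything openssl cannot parse as an X.509 certificate.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo unreadable; return 0; }

    # -checkend N exits non-zero when the certificate expires within
    # N seconds, so N=0 means "already expired".
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$cert" -noout \
            -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# cert_report FILE [WARN_DAYS]
# One log-friendly line: the state plus the certificate's notAfter date.
cert_report() {
    state=$(cert_state "$1" "${2:-30}")
    case $state in
        missing|unreadable)
            echo "signing cert $1: $state" ;;
        *)
            end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
            echo "signing cert $1: $state (notAfter $end)" ;;
    esac
}

# Usage (the path is an assumption; pass the certfile your deployment signs with):
#   sh check_signing_cert.sh /etc/keystone/ssl/certs/signing_cert.pem 30
if [ $# -gt 0 ]; then
    cert_report "$@"
fi
```

Run it from cron or a monitoring probe against both the keystone server's certificate and any copy cached by a client service, since the report notes that client caches also need cleaning up.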

