
yahoo-eng-team team mailing list archive

[Bug 1635259] [NEW] Signing error: Unable to load certificate - ensure you have configured PKI with "keystone-manage pki_setup"

 

Public bug reported:

I have a fresh installation of OpenStack Newton based on Ubuntu 16.04. I
am using Ceph Object Gateway as the object storage implementation, which
regularly makes the following call: "GET
http://controller:5000/v3/auth/tokens/OS-PKI/revoked".

This call causes the following exception in the log of Keystone:
2016-10-20 14:30:33.764 13934 INFO keystone.common.wsgi [req-fccd6064-2c29-4929-8a68-8b439db14957 924990606827451ca0599a5dcc8fb2ec 76e3b8253287442bac2772138583cde9 - default default] GET http://os-identity:5000/v3/auth/tokens/OS-PKI/revoked
2016-10-20 14:30:33.889 13934 ERROR keystoneclient.common.cms [req-fccd6064-2c29-4929-8a68-8b439db14957 924990606827451ca0599a5dcc8fb2ec 76e3b8253287442bac2772138583cde9 - default default] Signing error: Unable to load certificate - ensure you have configured PKI with "keystone-manage pki_setup"
2016-10-20 14:30:33.890 13934 ERROR keystone.common.wsgi [req-fccd6064-2c29-4929-8a68-8b439db14957 924990606827451ca0599a5dcc8fb2ec 76e3b8253287442bac2772138583cde9 - default default] Command 'openssl' returned non-zero exit status 3
2016-10-20 14:30:33.890 13934 ERROR keystone.common.wsgi Traceback (most recent call last):
2016-10-20 14:30:33.890 13934 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 225, in __call__
2016-10-20 14:30:33.890 13934 ERROR keystone.common.wsgi     result = method(req, **params)
2016-10-20 14:30:33.890 13934 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/controller.py", line 164, in inner
2016-10-20 14:30:33.890 13934 ERROR keystone.common.wsgi     return f(self, request, *args, **kwargs)
2016-10-20 14:30:33.890 13934 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 590, in revocation_list
2016-10-20 14:30:33.890 13934 ERROR keystone.common.wsgi     CONF.signing.keyfile)
2016-10-20 14:30:33.890 13934 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystoneclient/common/cms.py", line 325, in cms_sign_text
2016-10-20 14:30:33.890 13934 ERROR keystone.common.wsgi     signing_key_file_name, message_digest=message_digest)
2016-10-20 14:30:33.890 13934 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystoneclient/common/cms.py", line 373, in cms_sign_data
2016-10-20 14:30:33.890 13934 ERROR keystone.common.wsgi     raise subprocess.CalledProcessError(retcode, 'openssl')
2016-10-20 14:30:33.890 13934 ERROR keystone.common.wsgi CalledProcessError: Command 'openssl' returned non-zero exit status 3
2016-10-20 14:30:33.890 13934 ERROR keystone.common.wsgi

This is my keystone.conf:

[DEFAULT]
debug = false
# NOTE: log_dir alone does not work for Keystone
log_file = /var/log/keystone/keystone.log
transport_url = rabbit://keystone:XYZ@os-rabbit01:5672,keystone:XYZ@os-rabbit02:5672/openstack

[assignment]
driver = sql

[cache]
backend = oslo_cache.memcache_pool
enabled = true
memcache_servers = os-memcache:11211

[credential]
provider = fernet
key_repository = /etc/keystone/credential-keys

[database]
connection = mysql+pymysql://keystone:XYZ@os-controller/keystone
max_retries = -1

[memcache]
servers = os-memcache:11211

[oslo_messaging_notifications]
driver = messagingv2

[oslo_messaging_rabbit]
amqp_durable_queues = true
rabbit_ha_queues = true
rabbit_retry_backoff = 2
rabbit_retry_interval = 1

[oslo_middleware]
enable_proxy_headers_parsing = true

[token]
driver = sql
provider = uuid

[extra_headers]
Distribution = Ubuntu

I know that with the Newton release a lot of things have been changed
regarding signing and PKI. How can calls to Keystone's revocation list
be handled in the Newton release without a PKI setup?

** Affects: keystone
     Importance: Undecided
         Status: New


-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1635259

Title:
  Signing error: Unable to load certificate - ensure you have configured
  PKI with "keystone-manage pki_setup"

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1635259/+subscriptions
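The traceback in the report shows the cause: revocation_list() in keystone/auth/controllers.py calls cms_sign_text() with CONF.signing.certfile and CONF.signing.keyfile even though [token] provider = uuid, so the OS-PKI revocation endpoint needs signing material that only "keystone-manage pki_setup" (or a CA of your own) would have created. The Python below is an added example written for this archive page; it is not code from the bug report, Keystone or Ceph. It parses a keystone.conf, checks that the [signing] cert and key exist and look like PEM, and correlates, by request id, a hit on /v3/auth/tokens/OS-PKI/revoked with the signing error in the Keystone log. The [signing] default paths and the Newton default token provider are assumptions; the config and log lines are constructed from the ones quoted in the report, and the filesystem is faked with a dict so the check runs offline.

```python
"""Added example: preflight for Keystone's CMS-signed revocation-list endpoint.
Keystone signs GET /v3/auth/tokens/OS-PKI/revoked with [signing] certfile/keyfile
regardless of the [token] provider, so uuid tokens with no signing material give
the "Unable to load certificate" error from the bug report."""
import configparser
import re

# Assumed [signing] defaults of Newton-era Keystone (assumption; verify against
# the keystone.conf.sample shipped with your package).
DEFAULT_CERTFILE = "/etc/keystone/ssl/certs/signing_cert.pem"
DEFAULT_KEYFILE = "/etc/keystone/ssl/private/signing_key.pem"

# Constructed sample: the relevant parts of the reporter's keystone.conf.
SAMPLE_CONF = """\
[DEFAULT]
debug = false
# NOTE: log_dir alone does not work for Keystone
log_file = /var/log/keystone/keystone.log

[token]
driver = sql
provider = uuid
"""

# Constructed sample: the three relevant lines of the reporter's Keystone log.
SAMPLE_LOG = [
    "2016-10-20 14:30:33.764 13934 INFO keystone.common.wsgi [req-fccd6064-2c29-4929-8a68-8b439db14957 "
    "924990606827451ca0599a5dcc8fb2ec 76e3b8253287442bac2772138583cde9 - default default] GET http://os-identity:5000/v3/auth/tokens/OS-PKI/revoked",
    "2016-10-20 14:30:33.889 13934 ERROR keystoneclient.common.cms [req-fccd6064-2c29-4929-8a68-8b439db14957 "
    "924990606827451ca0599a5dcc8fb2ec 76e3b8253287442bac2772138583cde9 - default default] Signing error: Unable to load certificate - ensure you have configured PKI with \"keystone-manage pki_setup\"",
    "2016-10-20 14:30:33.890 13934 ERROR keystone.common.wsgi [req-fccd6064-2c29-4929-8a68-8b439db14957 "
    "924990606827451ca0599a5dcc8fb2ec 76e3b8253287442bac2772138583cde9 - default default] Command 'openssl' returned non-zero exit status 3",
]

REQ_ID = re.compile(r"\[(req-[0-9a-f-]+) ")
CERT_MARKERS = (b"-----BEGIN CERTIFICATE-----",)
KEY_MARKERS = (b"-----BEGIN PRIVATE KEY-----", b"-----BEGIN RSA PRIVATE KEY-----")


def parse_conf(text):
    """Parse keystone.conf; interpolation off so '%' inside URLs stays literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def signing_material(cp):
    """Return the (certfile, keyfile) Keystone hands to `openssl cms -sign`."""
    return (cp.get("signing", "certfile", fallback=DEFAULT_CERTFILE),
            cp.get("signing", "keyfile", fallback=DEFAULT_KEYFILE))


def _is_pem(data, markers):
    # data is None when the file is missing; bytes.startswith accepts a tuple.
    return data is not None and data.lstrip().startswith(markers)


def check_revocation_signing(cp, read_file):
    """Predict whether the revocation list can be signed. read_file(path) returns
    the file's bytes or None if missing, so this works against the real
    filesystem or a dict (see demo()). Returns (ok, findings)."""
    provider = cp.get("token", "provider", fallback="uuid")  # assumed Newton default
    certfile, keyfile = signing_material(cp)
    findings = []
    if not _is_pem(read_file(certfile), CERT_MARKERS):
        findings.append("signing certfile missing or not a PEM certificate: " + certfile)
    if not _is_pem(read_file(keyfile), KEY_MARKERS):
        findings.append("signing keyfile missing or not a PEM private key: " + keyfile)
    if findings:
        findings.append("[token] provider=%s issues no PKI tokens, yet "
                        "/v3/auth/tokens/OS-PKI/revoked is still CMS-signed; expect "
                        "'Signing error: Unable to load certificate'" % provider)
    return (not findings, findings)


def find_unsigned_revocation_requests(lines):
    """Request ids that hit the OS-PKI revocation endpoint and then logged the
    CMS signing failure (correlated by req-id, not by line adjacency)."""
    hits, failures = set(), set()
    for line in lines:
        m = REQ_ID.search(line)
        if m and "/auth/tokens/OS-PKI/revoked" in line:
            hits.add(m.group(1))
        if m and "Signing error: Unable to load certificate" in line:
            failures.add(m.group(1))
    return sorted(hits & failures)


def demo():
    """Fresh install (no signing files) vs. the same config once files exist."""
    cp = parse_conf(SAMPLE_CONF)
    after_setup = {DEFAULT_CERTFILE: b"-----BEGIN CERTIFICATE-----\n...",
                   DEFAULT_KEYFILE: b"-----BEGIN PRIVATE KEY-----\n..."}
    before, _ = check_revocation_signing(cp, {}.get)
    after, _ = check_revocation_signing(cp, after_setup.get)
    return before, after, find_unsigned_revocation_requests(SAMPLE_LOG)


if __name__ == "__main__":
    print(demo())  # (False, True, ['req-fccd6064-2c29-4929-8a68-8b439db14957'])
```

To run it against a real controller, pass a reader such as `lambda p: open(p, "rb").read() if os.path.exists(p) else None` and the contents of /etc/keystone/keystone.conf; the PEM header check only catches missing or obviously wrong files, so a cert that exists but does not match its key will still fail at `openssl cms -sign`, which is the exit status 3 in the report.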

