Unable to login after SSL configuration

asked 2017-06-13 07:37:38 -0500

gianpyc

I installed OpenStack through DevStack and everything is fine. Now I tried to configure Horizon to work with HTTPS, and I followed the guide: https://docs.openstack.org/juno/config-reference/content/configure-dashboard.html#dashboard-config-https

I changed some parameters a bit since my configuration was different, and the resulting horizon.conf file under /etc/apache2/sites-available is:

    <VirtualHost *:80>
        ServerName HIDED_IP
        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteCond %{HTTPS} off
            RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
        </IfModule>
        <IfModule !mod_rewrite.c>
            RedirectPermanent / https://HIDED_IP/
        </IfModule>
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /opt/stack/horizon/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            # Apache 2.4 uses mod_authz_host for access control now (instead of
            #  "Allow")
            <IfVersion < 2.4>
                Order allow,deny
                Allow from all
            </IfVersion>
            <IfVersion >= 2.4>
                Require all granted
            </IfVersion>
        </Directory>
        <IfVersion >= 2.4>
            ErrorLogFormat "%{cu}t %M"
        </IfVersion>
        ErrorLog /var/log/apache2/horizon_error.log
        LogLevel warn
        CustomLog /var/log/apache2/horizon_access.log combined
    </VirtualHost>

    <VirtualHost *:443>
        ServerName HIDED_IP
        SSLEngine On
        # Remember to replace certificates and keys with valid paths in your environment
        SSLCertificateFile /etc/apache2/ssl/openstack.crt
        SSLCACertificateFile /etc/apache2/ssl/openstack.crt
        SSLCertificateKeyFile /etc/apache2/ssl/openstack.key
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

        Header add Strict-Transport-Security "max-age=15768000"

        WSGIScriptAlias /dashboard /opt/stack/horizon/openstack_dashboard/wsgi/django.wsgi
        WSGIDaemonProcess horizon user=stack group=stack processes=3 threads=10 home=/opt/stack/horizon display-name=%{GROUP}
        WSGIApplicationGroup %{GLOBAL}

        SetEnv APACHE_RUN_USER stack
        SetEnv APACHE_RUN_GROUP stack
        WSGIProcessGroup horizon

        DocumentRoot /opt/stack/horizon/.blackhole/
        Alias /dashboard/media /opt/stack/horizon/openstack_dashboard/static
        Alias /dashboard/static /opt/stack/horizon/static

        RedirectMatch "^/$" "/dashboard/"

        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /opt/stack/horizon/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            # Apache 2.4 uses mod_authz_host for access control now (instead of
            #  "Allow")
            <IfVersion < 2.4>
                Order allow,deny
                Allow from all
            </IfVersion>
            <IfVersion >= 2.4>
                Require all granted
            </IfVersion>
        </Directory>
        <IfVersion >= 2.4>
            ErrorLogFormat "%{cu}t %M"
        </IfVersion>
        ErrorLog /var/log/apache2/horizon_error.log
        LogLevel warn
        LogLevel warn
        CustomLog /var/log/apache2/horizon_access.log combined
    </VirtualHost>

    WSGISocketPrefix /var/run/apache2

Also, I added the key configuration parameter to the keystone.conf under /etc/apache2/sites-available, ending up with something like:

    <VirtualHost *:5000>
        WSGIDaemonProcess keystone-public processes=5 threads=1 user=stack display-name=%{GROUP}
        WSGIProcessGroup keystone-public
        WSGIScriptAlias / /usr/local/bin/keystone-wsgi-public
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        ErrorLogFormat "%M"
        ErrorLog /var/log/apache2/keystone.log
        CustomLog /var/log/apache2/keystone_access.log keystone_combined
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/openstack.crt
        SSLCACertificateFile /etc/apache2/ssl/openstack.crt
        SSLCertificateKeyFile /etc/apache2/ssl/openstack.key
        SSLVerifyDepth 1
    </VirtualHost>

The Apache keystone.log file says:

AH01906: 127.0.0.1:35357:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
AH01909: 127.0.0.1:35357:0 server certificate does NOT include an ID which matches the server name
AH01906: 127.0.0.1:5000:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
AH01909: 127.0.0.1:5000:0 server certificate does NOT include an ID which matches the server name

The issue is that I'm able to access ...

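Added example, not part of the original post: a shell check for the two conditions the AH01906 and AH01909 warnings above describe, a server certificate that asserts CA:TRUE and one that carries no ID matching the name clients connect to. The function names, the throwaway certificates and the 192.0.2.10 / example.test values are constructed for illustration; the name comparison uses OpenSSL's own `-checkhost`/`-checkip`, which is assumed to be close to, but is not, mod_ssl's comparison.

```sh
#!/bin/sh
# make_cert DIR NAME CA_FLAG [SAN]: constructed self-signed sample, valid 1 day.
make_cert() {
    {
        printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n'
        printf '[dn]\nCN=%s\n[ext]\nbasicConstraints=critical,CA:%s\n' "$2" "$3"
        if [ -n "${4:-}" ]; then printf 'subjectAltName=%s\n' "$4"; fi
    } > "$1/$2.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# check_server_cert CERT NAME: prints findings, returns how many (0 = clean).
check_server_cert() {
    findings=0
    # cf. AH01906: a server (leaf) certificate should not assert CA:TRUE.
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo "$1: BasicConstraints CA:TRUE (cf. AH01906)"
        findings=$((findings + 1))
    fi
    # cf. AH01909: the name must appear in the certificate.
    # IPv4 literals are compared against IP SAN entries, anything else as a host name.
    case $2 in
        *[!0-9.]*) opt=-checkhost ;;
        *)         opt=-checkip ;;
    esac
    if openssl x509 -in "$1" -noout "$opt" "$2" | grep -q 'NOT match'; then
        echo "$1: no ID matching $2 (cf. AH01909)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Demo on constructed certificates.
tmp=$(mktemp -d)
make_cert "$tmp" wrong.example TRUE    # CA certificate without any SAN
make_cert "$tmp" horizon.example.test FALSE "DNS:horizon.example.test,IP:192.0.2.10"
check_server_cert "$tmp/wrong.example.crt" 192.0.2.10 || echo "-> $? finding(s)"
check_server_cert "$tmp/horizon.example.test.crt" 192.0.2.10 && echo "-> clean"
rm -rf "$tmp"
```

Run against a deployed certificate as `check_server_cert /path/to/server.crt <name-or-IP-clients-use>`.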