0

Horizon hangs while communicating with Keystone over https

asked 2013-03-27 21:28:47 -0600

kj-tanaka

Hi,

I'm trying to enable https on Keystone with a self-signed certificate. Right now, the keystone and nova clients work fine with --insecure or with cacert.pem registered in the trusted CA list (e.g. /etc/ssl/certs/ca-certificates.crt) on the client side.

However, when I try to log in to the Dashboard (Horizon), it just hangs forever. So I added "DEBUG = True" to /etc/openstack-dashboard/local_settings.py, and this is what I could see in the apache error.log:

[Wed Mar 27 20:28:23 2013] [error] DEBUG:openstack_auth.backend:Beginning user authentication for user "admin".
[Wed Mar 27 20:28:23 2013] [error] unable to retrieve service catalog with token
[Wed Mar 27 20:28:23 2013] [error] Traceback (most recent call last):
[Wed Mar 27 20:28:23 2013] [error] File "/usr/lib/python2.7/dist-packages/keystoneclient/v2_0/client.py", line 132, in _extract_service_catalog
[Wed Mar 27 20:28:23 2013] [error] endpoint_type='adminURL')
[Wed Mar 27 20:28:23 2013] [error] File "/usr/lib/python2.7/dist-packages/keystoneclient/service_catalog.py", line 62, in url_for
[Wed Mar 27 20:28:23 2013] [error] raise exceptions.EndpointNotFound('Endpoint not found.')
[Wed Mar 27 20:28:23 2013] [error] EndpointNotFound: Endpoint not found.
[Wed Mar 27 20:28:23 2013] [error] DEBUG:openstack_auth.backend:Authentication completed for user "admin".

Dashboard is running on the same host as keystone's. Keystone and nova clients work fine on the host without the --insecure option. My question is, does Dashboard check its trusted CA list in a different file (not /etc/ssl/certs/ca-certificates.crt)? Or is this a problem with my endpoint configuration?

Given http://host1.domain.com as hostname and CN (common name), the endpoint is like this.

publicurl = https://host1.domain.com:$(public_port)s/v2.0
internalurl = https://host1.domain.com:$(admin_port)s/v2.0
adminurl = https://host1.domain.com:$(admin_port)s/v2.0

And I have the following in my /etc/openstack-dashboard/local_settings.py

OPENSTACK_HOST = "host1.domain.com"
OPENSTACK_KEYSTONE_URL = "https://%s:5000/v2.0" % OPENSTACK_HOST
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "Member"

I would really appreciate it if someone could help me get through this issue.

Thanks in advance!


3 answers

0

answered 2013-03-28 03:46:52 -0600

david-lyle

The login is happening in the django-openstack-auth module, which initializes its own python-keystoneclient connection. You will need to pass in your CA information in that instantiation as well; the file is backend.py. Our solution was to monkey-patch locally the HTTPClient __init__ method in python-keystoneclient client.py to pass in the CA info on every instantiation.

To better debug, add a logger in your local_settings.py for both requests and openstack_auth.

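One way to write the kind of local monkey-patch described in the answer above, as an added example that is not david-lyle's code or python-keystoneclient's: it wraps a client class's `__init__` so that a CA bundle is supplied by default and certificate verification cannot be switched off. The names `pin_ca_bundle` and `StandInHTTPClient`, and the `cacert` / `insecure` keyword arguments, are assumptions; check the constructor signature of the installed client before applying it.

```python
import functools
import os
import tempfile


def pin_ca_bundle(client_cls, ca_path):
    """Make every client_cls(...) verify TLS against ca_path by default."""
    if not os.path.isfile(ca_path):
        # Fail at startup rather than at the first login attempt.
        raise IOError("CA bundle not found: %s" % ca_path)
    original_init = client_cls.__init__

    @functools.wraps(original_init)
    def patched_init(self, *args, **kwargs):
        # Keep an explicit caller choice; only fill in the missing default.
        # Assumes callers pass cacert/insecure by keyword, not position.
        if not kwargs.get("cacert"):
            kwargs["cacert"] = ca_path
        # Never let a caller silently turn verification off.
        if kwargs.get("insecure"):
            raise ValueError("insecure=True is not allowed; use cacert")
        original_init(self, *args, **kwargs)

    client_cls.__init__ = patched_init
    return client_cls


def demo():
    class StandInHTTPClient(object):
        """Constructed stand-in for the real client class (runs offline)."""
        def __init__(self, auth_url=None, cacert=None, insecure=False):
            self.auth_url = auth_url
            self.cacert = cacert
            self.insecure = insecure

    # Constructed sample: an empty temp file plays the role of cacert.pem.
    with tempfile.NamedTemporaryFile(suffix=".pem", delete=False) as fh:
        ca_path = fh.name
    try:
        pin_ca_bundle(StandInHTTPClient, ca_path)
        client = StandInHTTPClient(auth_url="https://host1.domain.com:5000/v2.0")
        try:
            StandInHTTPClient(insecure=True)
            rejected = False
        except ValueError:
            rejected = True
        return client.cacert == ca_path, client.insecure, rejected
    finally:
        os.unlink(ca_path)
```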
0

answered 2013-03-28 04:47:21 -0600

kj-tanaka

Thanks David Lyle, that solved my question.

0

answered 2013-03-28 04:52:35 -0600

kj-tanaka

It was my misconfiguration in Cinder's /etc/cinder/api-paste.ini. Thanks again!


Stats

Asked: 2013-03-27 21:28:47 -0600

Seen: 161 times

Last updated: Mar 28 '13