Ask Your Question

Horizon hangs while communicating with Keystone over https

asked 2013-03-27 21:28:47 -0500

kj-tanaka gravatar image


I'm trying to enable https on Keystone with a self-signed certificate. And right now, keystone and nova clients work fine with --insecure or with registering cacert.pem on the trusted CA list(e.g. /etc/ssl/certs/ca-certificates.crt) on the client side.

However, when I try to login to the Dashboard(Horizon), it just hangs forever. So I added "DEBUG = True" on /etc/openstack-dashboard/, and what I could see on appache error.log is these.

[Wed Mar 27 20:28:23 2013] [error] DEBUG:openstack_auth.backend:Beginning user authentication for user "admin". [Wed Mar 27 20:28:23 2013] [error] unable to retrieve service catalog with token [Wed Mar 27 20:28:23 2013] [error] Traceback (most recent call last): [Wed Mar 27 20:28:23 2013] [error] File "/usr/lib/python2.7/dist-packages/keystoneclient/v2_0/", line 132, in _extract_service_catalog [Wed Mar 27 20:28:23 2013] [error] endpoint_type='adminURL') [Wed Mar 27 20:28:23 2013] [error] File "/usr/lib/python2.7/dist-packages/keystoneclient/", line 62, in url_for [Wed Mar 27 20:28:23 2013] [error] raise exceptions.EndpointNotFound('Endpoint not found.') [Wed Mar 27 20:28:23 2013] [error] EndpointNotFound: Endpoint not found. [Wed Mar 27 20:28:23 2013] [error] DEBUG:openstack_auth.backend:Authentication completed for user "admin".

Dashboard is running on the same host as kesytone's. Keystone and nova clients work fine on the host without --insecure option. My question is, does Dashboard check its trusted CA list in a different file? (not /etc/ssl/certs/ca-certificates.crt?) Or is this a problem on my endpoint configuration?

Given as hostname and CN(common name), the endpoint is like this.

publicurl =$(public_port)s/v2.0 ($(public_por...) internalurl =$(admin_port)s/v2.0 ($(admin_port...) adminurl =$(admin_port)s/v2.0 ($(admin_port...)

And I have the follows on my /etc/openstack-dashboard/


I would really appreciate if someone can help me to get through this issue.

Thanks in advance!

edit retag flag offensive close merge delete

3 answers

Sort by ยป oldest newest most voted

answered 2013-03-28 03:46:52 -0500

david-lyle gravatar image

The login is happening in the django-openstack-auth module which initializes its own python-keystoneclient connection. You will need to pass in your ca information in that instantiation as well, the file is Our solution was to monkey-patch locally the HTTPClient __init__ method in python-keystoneclient to pass in the ca info on every instantiation.

To better debug, add a logger in your for both requests and openstack_auth.

edit flag offensive delete link more

answered 2013-03-28 04:47:21 -0500

kj-tanaka gravatar image

Thanks David Lyle, that solved my question.

edit flag offensive delete link more

answered 2013-03-28 04:52:35 -0500

kj-tanaka gravatar image

It was my mis config on Cinder /etc/cinder/api-paste.ini . Thanks again!

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2013-03-27 21:28:47 -0500

Seen: 240 times

Last updated: Mar 28 '13