Keystone with SSL does not seem to work on Grizzly

asked 2013-04-23 16:44:01 -0600

alfredcs

Tried to enable SSL for Keystone on Grizzly. Here is the configuration.

On /etc/keystone/keystone.conf:

...
[ssl]
enable = True
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
#key_size = 1024
#valid_days = 3650
#ca_password = None
cert_required = False
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
...

Verified all *.pem files are in place and correct. Restarted keystone-all and ports 5000 and 35357 are up.

The following ENVS have been defined on the client side.

root@control:/etc/keystone# env | grep OS
OS_PASSWORD=password
OS_CERT=/etc/keystone/ssl/certs/signing_cert.pem
OS_AUTH_URL=http://127.0.0.1:5000/v2.0
OS_USERNAME=admin
OS_TENANT_NAME=demo
OS_KEY=/etc/keystone/ssl/private/signing_key.pem
OS_CACERT=/etc/keystone/ssl/certs/ca.pem

Tried to run the keystone client but it hung... no error was thrown.

root@control:/etc/keystone# keystone --debug user-list
REQ: curl -i http://127.0.0.1:5000/v2.0/tokens -X POST -H "Content-Type: application/json" -H "User-Agent: python-keystoneclient"
REQ BODY: {"auth": {"tenantName": "demo", "passwordCredentials": {"username": "admin", "password": "password"}}}
...

Tried to run curl but it hung as well.

root@control:/etc/keystone# curl --cert /etc/keystone/ssl/certs/signing_cert.pem --cacert /etc/keystone/ssl/certs/ca.pem http://127.0.0.1:5000/v2.0/tokens -X POST -H "Content-Type: application/json" -H "User-Agent: python-keystoneclient" {"auth": {"tenantName": "demo", "passwordCredentials": {"username": "admin", "password": "password"}}}
<hang>....

Your assistance is greatly appreciated.

7 answers


answered 2013-04-23 17:33:54 -0600

kj-tanaka

Hi,

What do you get if you try --os-auth-url https://127.0.0.1:5000/v2.0/tokens instead of http://127.0.0.1:5000/v2.0/tokens ? You would probably need to update the OS_AUTH_URL on your rc file.

Bests,


answered 2013-04-23 19:27:38 -0600

alfredcs

After changing to https as suggested, it displayed "Authorization Failed". Please see the following messages. Meanwhile, openssl displayed the correct server cert.

root@control:~# keystone --debug user-list
REQ: curl -i https://127.0.0.1:5000/v2.0/tokens -X POST -H "Content-Type: application/json" -H "User-Agent: python-keystoneclient"
REQ BODY: {"auth": {"tenantName": "demo", "passwordCredentials": {"username": "admin", "password": "password"}}}

(eventlet.wsgi.server): 2013-04-23 12:23:40,543 DEBUG wsgi write (32415) accepted ('127.0.0.1', 45733)

Authorization Failed: (HTTP Unable to establish connection to https://127.0.0.1:5000/v2.0/tokens)
root@control:~#

root@control:~# openssl s_client -connect localhost:5000
CONNECTED(00000003)
depth=0 C = US, ST = Unset, O = Unset, CN = www.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Unset, O = Unset, CN = www.example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = Unset, O = Unset, CN = www.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
(eventlet.wsgi.server): 2013-04-23 12:24:14,694 DEBUG wsgi write (32415) accepted ('127.0.0.1', 45734)

Certificate chain
 0 s:/C=US/ST=Unset/O=Unset/CN=www.example.com
   i:/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com

Server certificate
-----BEGIN CERTIFICATE-----
MIICzTCCAjagAwIBAgIBATANBgkqhkiG9w0BAQUFADBXMQswCQYDVQQGEwJVUzEO
MAwGA1UECBMFVW5zZXQxDjAMBgNVBAcTBVVuc2V0MQ4wDAYDVQQKEwVVbnNldDEY
MBYGA1UEAxMPd3d3LmV4YW1wbGUuY29tMB4XDTEzMDQyMjE5MDc0N1oXDTIzMDQy
MDE5MDc0N1owRzELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVVuc2V0MQ4wDAYDVQQK
EwVVbnNldDEYMBYGA1UEAxMPd3d3LmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDo2haPef7LSbZWdjdahqE6OmNTKoLQfY2p5Kn5Yw/01vFF
NS+kDsj+ZJgFRihhS7VioxX+zOqGIBXIw38+D7u3pipERZ5+u5IxBbg88DsDw6BM
Azg0D+u1ZEpYblILM4xgr4/7OqChDSS73j5yHs/g2umklEE7Lnp0SGPezowsXwID
AQABo4G4MIG1MAkGA1UdEwQCMAAwHQYDVR0OBBYEFGnCB4LU/7rBshtrkqZ7osS4
NnnCMIGIBgNVHSMEgYAwfoAUdu2yRiw7296qR+K3eHQ4hsEli+OhW6RZMFcxCzAJ
BgNVBAYTAlVTMQ4wDAYDVQQIEwVVbnNldDEOMAwGA1UEBxMFVW5zZXQxDjAMBgNV
BAoTBVVuc2V0MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb22CCQDmihg8bNUsPzAN
BgkqhkiG9w0BAQUFAAOBgQApd1twa0H8hl2VDDSVDBaUmLaKdXzDAmWcbcaE2YLD
cnbQm+RRfLvKQOtL5WcpaYdJrGkhg6QMny6a5M+GXGA6Y9/qbCqOj9vRE4gPAN6W
ItBHTdGtAQcOCxg2LP8FyRNeEApwA74SN1yM0xGj2UO0eRfuRg/YaF0ssxImaJ2U
OA==
-----END CERTIFICATE-----
subject=/C=US/ST=Unset/O=Unset/CN=www.example.com
issuer=/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com

No client certificate CA names sent

SSL handshake has read 1058 bytes and written 440 bytes

New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : AES256-SHA
    Session-ID: F95160319636D97BFA4D7EB53E9A1CBA2E0D9219DE244F2FFF04AC00041BE994
    Session-ID-ctx:
    Master-Key: 17068D9DC7ED2F8EBCB240153AE7A2592ACC29803F3DCC36E8C49DE3C00C4026BDEED43D6B81DE9E0205E37219902A74
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 8a c4 ca 63 23 03 7d a0-ea 85 9a 28 37 98 49 1e   ...c#.}....(7.I.
    0010 - e4 35 16 8d b0 19 7b df-42 17 94 f4 47 3e ab 55   .5....{.B...G>.U
    0020 - 6b 1d b6 07 9f 62 2b 7b-d0 83 38 82 cd 1f e4 f9   k....b+{..8.....
    0030 - 58 3a 2f 9c 0b 56 43 fe-40 8d 72 69 04 a3 f6 26   X:/..VC.@.ri...&
    0040 - e7 b4 b5 12 c6 52 98 92-a3 8b 3d af 7e 07 e7 7d   .....R....=.~..}
    0050 - 0d 05 7f 3a 09 ...


answered 2013-04-24 03:10:09 -0600

In my env, when SSL is enabled, visiting over HTTPS works as expected, but if I change back to visiting over HTTP, curl hangs. I'm using a command like:

curl -k -H "X-Auth-Token:ADMIN" http://localhost:35357/v2.0/tokens/9e33ce48b9ade32258a62ccbbee7dc10

while using

curl -k -H "X-Auth-Token:ADMIN" https://localhost:35357/v2.0/tokens/9e33ce48b9ade32258a62ccbbee7dc10

is OK. Is that possibly a bug?


answered 2013-04-24 06:17:44 -0600

alfredcs

My take is that if SSL is enabled then curl should go by https as a norm. The issue I am having now is that keystone returns "Authorization Failed" even with https. BTW from the token format it seems to me that you are on Folsom, unless the token configuration in keystone.conf had been tweaked. Right? Can you post your keystone.conf if possible?


answered 2013-04-25 02:04:29 -0600

Here is my keystone.conf; I'm using devstack.

[DEFAULT]
admin_token = ADMIN
log_dir = /var/log/keystone

[sql]
connection = mysql://root:010638@localhost/keystone?charset=utf8

[catalog]
driver = keystone.catalog.backends.sql.Catalog

[token]
driver = keystone.token.backends.sql.Token

[ec2]
driver = keystone.contrib.ec2.backends.sql.Ec2

[ssl]
enable = True
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
#key_size = 1024
#valid_days = 3650
#ca_password = None
cert_required = False
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost

[signing]
token_format = PKI
#token_format = PKI
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
key_size = 1024
valid_days = 3650
ca_password = None
cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com

[auth]
methods = password,token
password = keystone.auth.plugins.password.Password
token = keystone.auth.plugins.token.Token

[filter:debug]
paste.filter_factory = keystone.common.wsgi:Debug.factory

[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory

[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[filter:xml_body]
paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory

[filter:json_body]
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory

[filter:user_crud_extension]
paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory

[filter:crud_extension]
paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory

[filter:ec2_extension]
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory

[filter:s3_extension]
paste.filter_factory = keystone.contrib.s3:S3Extension.factory

[filter:url_normalize]
paste.filter_factory = keystone.middleware:NormalizingFilter.factory

[filter:sizelimit]
paste.filter_factory = keystone.middleware:RequestBodySizeLimiter.factory

[filter:stats_monitoring]
paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory

[filter:stats_reporting]
paste.filter_factory = keystone.contrib.stats:StatsExtension.factory

[filter:access_log]
paste.filter_factory = keystone.contrib.access:AccessLogMiddleware.factory

[app:public_service]
paste.app_factory = keystone.service:public_app_factory

[app:service_v3]
paste.app_factory = keystone.service:v3_app_factory

[app:admin_service]
paste.app_factory = keystone.service:admin_app_factory

[pipeline:public_api]
pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service

[pipeline:admin_api]
pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service

[pipeline:api_v3]
pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension service_v3

[app:public_version_service]
paste.app_factory = keystone.service:public_version_app_factory

[app:admin_version_service]
paste.app_factory = keystone.service:admin_version_app_factory

[pipeline:public_version_api]
pipeline = access_log sizelimit stats_monitoring url_normalize xml_body public_version_service

[pipeline:admin_version_api]
pipeline = access_log sizelimit stats_monitoring url_normalize xml_body admin_version_service

[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/v3 = api_v3
/ = public_version_api

[composite:admin]
use = egg:Paste#urlmap
/v2.0 = admin_api
/v3 = api_v3
/ = admin_version_api


answered 2013-06-04 06:59:19 -0600

Hi Alfred Shen,

I am also facing the same issue, but it got resolved by setting export SERVICE_ENDPOINT=http://10.10.56.19:35357/v2.0/ and export SERVICE_TOKEN=ADMIN as environment variables.

Please paste your creds file here.

Regards, Bhavani Prasad.


answered 2013-10-28 15:19:12 -0600

kj-tanaka

You have probably already resolved this issue, but I'll leave a comment for people who run into the same issue.

Common Name is important for SSL. If the CN and the SERVICE_ENDPOINT are different, you will probably need to recreate your certificate with the same hostname + domain name. Something like CN=host.yoursite.org and SERVICE_ENDPOINT=http://host.yoursite.org:35357/v2.0/

Another good thing to know is that it looks like Havana provides an easy way to set up SSL. Here's how I figured it out:

https://github.com/kjtanaka/havana_startup/wiki/How-to-enable-ssl-on-keystone

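The two root causes raised in this thread (kj-tanaka's first answer: an http:// auth URL sent to a listener with [ssl] enable = True just hangs; the last answer: the certificate's CN must match the hostname the client connects to) can both be caught before any request is made. The script below is an added example written for this page, not code from the thread, from Keystone or from python-keystoneclient. It parses the [ssl] section of a keystone.conf text, compares the auth URL scheme with it, and checks the endpoint hostname against the names a certificate covers. The config text and the certificate fields are constructed from values visible in the thread; the certificate dictionary uses the shape Python's ssl.SSLSocket.getpeercert() returns (assumed so the check can be fed a live peer certificate). The hostname matcher is a simplified RFC 6125 check and goes beyond the thread's case: it also handles DNS subjectAltName entries, single-label wildcards, and IP-literal endpoints such as 127.0.0.1, which only an IP SAN can satisfy.

```python
"""Offline pre-flight checks for a Keystone endpoint with [ssl] enable = True.

Added example; not code from the thread or from Keystone. The sample config
and certificate fields below are constructed from values visible in the thread.
"""
import configparser
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the [ssl] section posted in the question (comments kept).
SAMPLE_KEYSTONE_CONF = """
[ssl]
enable = True
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
#key_size = 1024
cert_required = False
"""

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns:
# the subject of the server certificate shown in the thread, no subjectAltName.
SAMPLE_PEERCERT = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "Unset"),),
        (("organizationName", "Unset"),),
        (("commonName", "www.example.com"),),
    ),
}


def ssl_enabled(conf_text):
    """True when [ssl] enable is set in the given keystone.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.getboolean("ssl", "enable", fallback=False)


def cert_names(peercert):
    """(DNS names, IP addresses) a server certificate is valid for.
    DNS SANs win; a legacy certificate without SAN falls back to the CN."""
    sans = peercert.get("subjectAltName", ())
    dns = [v for kind, v in sans if kind == "DNS"]
    ips = [v for kind, v in sans if kind == "IP Address"]
    if not dns:
        dns = [v for rdn in peercert.get("subject", ())
               for k, v in rdn if k == "commonName"]
    return dns, ips


def hostname_matches(peercert, host):
    """Does the certificate cover `host`? An IP literal only matches an IP SAN;
    a '*.' wildcard matches exactly one leftmost label (RFC 6125 style)."""
    dns, ips = cert_names(peercert)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(i) == ip for i in ips)
    host = host.lower().rstrip(".")
    for name in dns:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            first, _, rest = host.partition(".")
            if first and rest == name[2:]:
                return True
        elif name == host:
            return True
    return False


def preflight(conf_text, auth_url, peercert):
    """Return the list of problems a client using `auth_url` would hit."""
    problems = []
    url = urlsplit(auth_url)
    enabled = ssl_enabled(conf_text)
    if enabled and url.scheme == "http":
        problems.append("scheme: [ssl] enable = True but the auth URL is http:// "
                        "(a plaintext request to a TLS listener just hangs)")
    elif not enabled and url.scheme == "https":
        problems.append("scheme: auth URL is https:// but [ssl] enable is not set")
    if enabled and url.hostname and not hostname_matches(peercert, url.hostname):
        problems.append("hostname: certificate is for %s, not %s"
                        % (", ".join(cert_names(peercert)[0]), url.hostname))
    return problems


if __name__ == "__main__":
    for u in ("http://127.0.0.1:5000/v2.0", "https://127.0.0.1:5000/v2.0",
              "https://www.example.com:5000/v2.0"):
        print(u, "->", preflight(SAMPLE_KEYSTONE_CONF, u, SAMPLE_PEERCERT) or ["ok"])
```

Run against the thread's own values, the first URL reports both problems (http:// against an SSL-enabled listener, and a certificate for www.example.com presented by 127.0.0.1), the second reports only the hostname mismatch, and the third passes. To use it on a live endpoint, feed the dictionary returned by getpeercert() in place of SAMPLE_PEERCERT; the real verification still belongs to the TLS library, this check just explains the failure before the client times out.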


Asked: 2013-04-23 16:44:01 -0600

Seen: 188 times

Last updated: Oct 28 '13