
SSL problem on SAIO instance

asked 2011-06-21 22:07:26 -0500

Hello,

We have a working SAIO 1.3 instance on which we are trying to enable SSL access (e.g., to be able to access the instance from Cyberduck). We are basically trying to follow section 5.1.1 of the OpenStack Object Storage Administration Manual (Cactus).

After making the modifications specified by section 5.1.1, we performed the following:

1) resetswift
2) remakerings
3) startmain

However, when we try to invoke recreateaccounts, it fails. In fact, if we just try to run the swauth-prep command (i.e., "swauth-prep -K swauthkey"), we get the following error:

    Traceback (most recent call last):
      File "/usr/bin/swauth-prep", line 56, in <module>
        ssl=(parsed.scheme == 'https'))
      File "/usr/lib/pymodules/python2.6/swift/common/bufferedhttp.py", line 168, in http_connect_raw
        conn.endheaders()
      File "/usr/lib/python2.6/httplib.py", line 904, in endheaders
        self._send_output()
      File "/usr/lib/python2.6/httplib.py", line 776, in _send_output
        self.send(msg)
      File "/usr/lib/python2.6/httplib.py", line 735, in send
        self.connect()
      File "/usr/lib/pymodules/python2.6/swift/common/bufferedhttp.py", line 80, in connect
        return HTTPConnection.connect(self)
      File "/usr/lib/python2.6/httplib.py", line 716, in connect
        self.timeout)
      File "/usr/lib/pymodules/python2.6/eventlet/green/socket.py", line 59, in create_connection
        raise error, msg
    socket.error: [Errno 111] ECONNREFUSED

Here are the contents of our proxy-server.conf file:

    [DEFAULT]
    bind_port = 443
    user = meter
    log_facility = LOG_LOCAL1

    cert_file = /etc/swift/cert.crt
    key_file = /etc/swift/cert.key

    [pipeline:main]
    pipeline = healthcheck cache swauth proxy-server

    [app:proxy-server]
    use = egg:swift#proxy
    allow_account_management = true

    [filter:swauth]
    use = egg:swift#swauth
    # Highly recommended to change this.
    super_admin_key = swauthkey

    [filter:healthcheck]
    use = egg:swift#healthcheck

    [filter:cache]
    use = egg:swift#memcache

We are wondering if we made an error in the process of enabling SSL or if it is even possible to enable SSL on an SAIO instance.

Any help someone can provide would be greatly appreciated!

Thanks, Flint


4 answers

0

answered 2011-06-22 14:47:52 -0500

btorch

Hi Flint, the problem here is that swauth-prep and any other swauth command will try to use the default ADMIN_URL which is "http://127.0.0.1:8080/auth/". Since you are now using SSL you need to specify the -A flag with the command. Try running "swauth-prep -K swauthkey -A https://127.0.0.1/auth/" and then adding an admin user with "swauth-add-user -K swauthkey -A https://127.0.0.1/auth/ -a swiftops swiftops swiftops" ....

Please note that I'm assuming here that your ADMIN_KEY is indeed "swauthkey".

    root@saio-2:~# swauth-prep --help
    Usage: swauth-prep [options]

    Options:
      -h, --help
          show this help message and exit
      -A ADMIN_URL, --admin-url=ADMIN_URL
          The URL to the auth subsystem (default: http://127.0.0.1:8080/auth/
      -U ADMIN_USER, --admin-user=ADMIN_USER
          The user with admin rights to add users (default: .super_admin).
      -K ADMIN_KEY, --admin-key=ADMIN_KEY
          The key for the user with admin rights to add users.

0

answered 2011-06-22 17:00:58 -0500

Thanks for your help Marcelo!

Those changes got us beyond the ECONNREFUSED error and the swauth-prep command completes successfully.

However, with the addition of the "-A https://127..." change, the swauth-add-user command fails with "Account creation failed: 500 Server Error" and "User creation failed: 500 Server Error" errors.

The specific command is:

swauth-add-user -K swauthkey -A https://127.0.0.1/auth -a test tester testing

We additionally tried appending "/v1" and "/v1.0" to the IP address of the command and got "Account creation failed: 400 Bad Request" and "User creation failed: 400 Bad Request" errors.

The specific commands we tried were:

swauth-add-user -K swauthkey -A https://127.0.0.1/auth/v1 -a test tester testing

swauth-add-user -K swauthkey -A https://127.0.0.1/auth/v1.0 -a test tester testing

Thanks in advance for any additional help you can provide, Flint

0

answered 2011-06-22 21:08:53 -0500

btorch

Hi Flint,

Try adding the following to the [filter:swauth] section of the proxy-server.conf and restart swift.

default_swift_cluster = local#https://127.0.0.1/v1

Also, you will need to modify the storage url for accounts created prior to the SSL setup if you still would like to use them. Please check on swauth-set-account-service --help for information/example on how to change that.

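An added example, not part of the original thread and not Swift's own code: a check over the question's proxy-server.conf that derives the admin URL the swauth tools need with -A and flags a default_swift_cluster that no longer matches the proxy's scheme and port. The function names are hypothetical, and the default_swift_cluster fallback value and the 8080 bind_port fallback are assumptions.

```python
import configparser
from urllib.parse import urlsplit

# Constructed input: the relevant parts of the proxy-server.conf from the question.
QUESTION_CONF = """\
[DEFAULT]
bind_port = 443
cert_file = /etc/swift/cert.crt
key_file = /etc/swift/cert.key

[filter:swauth]
use = egg:swift#swauth
# Highly recommended to change this.
super_admin_key = swauthkey
"""
TOOL_DEFAULT_ADMIN_URL = "http://127.0.0.1:8080/auth/"      # from swauth-prep --help
ASSUMED_DEFAULT_CLUSTER = "local#http://127.0.0.1:8080/v1"  # assumption, not on the page
DEFAULT_PORTS = {"http": 80, "https": 443}


def endpoint(url):
    """Reduce a URL to (scheme, port), filling in the scheme's default port."""
    u = urlsplit(url)
    return u.scheme, u.port or DEFAULT_PORTS[u.scheme]


def check_proxy_conf(text, host="127.0.0.1"):
    """Return (admin_url, findings) for a proxy-server.conf given as text."""
    cp = configparser.RawConfigParser()  # no inline comments, so egg:swift#swauth survives
    cp.read_string(text)
    d = cp.defaults()
    tls = "cert_file" in d and "key_file" in d      # the proxy serves TLS when both are set
    scheme = "https" if tls else "http"
    port = int(d.get("bind_port", 8080))            # 8080 fallback is an assumption
    suffix = "" if port == DEFAULT_PORTS[scheme] else ":%d" % port
    base = "%s://%s%s" % (scheme, host, suffix)
    admin_url = base + "/auth/"
    findings = []
    if admin_url != TOOL_DEFAULT_ADMIN_URL:
        findings.append("pass -A %s to swauth-* commands" % admin_url)
    cluster = cp.get("filter:swauth", "default_swift_cluster",
                     fallback=ASSUMED_DEFAULT_CLUSTER)
    if endpoint(cluster.split("#")[1]) != (scheme, port):
        findings.append("set default_swift_cluster = local#%s/v1" % base)
    if cp.get("filter:swauth", "super_admin_key", fallback="") == "swauthkey":
        findings.append("super_admin_key is still the sample value")
    return admin_url, findings
```
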
0

answered 2011-06-22 22:43:03 -0500

Thanks Marcelo...that was the last stumbling block for us!
