issue when I using PKI for token format [closed]

asked 2014-03-05 20:13:37 -0500


Hi,

I'm working under CentOS 6.4 + Havana, my keystone version is:

      openstack-keystone.noarch 2013.2.2-1.el6 @openstack-havana

When I run the command "keystone user-list", I get this error:

    Authorization Failed: Unable to sign token. (HTTP 500)

I can get error information in both "keystone-startup.log" and "keystone.log":

    2014-03-06 09:31:29.999 18693 ERROR keystone.common.cms [-] Signing error: Unable to load certificate - ensure you've configured PKI with 'keystone-manage pki_setup'
    2014-03-06 09:31:29.999 18693 ERROR keystone.token.providers.pki [-] Unable to sign token
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki Traceback (most recent call last):
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/token/providers/pki.py", line 39, in _get_token_id
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki CONF.signing.keyfile)
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 144, in cms_sign_token
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki output = cms_sign_text(text, signing_cert_file_name, signing_key_file_name)
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 139, in cms_sign_text
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki raise environment.subprocess.CalledProcessError(retcode, "openssl")
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki CalledProcessError: Command 'openssl' returned non-zero exit status 3
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki
    2014-03-06 09:31:30.000 18693 WARNING keystone.common.wsgi [-] Unable to sign token.

Does anyone know why this happened?

Thanks.

-chen

My /etc/keystone/keystone.conf :

  [DEFAULT]
  [sql]
  connection = mysql://keystone:keystone@host-db/keystone
  [identity]
  [credential]
  [trust]
  [os_inherit]
  [catalog]
  driver = keystone.catalog.backends.sql.Catalog
  [endpoint_filter]
  [token]
  driver = keystone.token.backends.memcache.Token
  [cache]
  [policy]
  [ec2]
  [assignment]
  [oauth1]
  [ssl]
  [signing]
  [ldap]
  [auth]
  methods = external,password,token,oauth1
  password = keystone.auth.plugins.password.Password
  token = keystone.auth.plugins.token.Token
  oauth1 = keystone.auth.plugins.oauth1.OAuth
  [paste_deploy]

Closed for the following reason the question is answered, right answer was accepted by chen-li
close date 2014-03-06 23:54:55.775866

1 answer


answered 2014-03-05 21:18:41 -0500

updated 2014-03-05 23:49:37 -0500

  1. Run keystone-manage pki_setup to generate the signing certs.
  2. The parameters to keystone-manage pki_setup are the unix user and group name. You can get those by running the "id" command.
  3. pki_setup will generate the signing files under /etc/keystone. Given below are the default settings:

    [signing]
    #certfile = /etc/keystone/ssl/certs/signing_cert.pem
    #keyfile = /etc/keystone/ssl/private/signing_key.pem
    #ca_certs = /etc/keystone/ssl/certs/ca.pem
    #ca_key = /etc/keystone/ssl/private/cakey.pem

It should work if you have the files at that location. If not, please paste the error.
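An added check script, not part of this thread or of keystone itself, that follows up on the answer: it verifies that the four files listed in the default `[signing]` settings exist and are readable, and, when openssl is installed, that the public key inside signing_cert.pem matches signing_key.pem (a mismatch or an unreadable file are the usual reasons the `openssl` CMS signing call in the traceback exits non-zero). The directory layout `certs/` and `private/` under a base directory is taken from the answer's defaults; the base directory argument is an assumption so the same functions can be pointed at a test tree.

```shell
#!/bin/sh
# Added example (not from the Ask OpenStack thread): sanity-check the PKI
# signing material that keystone-manage pki_setup should have produced.
# Base directory defaults to /etc/keystone/ssl (the answer's default paths);
# pass another directory to check a different tree.

# Return 0 when all four signing files are present and readable by the
# calling user, 1 otherwise (each missing file is reported on stderr).
check_pki_files() {
    base="${1:-/etc/keystone/ssl}"
    missing=0
    for f in certs/signing_cert.pem private/signing_key.pem \
             certs/ca.pem private/cakey.pem; do
        if [ ! -r "$base/$f" ]; then
            echo "missing or unreadable: $base/$f" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Compare the public key embedded in the signing cert with the one derived
# from the private key. Returns 0 when they match (or when openssl is not
# installed, in which case the check is skipped), 1 on mismatch.
check_cert_key_match() {
    base="${1:-/etc/keystone/ssl}"
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; skipping cert/key match check" >&2
        return 0
    fi
    cert_pub=$(openssl x509 -in "$base/certs/signing_cert.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$base/private/signing_key.pem" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "signing_cert.pem does not match signing_key.pem" >&2
        return 1
    fi
    return 0
}

# Usage (run as the account keystone runs under so readability is tested for
# the right user, e.g. sudo -u keystone sh check_pki.sh):
#   check_pki_files /etc/keystone/ssl && check_cert_key_match /etc/keystone/ssl
```

Run the checks as the keystone service account rather than as root: pki_setup takes the user and group names precisely because the files must be readable by that account, and a root shell will report readable files that keystone itself cannot open.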

