havana keystone ssl problem

asked 2014-03-23 18:15:14 -0600

updated 2014-03-23 18:21:18 -0600

I have a persistent problem getting Keystone (Havana) SSL working on SuSE 11.3. I've tried the default keystone certs, and self-generated ones (from keystone-manage pki_setup and ssl_setup); modified the [ssl] section of keystone.conf to enable ssl; and tried certs from both locations (/etc/keystone/pki and /etc/keystone/ssl). This one was used after running keystone-manage ssl_setup:

[ssl]
enable = True
certfile = /etc/keystone/ssl/certs/ssl_cert.pem
keyfile = /etc/keystone/ssl/private/ssl_key.pem
ca_certs = /etc/keystone/ssl/certs/cacert.pem
ca_key = /etc/keystone/ssl/private/cakey.pem
cert_required = False
cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=smw
...
[signing]
cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=smw

I'd read that the CN needs to match the auth URL for cert verification, so I've used the hostname ('smw') here rather than localhost. I've recreated the certs in both areas:

keystone-manage ssl_setup --keystone-user openstack-keystone --keystone-group openstack-keystone
keystone-manage pki_setup --keystone-user openstack-keystone --keystone-group openstack-keystone

I restarted the keystone server after every change to keystone.conf. The ssl and pki directories are owned by the service user (openstack-keystone).

After setting these in a client shell:

export OS_SERVICE_TOKEN=ADMIN
export OS_AUTH_URL=https://smw:35357/v3
export OS_SERVICE_ENDPOINT=https://smw:35357/v3

I get this client error:

# keystone user-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
Unable to establish connection to https://smw:35357/v3/users

I get this from openssl:

# openssl s_client -connect smw:35357
CONNECTED(00000003)
depth=0 /C=US/ST=Unset/O=Unset/CN=localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=Unset/O=Unset/CN=localhost
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=Unset/O=Unset/CN=localhost
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Unset/O=Unset/CN=localhost
   i:/C=US/ST=Unset/L=Unset/O=Unset/CN=smw
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=Unset/O=Unset/CN=localhost
issuer=/C=US/ST=Unset/L=Unset/O=Unset/CN=smw
---
No client certificate CA names sent
---
SSL handshake has read 893 bytes and written 337 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 311B3416A4EB8F396EB447D8B6914BB412727C51F9D0F52270DC15F1C9C23ADA
    Session-ID-ctx: 
    Master-Key: 77C77BAA29BD7800DC3F88ECF7AB17450FED2DBE061CF686C377E0A6538E573EE1BEEBE5C22A23369B136505DBBEF527
    Key-Arg   : None
    Start Time: 1395616172
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

I get the same errors for v2.0. What am I missing?

This works, but bypasses certificate verification:

# keystone --insecure user-list

1 answer

1

answered 2014-03-23 19:43:24 -0600

By default, SSL clients verify the hostname of the URL against the CN value in the certificate. In your case CN=localhost and the hostname is "smw". It will fail.

How to verify?
export OS_AUTH_URL=https://localhost:35357/v3 and verify from the node where keystone is running, without the --insecure option; it will work, since in this case the hostname "localhost" will match the CN of the cert.

How to fix it in a dev env?
Create a self-signed cert with hostname="smw" and use it.

How to do this in production?
Get a proper cert with CN="domain name of the node which runs keystone" from public CAs such as "verisign" and use it.


Comments

I uncommented enable=True under [ssl], restarted keystone, and tried it. No luck with either name:

# curl https://localhost:35357/v3
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

# curl https://smw:35357/v3
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
bill l (2014-03-23 20:40:20 -0600)

curl needs to know the path of the CA file. Add the option --cacert to curl:

curl --cacert /etc/keystone/ssl/certs/cacert.pem https://smw:35357/v3

If you use the keystone command line tool, then it sets the correct CA file.

Haneef Ali (2014-03-23 21:04:49 -0600)

No luck yet:

# curl --cacert /etc/keystone/ssl/certs/cacert.pem https://smw:35357/v3
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

# curl --cacert /etc/keystone/pki/certs/cacert.pem https://smw:35357/v3
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

# curl --cacert /etc/keystone/pki/certs/cacert.pem https://localhost:35357/v3
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

# curl --cacert /etc/keystone/ssl/certs/cacert.pem https://localhost:35357/v3
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

These certs were generated by keystone-manage ssl_setup and pki_setup.

bill l (2014-03-23 21:18:51 -0600)

Looks like there is some problem with your certs. As a workaround you can do curl -k or curl -i, which is the same as the --insecure option.

Can you paste the output of openssl s_client -CAfile /etc/keystone/ssl/certs/cacert.pem -connect smw:35357

BTW, you only need these 3 options. The other options are required for generating the certs by keystone-manage. Ideally those options should have been part of the keystone-manage command instead of the conf file.

[ssl]
enable = True
certfile = /etc/keystone/ssl/certs/ssl_cert.pem
keyfile = /etc/keystone/ssl/private/ssl_key.pem
ca_certs = /etc/keystone/ssl/certs/cacert.pem
Haneef Ali (2014-03-23 21:45:00 -0600)

Thanks again! Here's the output:

# openssl s_client -CAfile /etc/keystone/ssl/certs/cacert.pem -connect smw:35357
CONNECTED(00000003)
depth=0 /C=US/ST=Unset/O=Unset/CN=smw
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=Unset/O=Unset/CN=smw
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=Unset/O=Unset/CN=smw
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Unset/O=Unset/CN=smw
   i:/C=US/ST=Unset/L=Unset/O=Unset/CN=smw
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICyjCCAbKgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEO
MAwGA1UECAwFVW5zZXQxDjAMBgNVBAcMBVVuc2V0MQ4wDAYDVQQKDAVVbnNldDEM
MAoGA1UEAwwDc213MB4XDTE0MDMyMTE4NTYxNFoXDTI0MDMxODE4NTYxNFowOzEL
MAkGA1UEBhMCVVMxDjAMBgNVBAgMBVVuc2V0MQ4wDAYDVQQKDAVVbnNldDEMMAoG
A1UEAwwDc213MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2u7lTdHEvK9lH
L0Az+LiLzrROfaiOuIBelqv1G5LsfMQ5Ez9TThhilujLGvVNaC17PUNpxPG1KON1
5D2+L8O5ksrkjZRolOa5GTFkPIwrEBw9iEXiPVsoatZO0legrrkm916crUK93bbV
X7kX9ADC5MTskzmwmoqqXFV9/YZZlwIDAQABo00wSzAJBgNVHRMEAjAAMB0GA1Ud
DgQWBBR3DbX9e4aOah49CKj/aw4gCwJxazAfBgNVHSMEGDAWgBQlky1KyKBNuTi8
7/edmVOcX8sIqTANBgkqhkiG9w0BAQUFAAOCAQEANKlZUs9SoM1kFYfKkxmwODJr
xqlHSj/YIzWqMa5VtnPI0WuykpRWQviEYG9WqCCVprZgZbc9ls5rhKsS7DdJOC94
480hfkpGyxB/suTTVDZ23V4HRU1RIIRggOYJcJXW6TOdeiKivsX6nxGV8zccNjU1
0RPvA15WmfMF8at5+QgoMrh/UeHtHNrPuYFBlxQnpJG4mmnrhGnr6xfMMDFfS09i
5gOlmqRXjdOebBMlo6YBdJ2g7TtZNKpmI1D4uH5qUbnK6DeVMSs+rTgd0wFNfJ9g
+PfLD4M4WVVnps32X6YMIp8iZ6KPS/e9eZ6g0gh9I5mgqxzvp/a2J/hhezCOhw==
-----END CERTIFICATE-----
subject=/C=US/ST=Unset/O=Unset ...
bill l (2014-03-23 22:00:02 -0600)
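The answer above makes one point (the name in the URL must match the certificate's CN) and the last s_client output makes a second one that the thread never states outright: with -CAfile the CN is now "smw" and the hostname check would pass, yet OpenSSL still reports verify error 20, so the cacert.pem being passed is not the CA that actually signed the certificate Keystone is serving. A TLS client performs these two checks independently, and a diagnosis has to separate them. The script below is an added example, not code from the thread or from Keystone: it builds a throwaway CA and server certificate in the cacert.pem / ssl_cert.pem layout that keystone-manage ssl_setup produces (the subjects mirror the thread's cert_subject), then runs each check on its own with the openssl CLI. It assumes only openssl 1.1.1 or newer and writes everything to a temporary directory; the "stale" CA stands in for a CA regenerated by a second ssl_setup run, which has the same DN but a different key.

```shell
#!/bin/sh
# Added example (not from the thread): separate the two checks a TLS client
# makes on Keystone's certificate, chain trust and hostname, using throwaway
# certs. Assumes only the openssl CLI (1.1.1+); all paths are under a temp dir.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so 'openssl req' does not depend on the system openssl.cnf.
# The key identifiers matter: a client matches a cert's AKID against the CA's
# SKID before it even tries the signature.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Build a CA plus a server cert signed by it, in the file layout that
# keystone-manage ssl_setup uses.  $1 = directory, $2 = server CN.
make_pki() {
  dir="$1"; cn="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -config "$WORK/openssl.cnf" -extensions v3_ca \
    -subj "/C=US/ST=Unset/L=Unset/O=Unset/CN=smw" \
    -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/openssl.cnf" \
    -subj "/C=US/ST=Unset/O=Unset/CN=$cn" \
    -keyout "$dir/ssl_key.pem" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$dir/server.csr" \
    -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions v3_server \
    -out "$dir/ssl_cert.pem" 2>/dev/null
}

# Check 1, chain trust: is the served cert really signed by the CA file the
# client trusts?  $1 = CA file, $2 = server cert.  Failing here is what
# s_client shows as 'verify error:num=20:unable to get local issuer certificate'.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Check 2, hostname: does the name from the URL match the cert's SAN, or its CN
# when there is no SAN?  $1 = server cert, $2 = hostname.  Independent of check 1.
host_ok() { openssl x509 -noout -in "$1" -checkhost "$2" | grep -q 'does match'; }

# Print ok/FAIL for one check without aborting the script.
show() { if "$@" >/dev/null 2>&1; then echo "ok    $*"; else echo "FAIL  $*"; fi; }

make_pki "$WORK/good"  smw   # what Keystone serves after ssl_setup with CN=smw
make_pki "$WORK/stale" smw   # a CA regenerated later: same DN, different key

show chain_ok "$WORK/good/cacert.pem"  "$WORK/good/ssl_cert.pem"   # ok
show host_ok  "$WORK/good/ssl_cert.pem" smw                         # ok
show host_ok  "$WORK/good/ssl_cert.pem" localhost                   # FAIL: CN mismatch
show chain_ok "$WORK/stale/cacert.pem" "$WORK/good/ssl_cert.pem"   # FAIL: wrong CA
```

To run both checks against a live endpoint in one command, `openssl s_client -verify_hostname smw -CAfile /etc/keystone/ssl/certs/cacert.pem -connect smw:35357` reports the hostname result alongside the chain result. Two caveats for anyone reading this thread today: the hostname check only falls back to the CN when the certificate carries no subjectAltName, and current browsers and most TLS libraries ignore the CN altogether, so a production certificate needs the hostname in a SAN; and the sequence "chain check fails, hostname check passes" seen in the last comment means regenerating certificates with a different CN will not help, the CA file the client loads simply does not correspond to the certificate the server is presenting.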
