Ask Your Question

keystone, cert_required and nova

asked 2014-05-08 09:41:20 -0500

dulek gravatar image

I'm trying to configure Keystone in my OpenStack setup to use SSL. I'm currently playing with cert_required flag in keystone.conf:

enable = True
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
cert_required = True

Unfortunately if it's set to True I'm unable to connect to nova using it's CLI client:

SSLError: [Errno 1] _ssl.c:504: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

In keystone CLI client I can specify --os-key and --os-cert options to do a proper SSL handshake and then it works. These options are missing in nova CLI client. How can I use cert_required option with nova? Maybe the option is prepared to be used in other scenarios?

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2014-05-08 12:26:01 -0500

updated 2014-05-27 10:38:14 -0500

cert_required is for 2 way ssl. Do you really want to use 2 way ssl? Also you using signing certs for ssl setup?. They are meant for PKI tokens. If you use keystone-manage to generate self signed certs for ssl, it will generate differnt cert for ssl.

To answer your question, don't use cert_required as it is for 2 way ssl and I don't think any openstack service client supports it. I also don't think keystone implements 2 way ssl feature correctly.

This is how normally client certs will be implemented. Don't expect any of these feature in OS services

Normally  the parameter will have 3 options . 
cert_required = no           // Server doesn't expect client cert
cert_required = optional   // If the client sends cert, then the server will use it
cert_required = yes   //  Cert is mandatory and the client has to send it

How  can you use client cert  in OS services?
   Now all openstack services such as nova/swfit use service account to validate the token. Instead of service account, each service can be given a client cert and they can use client cert to validate the token. 
edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools


Asked: 2014-05-08 09:41:20 -0500

Seen: 623 times

Last updated: May 27 '14