admin_endpoint in keystone is ignored?

asked 2014-08-18 10:54:06 -0500

f1gless

updated 2014-08-18 14:50:50 -0500


I'm attempting to configure keystone behind a haproxy that is terminating ssl. For the public URL, I have this working by setting 'public_endpoint' in my keystone config to 'https://fqdn-of-floating-ip:5000'.

When trying the same haproxy configuration and attempting to configure 'admin_endpoint' in keystone.conf, I run into issues.

I can't run any keystone related client calls. For example:

$ keystone user-list
WARNING:urllib3.connectionpool:Retrying (0 attempts remain) after connection broken by 'BadStatusLine('',)': /v2.0/endpoints

If I browse to https://fqdn-of-floating-ip:5000 I can see the XML correctly displays the link ie:

href="https://fdn-of-floating-ip:5000/v3/" rel="self"
href="https://fdn-of-floating-ip:5000/v2.0/" rel="self"
This is what I would expect to see.

If I browse to the admin port ( https://fqdn-of-floating-ip:35357 ) the XML shows exactly the same link as the public interface (port 5000). This is NOT what I expect to see :)

No matter what I set 'admin_endpoint' to I cannot see any changes within keystone. Has anyone configured behind SSL terminated haproxy? Any suggestions? Running keystone with verbose = True and debug = True does not help.

For completeness the relevant portion of my haproxy.cfg is as follows:

frontend keystone_admin
  bind ssl crt /etc/haproxy/
  default_backend  keystone_admin_backend
  option  forwardfor
  option  http-server-close
  reqadd  X-Forwarded-Proto:\ https

backend keystone_admin_backend
  balance  source
  mode  http
  option  forwardfor
  option  http-server-close
  redirect  scheme https if !{ ssl_fc }
  server check inter 2000 rise 2 fall 5
  server check inter 2000 rise 2 fall 5

If I browse https://fqdn-of-floating-ip:5000 I see the following XML:

href="https://fdn-of-floating-ip:5000/v3/" rel="self"
href="https://fdn-of-floating-ip:5000/v2.0/" rel="self"

Browsing to https://fqdn-of-floating-ip:35357 shows exactly the same


1 answer


answered 2014-08-18 11:58:17 -0500

updated 2014-08-18 15:33:53 -0500

Can you add a few more details to your question?

1) If you browse to the link what do you see?
2) What is the endpoint used for the keystone user-list command?

One thing you are missing is that you need to have the catalog populated with the https endpoint.

Update 1:

   1) You don't need to set the public or admin endpoint in the config. If you don't, it will use the one from the host URL.
   2) What is the endpoint used for the keystone user-list command? Is it https or http?
   3) Please also post your URL from the endpoint table in keystone.

Don't add anything in the config file. Just add the https endpoint as the identity endpoint in mysql. Make sure the keystone client uses the https endpoint.

Do you want https only for the admin endpoint (as per your haproxy.cfg)? If that is the case, just populate the admin endpoint for the identity service with the https endpoint.



Hello Ali,

Thanks for your reply. I've updated my original post to be more clear (due to my formatting some content wasn't displayed).

I have configured the admin endpoint for keystone to be


f1gless ( 2014-08-18 14:53:16 -0500 )
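
An added example, not part of the original posts: a small check that compares the rel="self" links a listener advertises with the endpoint it is expected to advertise, which is the comparison the question makes by hand for ports 5000 and 35357. The hostname keystone.example.test, the function names and the sample documents are constructed for illustration; only the href="..." rel="self" link form comes from the question.

```python
import re
from urllib.parse import urlsplit

# Link form as quoted in the question: href="..." rel="self"
SELF_LINK = re.compile(r'href="([^"]+)"\s+rel="self"')

def _origin(url):
    """Return (scheme, host, port), filling in the default port if absent."""
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return parts.scheme, (parts.hostname or "").lower(), port

def audit_self_links(document, expected_endpoint):
    """Return (href, reasons) for every self link whose scheme, host or port
    differs from the endpoint this listener is supposed to advertise."""
    want = _origin(expected_endpoint)
    findings = []
    for href in SELF_LINK.findall(document):
        got = _origin(href)
        reasons = [name for name, g, w in
                   zip(("scheme", "host", "port"), got, want) if g != w]
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample: what the public listener returns (as expected).
PUBLIC_DOC = ('href="https://keystone.example.test:5000/v3/" rel="self" '
              'href="https://keystone.example.test:5000/v2.0/" rel="self"')
# Constructed sample: the symptom from the question, where the admin
# listener returns the same links as the public one.
ADMIN_DOC = PUBLIC_DOC
# Constructed sample: links advertised over cleartext http although the
# proxy in front terminates TLS.
HTTP_DOC = 'href="http://keystone.example.test:35357/v2.0/" rel="self"'

if __name__ == "__main__":
    for name, doc, endpoint in [
        ("public", PUBLIC_DOC, "https://keystone.example.test:5000"),
        ("admin", ADMIN_DOC, "https://keystone.example.test:35357"),
        ("admin-http", HTTP_DOC, "https://keystone.example.test:35357"),
    ]:
        print(name, audit_self_links(doc, endpoint) or "OK")
```
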
