1

Devstack with SSL

asked 2014-08-18 15:12:56 -0600

barakme

Is it possible to configure devstack to use SSL?

I could not find clear instructions about this. Reading through stack.sh, it seems like enabling the tls-proxy in the localrc configuration should do it, but when I run stack.sh, it fails with: "keystone did not start"


Comments

Have you searched this site before posting this question? https://ask.openstack.org/en/question... and https://ask.openstack.org/en/question... and more

smaffulli ( 2014-08-18 17:36:44 -0600 )

I have, extensively. All of the questions that appear there either refer to specific services (keystone, not all services), refer to old versions of openstack and the instructions are not relevant or assume the existence of signed certificates or an external CA.

barakme ( 2014-08-19 01:18:49 -0600 )

@barakme the short answer to your question is: Yes, it's possible. The documentation is sparse though. Expand your question as you keep debugging and make it more specific so people can help you.

smaffulli ( 2014-08-19 17:46:33 -0600 )

1 answer

1

answered 2015-02-05 06:29:39 -0600

LZ

You can configure endpoints to use SSL natively or via proxy.

Configure nova, cinder, glance, swift and neutron to use SSL
on the endpoints using either SSL natively or via a TLS proxy
using stud.

To enable SSL via proxy, in local.conf add

**ENABLED_SERVICES+=,tls-proxy**

This will create a new test root CA, a subordinate CA and an SSL
server cert. It uses the value of hostname -f for the certificate
subject. The CA certificates are also added to the system CA bundle.

To enable SSL natively, in local.conf add:

**USE_SSL=True**

Native SSL by default will also use the devstack-generated root
and subordinate CA.

You can override this on a per-service basis by setting

<SERVICE>_SSL_CERT=/path/to/cert
<SERVICE>_SSL_KEY=/path/to/key
<SERVICE>_SSL_PATH=/path/to/ca

You should also set SERVICE_HOST to the FQDN of the host. This
value defaults to the host IP address.
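Why the SERVICE_HOST advice in the answer above matters for certificate checking, as an added example that is not part of the original answer or of devstack's code: it builds a constructed root CA, subordinate CA and server certificate with openssl, then checks the chain and shows that a certificate naming only the FQDN validates for the FQDN but not for the host IP. The file names, CN strings, `devstack.example.test` and `192.0.2.10` are assumptions.

```shell
#!/bin/sh
# Added example: constructed test PKI, not devstack's own CA code.
# File names, CN strings, the FQDN and the IP are illustrative assumptions.

# Create a key and CSR: $1 = output prefix, $2 = subject CN
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Sign $1.csr with the CA at prefix $2, applying extension file $3
sign() {
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
        -CAcreateserial -days 2 -extfile "$3" -out "$1.crt" 2>/dev/null
}

# Build root CA -> subordinate CA -> server cert in dir $1 for FQDN $2
make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$1/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$1/leaf.ext"
    new_csr "$1/root" "Test Root CA" &&
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
        -extfile "$1/ca.ext" -out "$1/root.crt" 2>/dev/null &&
    new_csr "$1/int" "Test Subordinate CA" && sign "$1/int" "$1/root" "$1/ca.ext" &&
    new_csr "$1/server" "$2" && sign "$1/server" "$1/int" "$1/leaf.ext"
}

# Succeeds only if the server cert chains to the root via the subordinate CA
chain_ok() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" \
        "$1/server.crt" >/dev/null 2>&1
}

# Succeeds only if the cert in dir $1 is valid for endpoint name $2 (FQDN or IPv4)
name_ok() {
    case $2 in
        *[!0-9.]*) flag=-checkhost ;;
        *)         flag=-checkip ;;
    esac
    openssl x509 -in "$1/server.crt" -noout "$flag" "$2" | grep -q 'does match'
}

work=$(mktemp -d)
make_chain "$work" devstack.example.test          # constructed FQDN
chain_ok "$work" && echo "chain: OK"
for host in devstack.example.test 192.0.2.10; do  # FQDN vs. IP-style SERVICE_HOST
    name_ok "$work" "$host" && echo "$host: matches" || echo "$host: MISMATCH"
done
rm -rf "$work"
```

The same `chain_ok` and `name_ok` checks can be pointed at a directory holding the real CA and server certificates, provided the files are named as the functions expect.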


Stats

Asked: 2014-08-18 15:12:56 -0600

Seen: 1,900 times

Last updated: Feb 05 '15