ERROR keystonemiddleware.auth_token

asked 2014-12-10 16:29:49 -0500

kjtanaka

I'm working on enabling SSL on the OpenStack APIs on the Juno version. I have enabled the Keystone API successfully and updated the endpoints from HTTP to HTTPS, so the Keystone Client CLI works fine. However, I'm having trouble finding the right parameters for nova.conf. I tried both cafile=/etc/keystone/ssl/certs/ca.pem and insecure=true, but I get this error in nova-api.log.

ERROR keystonemiddleware.auth_token [-] HTTP connection exception: [Errno 185090050] _ssl.c:344: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib

I'm referring to this link --> http://docs.openstack.org/juno/config-reference/content/list-of-compute-config-options.html, and my nova.conf's keystone_authtoken options are like this.

[keystone_authtoken]
..
auth_uri = https://myhost.example.com:5000/v2.0
identity_uri = https://myhost.example.com:35357
admin_tenant_name = service
admin_user = nova
admin_password = ***********
cafile=/etc/keystone/ssl/certs/ca.pem
#insecure = true

Does anyone know what I am missing?

Thanks in advance!


Comments

First try without the cafile option, but with insecure set to true. If that works, check the permission of ca.pem.

Haneef Ali ( 2014-12-11 10:21:44 -0500 )

Thank you for your suggestion. Insecure works now. Does this permission look incorrect? "-rw-r--r-- 1 keystone keystone 948 Dec 10 15:45 /etc/keystone/ssl/certs/ca.pem"

kjtanaka ( 2014-12-11 11:36:33 -0500 )

I found out that it would be simpler just to add /etc/keystone/ssl/certs/ca.pem to /usr/share/ca-certificates as a trusted CA. This way I don't need to dig around for the right parameters such as cafile, ca_certificates_file, insecure, api_insecure. I'll get an InCommon cert if the test goes well. Thanks.

kjtanaka ( 2014-12-11 13:47:01 -0500 )
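
An added example, not part of the original thread: a Python 3 check for the case discussed above, where the mode of ca.pem looks fine but the cafile option still fails. It verifies search permission on every parent directory and then loads the file with the standard ssl module; the function name `check_cafile` is this example's own, and it assumes the script is run as the account nova-api runs under (assumed here to be `nova`).

```python
import os
import ssl
import sys


def check_cafile(path):
    """Return (ok, findings) for loading `path` as a CA bundle as the current user."""
    findings = []
    path = os.path.abspath(path)
    # Ancestors of the file, collected from its directory up to the root.
    directory = os.path.dirname(path)
    ancestors = [directory]
    while os.path.dirname(directory) != directory:
        directory = os.path.dirname(directory)
        ancestors.append(directory)
    for directory in reversed(ancestors):
        if not os.path.isdir(directory):
            findings.append("FAIL missing directory: " + directory)
            return False, findings
        # A directory without search (x) permission hides everything below it,
        # even a file whose own mode is -rw-r--r--.
        if not os.access(directory, os.X_OK):
            findings.append("FAIL no search permission on: " + directory)
            return False, findings
    if not os.path.isfile(path) or not os.access(path, os.R_OK):
        findings.append("FAIL missing or unreadable file: " + path)
        return False, findings
    findings.append("OK   path is reachable and readable")
    # The same operation a TLS client performs when it is given a cafile.
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        context.load_verify_locations(cafile=path)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        findings.append("FAIL cannot load as PEM CA bundle: %r" % (exc,))
        return False, findings
    findings.append("OK   loaded %d CA certificate(s)" % len(context.get_ca_certs()))
    return True, findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/keystone/ssl/certs/ca.pem"
    ok, report = check_cafile(target)
    print("\n".join(report))
    sys.exit(0 if ok else 1)
```

Running it once as root and once as the service account shows whether a failure is a permission problem on the path or a problem with the file's contents.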