How to replace expired PKI certs using keystone-manage pki_setup and new keystone.conf in Icehouse

asked 2014-12-16 02:45:52 -0500

Environment: OpenStack Icehouse on Ubuntu 14.04

History: Upgraded from Folsom, to Grizzly, to Havana, to Icehouse (so potentially a lot of deprecated stuff in conf files); fairly sure the issue is Keystone PKI related.

Situation: Folsom was working perfectly, and then... Issues since Icehouse upgrade, particularly Keystone: Glance not authenticating in CLI and Neutron authentication and Floating IP issues; potentially flawed upgrade attempting repair.

I'm not using SSL, just using (as I understand) internal certs for PKI signing for token auth. I noted that the following command:

curl http://localhost:35357/v2.0/certificates/signing

Produces out of date cert:

        Not Before: Jun 16 04:17:59 2013 GMT
        Not After : Jun 16 04:17:59 2014 GMT

I am attempting to recreate certs for PKI signing. I understand that we use:

keystone-manage pki_setup --keystone-user foo --keystone-group bar

to set up the PKI certs for token authentication. The command seems to run (no error), but I get no change on the cert expiry date. Looking in the directory, nothing has been touched since creation of the certs on June 16 2013:

xx@xxxxx:/etc/keystone/ssl/certs# ls -l
total 40
-rw-rw-r-- 1 keystone keystone 2415 Jun 16  2013 01.pem
-rw-r----- 1 keystone keystone  887 Jun 16  2013 cakey.pem
-rw-r--r-- 1 root     root     1070 Jun 16  2013 ca.pem
-rw-r----- 1 root     root       70 Jun 16  2013 index.txt
-rw-rw-r-- 1 keystone keystone   21 Jun 16  2013 index.txt.attr
-rw-rw-r-- 1 keystone keystone    0 Jun 16  2013 index.txt.old
-rw-r----- 1 root     root     1999 Jun 16  2013 openssl.conf
-rw-rw-r-- 1 keystone keystone  708 Jun 16  2013 req.pem
-rw-r----- 1 root     root        3 Jun 16  2013 serial
-rw-rw-r-- 1 keystone keystone    2 Jun 16  2013 serial.old
-rw-rw-r-- 1 keystone keystone 2415 Jun 16  2013 signing_cert.pem

As you can see from the default perms in /etc/keystone/ssl/certs above, some are owned by root, some are owned by keystone. It is unclear (and undocumented), when issuing the command:

keystone-manage pki_setup --keystone-user foo --keystone-group bar

...exactly which user/group we ought to use: replacing foo, bar with 'root' or 'keystone' as per above example?

So in writing this question, I (in part) answered some of my issue with recreating certs. The process to create a new set of certs, while already having them (expired, change-over needed, etc.) is as follows:

Stop Keystone:

service keystone stop

Backup cert directories:

rsync -av -i /etc/keystone/ssl/certs /var/backups
rsync -av -i /etc/keystone/ssl/private /var/backups

Start Keystone:

service keystone start

Create certs as per normal:

keystone-manage pki_setup --keystone-user foo --keystone-group bar

Gives the following (edited) response:

2014-12-16 07:54:07.477 8222 INFO keystone.common.openssl [-] openssl genrsa -out /etc/keystone/ssl/private/cakey.pem xxxx
Generating xxx private key, xxxx bit long modulus
2014-12-16 07:54:07.737 8222 INFO keystone.common.openssl [-] openssl req -new -x509 -extensions v3_ca -key /etc/keystone/ssl/private/cakey.pem -out /etc/keystone/ssl/certs/ca.pem -days 3650 -config ...
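The step the procedure above is missing is a check that pki_setup actually produced a new certificate, since the poster's first run touched nothing. The following POSIX shell snippet is an added example, not code from the original post or from Keystone: it reads the expiry date and fingerprint of a PEM certificate with openssl, compares the regenerated signing_cert.pem against the backup copy, and flags certificates close to expiry. The file paths are placeholders (on a real node you would use /etc/keystone/ssl/certs/signing_cert.pem and the copy under /var/backups), and the sample certificates it builds are constructed throwaways. It assumes openssl and GNU date, both present on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the Keystone PKI
# signing certificate was really regenerated, and how long it is still valid.
# Assumes openssl and GNU date. Paths used here are placeholders/constructed.

# Print whole days until the certificate in $1 expires (negative if expired).
cert_days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  end_s=$(date -u -d "$end" +%s)
  now_s=$(date -u +%s)
  echo $(( (end_s - now_s) / 86400 ))
}

# Print the SHA-256 fingerprint of the certificate in $1 (colon-separated hex).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Succeed (exit 0) when the certificate in $1 expires within $2 days.
cert_needs_renewal() {
  [ "$(cert_days_left "$1")" -le "$2" ]
}

# Succeed when $1 is a fresh certificate: not expired, and with a different
# fingerprint from the backup copy in $2. Run this after pki_setup; an
# unchanged fingerprint means the command did not replace the file.
cert_was_replaced() {
  [ "$(cert_days_left "$1")" -gt 0 ] || return 1
  [ "$(cert_fingerprint "$1")" != "$(cert_fingerprint "$2")" ] || return 1
}

# Constructed sample data: two throwaway self-signed certs standing in for the
# old and the regenerated signing_cert.pem. Prints the temp directory used.
make_sample_certs() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/old.key" \
    -out "$dir/old.pem" -days 1 -subj "/CN=old-signing" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/new.key" \
    -out "$dir/new.pem" -days 3650 -subj "/CN=new-signing" 2>/dev/null
  echo "$dir"
}

# Stand-alone demo on the constructed certificates.
d=$(make_sample_certs)
echo "old: $(cert_days_left "$d/old.pem") days left"
echo "new: $(cert_days_left "$d/new.pem") days left"
if cert_was_replaced "$d/new.pem" "$d/old.pem"; then
  echo "regeneration produced a new, valid certificate"
else
  echo "certificate unchanged or expired: check pki_setup user/group"
fi
rm -rf "$d"
```

On a real node, run cert_was_replaced against the live signing_cert.pem and the rsync backup before restarting Keystone; a failure there is the symptom the question describes, caught before any service depends on the new token signing key.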

1 answer


answered 2014-12-16 05:24:39 -0500

Testing has revealed some success as follows (more updates to come):

This helped:

But I found success (for the Ubuntu install) when re-creating certs using the keystone user/group:

keystone-manage pki_setup --keystone-user keystone --keystone-group keystone

Updated keystone.conf [signing] section cert paths to:


Not sure if these paths in the [signing] section are used, but new cert PKI signing is working.

In Icehouse, there is an undocumented (and poorly commented in keystone.conf) requirement that you MUST update the commented '# provider =' line in keystone.conf with:

provider = keystone.token.providers.pki.Provider

This is NEW in the Icehouse release config file and not documented in the Icehouse install guide, but identified here:

Found some (limited) hidden docs for keystone-manage:

Now Keystone and Glance authentication are working correctly and I will work on the Neutron Floating IP issues, which probably relate to a failed OVS to ML2 Neutron DB migration due to the previous Keystone authentication/token issues.

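A practitioner following the answer above wants to confirm two things in keystone.conf before restarting Keystone: that the provider line is really uncommented and set to the PKI provider, and that the [signing] paths point at files that exist. The POSIX shell snippet below is an added example, not code from the answer or from Keystone. It assumes, from the Icehouse keystone.conf sample, that the provider option lives in the [token] section and that the [signing] section uses the option names certfile, keyfile and ca_certs; the configuration files it writes are constructed samples, not the poster's real config.

```shell
#!/bin/sh
# Added example (not from the original answer): check an ini-style keystone.conf
# for the Icehouse PKI settings. Section/option names ([token] provider,
# [signing] certfile/keyfile/ca_certs) are assumed from the Icehouse sample conf.

# Print the effective (uncommented) value of option $3 in section $2 of file $1.
# Prints nothing when the option is absent or still commented out with '#'.
ini_get() {
  awk -F= -v sec="[$2]" -v key="$3" '
    /^[ \t]*\[/ { insec = ($0 == sec); next }
    insec && $1 ~ "^[ \t]*" key "[ \t]*$" {
      v = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      print v
      exit
    }' "$1"
}

# Succeed when [token] provider selects the PKI token provider.
pki_provider_enabled() {
  [ "$(ini_get "$1" token provider)" = "keystone.token.providers.pki.Provider" ]
}

# Print each [signing] path that is configured but missing on disk, as opt=path.
missing_signing_files() {
  for opt in certfile keyfile ca_certs; do
    p=$(ini_get "$1" signing "$opt")
    if [ -n "$p" ] && [ ! -e "$p" ]; then
      echo "$opt=$p"
    fi
  done
  return 0
}

# Write a constructed sample keystone.conf to $1. $2 is the literal provider
# line to place in [token] (commented or not); $3 is the directory the
# [signing] paths point into. Not a real file from the post.
write_sample_conf() {
  cat > "$1" <<EOF
[DEFAULT]
admin_token = ADMIN

[token]
# Controls the token construction, validation, and revocation operations.
$2

[signing]
certfile = $3/signing_cert.pem
keyfile = $3/signing_key.pem
EOF
}

# Stand-alone demo: the commented line from a stock Icehouse conf versus the
# line the answer says must be set.
d=$(mktemp -d)
write_sample_conf "$d/stock.conf" "# provider =" "$d"
write_sample_conf "$d/fixed.conf" "provider = keystone.token.providers.pki.Provider" "$d"
for f in stock fixed; do
  if pki_provider_enabled "$d/$f.conf"; then
    echo "$f.conf: PKI provider enabled"
  else
    echo "$f.conf: provider not set to PKI (line still commented?)"
  fi
  missing_signing_files "$d/$f.conf" | sed "s/^/$f.conf: missing /"
done
rm -rf "$d"
```

Point ini_get at /etc/keystone/ssl paths by running it on the real /etc/keystone/keystone.conf; an empty result for [token] provider is exactly the "poorly commented" state the answer describes, where the '#' was left in place.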

