Running Keystone in HTTPD

asked 2015-01-21 10:10:16 -0600


updated 2015-01-22 08:19:29 -0600

Hi people, ...some problem with HTTPS....

I'm following this guide http://docs.openstack.org/developer/k... I am trying to install and configure mod_nss with these steps in my env (CentOS 7, httpd, Juno) before using Keystone behind httpd.

mod_nss is installed, and in /etc/httpd/conf.d/nss.conf I have this:

#
# This is the Apache server configuration file providing SSL support using.
# the mod_nss plugin.  It contains the configuration directives to instruct
# the server how to serve pages over an https connection.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.
#


#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
#       Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443"
#

###########################################
#Listen 443
Listen 4431
#######################################

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#
#   Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
########################
#NSSPassPhraseDialog  builtin
NSSPassPhraseDialog file:/etc/httpd/password.conf

#   Pass Phrase Helper:
#   This helper program stores the token password pins between
#   restarts of Apache.
#
#   NOTE:  Located at '/usr/sbin/nss_pcache' prior to 'mod_nss-1.0.8-22'.
#
NSSPassPhraseHelper /usr/libexec/nss_pcache

#   Configure the SSL Session Cache.
#   NSSSessionCacheSize is the number of entries in the cache.
#   NSSSessionCacheTimeout is the SSL2 session timeout (in seconds).
#   NSSSession3CacheTimeout is the SSL3/TLS session timeout (in seconds).
NSSSessionCacheSize 10000
NSSSessionCacheTimeout 100
NSSSession3CacheTimeout 86400

#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. Those platforms usually also provide a non-blocking
# device, /dev/urandom, which may be used instead.
#
# This does not support seeding the RNG with each connection.

NSSRandomSeed startup builtin
#NSSRandomSeed startup file:/dev/random  512
#NSSRandomSeed startup file:/dev/urandom 512

#
# TLS Negotiation configuration under RFC 5746
#
# Only renegotiate if the peer's hello bears the TLS renegotiation_info
# extension. Default off.
NSSRenegotiation off

# Peer must send Signaling Cipher Suite Value (SCSV) or
# Renegotiation Info (RI) extension in ALL handshakes.  Default: off
NSSRequireSafeNegotiation off

##
## SSL Virtual Host Context
##

##############################################
#<VirtualHost _default_:8443>
<VirtualHost _default_:4431>
##############################################

#   General setup for the virtual host
#DocumentRoot "/etc/httpd/htdocs"
#ServerName www.example.com:8443
#ServerAdmin you@example.com

# mod_nss can log to separate log files, you can choose to do that if you'd like
# LogLevel is not inherited from httpd.conf.
ErrorLog /var/log/httpd/error_log_ssl
TransferLog /var/log/httpd/access_log_ssl
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
<IfModule ...
(more)

3 answers


answered 2015-01-22 08:12:19 -0600


But if certutil tells me that the certificate is valid, then the problem isn't about the CA or some certificates?


answered 2015-01-22 00:16:00 -0600

Can you telnet to https://mydomain:4431?

If not, then your Apache server is not configured to listen on that port.


Comments

Yes, I can connect with telnet!

Update question...

New-stack (2015-01-22 04:59:26 -0600)

answered 2015-01-22 15:57:06 -0600

updated 2015-01-23 00:31:37 -0600

openssl s_client -showcerts -connect localhost:4431
CONNECTED(00000003)
139736715810720:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:

The above error suggests that the endpoint is not running HTTPS, i.e. the port is set up for HTTP, not HTTPS.

Hit http://mydomain:4431 and it will work

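The check this answer does by hand with openssl s_client, written out as an added Python example (not code from the original thread): it reports "closed" when nothing listens on the port, attempts a TLS handshake without verifying the certificate (only the protocol is of interest here), and when the listener answers with something other than a TLS record, the situation behind the "unknown protocol" error, it sends a plaintext HEAD request to confirm the port speaks HTTP. The `_PlainHandler` server is a constructed stand-in for an httpd that listens without TLS; it assumes Python 3.7+ for ThreadingHTTPServer.

```python
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

def probe_port(host, port, timeout=3.0):
    """Classify host:port as 'closed', 'tls', 'http' or 'unknown'."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"                  # nothing listening (cf. "35357/tcp closed")
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # protocol detection only; trust is not checked
    try:
        # wrap_socket runs the handshake; a listener that answers the ClientHello
        # with anything but a TLS record fails here (s_client's "unknown protocol")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.getpeercert(binary_form=True)
        return "tls"
    except OSError:
        pass                             # not a TLS listener; ask it a plain HTTP question
    try:
        with socket.create_connection((host, port), timeout=timeout) as plain:
            plain.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            first = b""
            while len(first) < 5:        # read just enough to see the status line
                chunk = plain.recv(64)
                if not chunk:
                    break
                first += chunk
    except OSError:
        return "unknown"
    return "http" if first.startswith(b"HTTP/") else "unknown"

class _PlainHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for an httpd that listens on the port without TLS."""
    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):        # keep the sample quiet
        pass

def start_plain_http_server():
    """Start the plaintext stand-in on a free loopback port; return the port."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _PlainHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]
```

Run `probe_port("controller", 35357)` against the real endpoint to tell a closed port from an HTTP-only or TLS listener before pointing keystone clients at an https:// URL.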

Comments

HTTPS now works... there was an error in the configuration of nss.conf! But I get this error

   keystone endpoint-list
    Authorization Failed: Unable to establish connection to https://controller:35357/v2.0/tokens

or a login error in the Horizon dashboard

PORT      STATE  SERVICE
35357/tcp closed unknown
New-stack (2015-01-23 08:30:56 -0600)

How can I change the endpoint? Manually from the SQL keystone.endpoint DB?

New-stack (2015-01-23 08:37:58 -0600)

openstack-keystone is not running... I have opened a new post....

New-stack (2015-01-26 11:16:50 -0600)

Last updated: Jan 23 '15