Ask Your Question
0

[Solved] keystone ssl port closed...Why?

asked 2015-01-26 06:04:57 -0500

New-stack gravatar image

updated 2015-01-29 10:24:54 -0500

hi people, on my enviroment (centos7, openstack modular installation of Juno)i have installed keystone to run behind the httpd server(with https enabled)!

At the moment, if i try to contact a keystone endpoint i recive an conncection error, 

keystone endpoint-list
Authorization Failed: Unable to establish connection to http://controller:35357/v2.0/tokens

If i try to scanning the keystone's ports(public/admin) by nmap i obtain that both are closed

Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT      STATE  SERVICE
5000/tcp  closed upnp
35357/tcp closed unknown
443/tcp open  https

the firewall service is not used, why i'm in this situation?

Furthermore, about the keystone's endpoint, how can l change the url? Manually from db change http:// to https:// o there is a better way?

Thanks to everyone

_____________UPDATE_____________

To keystone's endpoint (only keystone's endpoint) i set it in mysql at keystone db:

  UPDATE endpoint SET url = REPLACE (url, 'http','https') where legacy_endpoint_id= "KEYSTONE_ID"

In the keystone.conf i've set 

[ssl]
enable = True
certfile = /etc/keystone/ssl/cert/keystone.pem
keyfile = /etc/keystone/ssl/private/keystonekey.pem
ca_certs = /etc/keystone/ssl/cert/ca.pem
cert_required = True

like as doc http://docs.openstack.org/admin-guide...

The service keystone is down, and if i try to restart it, i have this error, but /var/log/keystone.log is empty...

image description

(to enlarge the picture right click and view the image)

Why? :(

edit retag flag offensive close merge delete
add a comment

2 answers

Sort by ยป oldest newest most voted
3

answered 2015-01-26 06:32:04 -0500

bishoy gravatar image

updated 2015-01-26 06:32:51 -0500

First of all you shouldn't change the http to https unless you have configured the keystone to work over ssl. And you'r correct you can hack the database and change the endpoint or you can delete it and recreate it. second thing, do you have the keystone installed and the service up and running?

edit flag offensive delete link more

Comments

UPDATE my question

New-stack gravatar imageNew-stack ( 2015-01-26 10:23:00 -0500 )edit
1

The thing is that starting the service is not related to the wrong endpoint. delete the endpoint and recreate it or hack the database. Also check the auth_uri and the protocol to change it to https in the keystone.conf.

bishoy gravatar imagebishoy ( 2015-01-27 03:27:15 -0500 )edit

Thank's... i have this situation:

This is the endpoint list in my db (line 11, 14, 18)

This is my keyston.conf I changed the auth_uri in nova.con f neutron.conf but not in keystone.conf... Is it required?

New-stack gravatar imageNew-stack ( 2015-01-27 04:46:14 -0500 )edit

you need to change it the keystone.conf. Also enabling ssl in the nova.conf will make the nova api communicate over ssl which needs you to change the endpoints of nova to https as well. So for now disable ssl in the nova.conf and try the ssl over keystone only.

bishoy gravatar imagebishoy ( 2015-01-27 05:13:20 -0500 )edit

in the nova.conf the keystone creds and auth protocol need to be https as the keystone is working over ssl now. The ssl part in nova.conf is related to the nova auth protocol for nova it self.

bishoy gravatar imagebishoy ( 2015-01-27 05:14:28 -0500 )edit
see more comments
0

answered 2015-01-26 07:55:07 -0500

Yashpal Beppurana gravatar image

Hey hi, I have few suggestions for you.

  1. Were you able to generate token by following the verification section of keystone as given in documentation to ensure its correct installation. Ex: keystone --os-username=admin --os-password=ADMIN_PASS --os-auth-url=http://controller:35357/v2.0 token-get
  2. Have a thorough look on keystone.conf, somewhere you may have committed mistake.
  3. Make sure the status of keystone service is running.
edit flag offensive delete link more

Comments

UPDATE my question

New-stack gravatar imageNew-stack ( 2015-01-26 10:23:07 -0500 )edit

hey man, have a look on this link http://stackoverflow.com/questions/15596370/openstack-keystone-failing-to-start. Hope this answers your question.

Yashpal Beppurana gravatar imageYashpal Beppurana ( 2015-01-26 11:07:27 -0500 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2015-01-26 06:04:57 -0500

Seen: 2,055 times

Last updated: Jan 29 '15

Related questions

admin_endpoint in keystone is ignored?

keystone ssl certificate expires after one year

Change Keystone Admin Pass [closed]

The resource could not be found

packstack installation fails with mysql access denied error

Is there a reseller admin role for swift under keystone?

problem with keystone-manage db_sync

How to debug tests?

How to disable a tenant in keystone(essex4)

how to get an openstack token and validate it?