
[Solved] keystone ssl port closed...Why?

asked 2015-01-26 06:04:57 -0500

New-stack

updated 2015-01-29 10:24:54 -0500

Hi people, in my environment (CentOS 7, OpenStack modular installation of Juno) I have installed keystone to run behind the httpd server (with https enabled)!

At the moment, if I try to contact a keystone endpoint I receive a connection error:

keystone endpoint-list
Authorization Failed: Unable to establish connection to http://controller:35357/v2.0/tokens

If I try to scan keystone's ports (public/admin) with nmap, I find that both are closed:

Nmap scan report for localhost (
Host is up (0.00011s latency).
Other addresses for localhost (not scanned):
5000/tcp  closed upnp
35357/tcp closed unknown
443/tcp open  https

The firewall service is not used, so why am I in this situation?

Furthermore, about keystone's endpoint, how can I change the URL? Manually change http:// to https:// in the db, or is there a better way?

Thanks to everyone


For keystone's endpoint (only keystone's endpoint) I set it in mysql in the keystone db:

  UPDATE endpoint SET url = REPLACE(url, 'http', 'https') WHERE legacy_endpoint_id = "KEYSTONE_ID";

In the keystone.conf I've set

enable = True
certfile = /etc/keystone/ssl/cert/keystone.pem
keyfile = /etc/keystone/ssl/private/keystonekey.pem
ca_certs = /etc/keystone/ssl/cert/ca.pem
cert_required = True

as in the doc.

The keystone service is down, and if I try to restart it, I get this error, but /var/log/keystone.log is empty...


Why? :(


2 answers


answered 2015-01-26 06:32:04 -0500

bishoy

updated 2015-01-26 06:32:51 -0500

First of all, you shouldn't change the http to https unless you have configured keystone to work over ssl. And you're correct, you can hack the database and change the endpoint, or you can delete it and recreate it. Second thing, do you have keystone installed and the service up and running?



UPDATE my question

New-stack ( 2015-01-26 10:23:00 -0500 )

The thing is that starting the service is not related to the wrong endpoint. Delete the endpoint and recreate it, or hack the database. Also check the auth_uri and the protocol to change it to https in the keystone.conf.

bishoy ( 2015-01-27 03:27:15 -0500 )

Thanks... I have this situation:

This is the endpoint list in my db (line 11, 14, 18)

This is my keystone.conf. I changed the auth_uri in nova.conf and neutron.conf but not in keystone.conf... Is it required?

New-stack ( 2015-01-27 04:46:14 -0500 )

You need to change it in the keystone.conf. Also, enabling ssl in the nova.conf will make the nova api communicate over ssl, which needs you to change the endpoints of nova to https as well. So for now disable ssl in the nova.conf and try the ssl over keystone only.

bishoy ( 2015-01-27 05:13:20 -0500 )

In the nova.conf the keystone creds and auth protocol need to be https, as keystone is working over ssl now. The ssl part in nova.conf is related to the nova auth protocol for nova itself.

bishoy ( 2015-01-27 05:14:28 -0500 )

answered 2015-01-26 07:55:07 -0500

Hey hi, I have a few suggestions for you.

  1. Were you able to generate a token by following the verification section of keystone as given in the documentation, to ensure its correct installation? Ex: keystone --os-username=admin --os-password=ADMIN_PASS --os-auth-url=http://controller:35357/v2.0 token-get
  2. Have a thorough look at keystone.conf; somewhere you may have made a mistake.
  3. Make sure the status of the keystone service is running.


UPDATE my question

New-stack ( 2015-01-26 10:23:07 -0500 )

Hey man, have a look at this link. Hope this answers your question.

Yashpal Beppurana ( 2015-01-26 11:07:27 -0500 )
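
One way to tell apart the situations discussed in this thread (nothing listening on 5000/35357, a listener that only speaks plain HTTP, or working TLS), as an added example that is not part of the original posts: it probes each catalog URL with a TCP connect and, for https URLs, a certificate-verified TLS handshake. The function names and sample URLs are assumptions; the host name, ports and CA path are taken from the question.

```python
import socket
import ssl
from urllib.parse import urlsplit


def probe_endpoint(url, cafile=None, timeout=3.0):
    """Classify one catalog URL: 'closed', 'open-plaintext', 'tls-ok' or 'tls-failed'."""
    parts = urlsplit(url)
    host = parts.hostname
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        # Nothing is listening (or it is unreachable): the nmap "closed" case.
        return "closed"
    with sock:
        if parts.scheme != "https":
            return "open-plaintext"
        # Verify chain and host name; cafile=None falls back to the system trust store.
        ctx = ssl.create_default_context(cafile=cafile)
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "tls-ok"
        except (ssl.SSLError, OSError):
            # A listener exists but does not complete a verified TLS handshake,
            # e.g. the catalog says https while the port still serves plain HTTP.
            return "tls-failed"


def check_catalog(urls, cafile=None):
    """Map each endpoint URL to its probe result."""
    return {url: probe_endpoint(url, cafile) for url in urls}


if __name__ == "__main__":
    # Constructed sample URLs built from the host name and ports in the question.
    sample = [
        "http://controller:35357/v2.0",
        "https://controller:5000/v2.0",
        "https://controller:443/",
    ]
    results = check_catalog(sample, "/etc/keystone/ssl/cert/ca.pem")
    for url, state in results.items():
        print(f"{state:15} {url}")
```

A "closed" result for every keystone URL while 443 answers points at the listener configuration rather than at the endpoint records in the database.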
