Ask Your Question
0

[Solved] keystone ssl port closed...Why?

asked 2015-01-26 06:04:57 -0600

New-stack gravatar image

updated 2015-01-29 10:24:54 -0600

hi people, on my enviroment (centos7, openstack modular installation of Juno)i have installed keystone to run behind the httpd server(with https enabled)!

At the moment, if i try to contact a keystone endpoint i recive an conncection error, 

keystone endpoint-list
Authorization Failed: Unable to establish connection to http://controller:35357/v2.0/tokens

If i try to scanning the keystone's ports(public/admin) by nmap i obtain that both are closed

Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT      STATE  SERVICE
5000/tcp  closed upnp
35357/tcp closed unknown
443/tcp open  https

the firewall service is not used, why i'm in this situation?

Furthermore, about the keystone's endpoint, how can l change the url? Manually from db change http:// to https:// o there is a better way?

Thanks to everyone

_____________UPDATE_____________

To keystone's endpoint (only keystone's endpoint) i set it in mysql at keystone db:

  UPDATE endpoint SET url = REPLACE (url, 'http','https') where legacy_endpoint_id= "KEYSTONE_ID"

In the keystone.conf i've set 

[ssl]
enable = True
certfile = /etc/keystone/ssl/cert/keystone.pem
keyfile = /etc/keystone/ssl/private/keystonekey.pem
ca_certs = /etc/keystone/ssl/cert/ca.pem
cert_required = True

like as doc http://docs.openstack.org/admin-guide...

The service keystone is down, and if i try to restart it, i have this error, but /var/log/keystone.log is empty...

image description

(to enlarge the picture right click and view the image)

Why? :(

edit retag flag offensive close merge delete
add a comment

2 answers

Sort by ยป oldest newest most voted
3

answered 2015-01-26 06:32:04 -0600

bishoy gravatar image

updated 2015-01-26 06:32:51 -0600

First of all you shouldn't change the http to https unless you have configured the keystone to work over ssl. And you'r correct you can hack the database and change the endpoint or you can delete it and recreate it. second thing, do you have the keystone installed and the service up and running?

edit flag offensive delete link more

Comments

UPDATE my question

New-stack gravatar imageNew-stack ( 2015-01-26 10:23:00 -0600 )edit
1

The thing is that starting the service is not related to the wrong endpoint. delete the endpoint and recreate it or hack the database. Also check the auth_uri and the protocol to change it to https in the keystone.conf.

bishoy gravatar imagebishoy ( 2015-01-27 03:27:15 -0600 )edit

Thank's... i have this situation:

This is the endpoint list in my db (line 11, 14, 18)

This is my keyston.conf I changed the auth_uri in nova.con f neutron.conf but not in keystone.conf... Is it required?

New-stack gravatar imageNew-stack ( 2015-01-27 04:46:14 -0600 )edit

you need to change it the keystone.conf. Also enabling ssl in the nova.conf will make the nova api communicate over ssl which needs you to change the endpoints of nova to https as well. So for now disable ssl in the nova.conf and try the ssl over keystone only.

bishoy gravatar imagebishoy ( 2015-01-27 05:13:20 -0600 )edit

in the nova.conf the keystone creds and auth protocol need to be https as the keystone is working over ssl now. The ssl part in nova.conf is related to the nova auth protocol for nova it self.

bishoy gravatar imagebishoy ( 2015-01-27 05:14:28 -0600 )edit
see more comments
0

answered 2015-01-26 07:55:07 -0600

Yashpal Beppurana gravatar image

Hey hi, I have few suggestions for you.

  1. Were you able to generate token by following the verification section of keystone as given in documentation to ensure its correct installation. Ex: keystone --os-username=admin --os-password=ADMIN_PASS --os-auth-url=http://controller:35357/v2.0 token-get
  2. Have a thorough look on keystone.conf, somewhere you may have committed mistake.
  3. Make sure the status of keystone service is running.
edit flag offensive delete link more

Comments

UPDATE my question

New-stack gravatar imageNew-stack ( 2015-01-26 10:23:07 -0600 )edit

hey man, have a look on this link http://stackoverflow.com/questions/15596370/openstack-keystone-failing-to-start. Hope this answers your question.

Yashpal Beppurana gravatar imageYashpal Beppurana ( 2015-01-26 11:07:27 -0600 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2015-01-26 06:04:57 -0600

Seen: 2,226 times

Last updated: Jan 29 '15

Related questions

keystone via httpd and remote_user

Is it possible to use certificate generated by pki_setup for ssl(https) ?

How to scale keystone

native ssl not working with devstack

swiftclient:RESP STATUS: 403 Forbidden

why my openstackclient doesn't work with keystone v3 API? [closed]

Digest Authentication

This is not a recognized Fernet token

Internal Server Error (HTTP 500)

Error while configuring Keystone