keystone-nova ssl auth

asked 2015-02-25 23:29:15 -0500

Liam Haworth

Afternoon Ask Openstack,

This morning one (of two) of my controller nodes got rebooted and it was fine, but then about an hour ago it started denying my API requests, saying that the token wasn't valid, but I checked it with keystone and found it was valid.

So I deleted all tokens from the database and restarted both keystone and nova. Keystone is issuing tokens fine, but now nova is throwing this error:

WARNING keystoneclient.middleware.auth_token [-] Verify error: Command 'openssl' returned non-zero exit status 4
WARNING keystoneclient.middleware.auth_token [-] Authorization failed for token
INFO keystoneclient.middleware.auth_token [-] Invalid user token - rejecting request
INFO nova.osapi_compute.wsgi.server [-] "GET /v2/0ae22a2d4d6c45b39701636bfc40f253/images/detail.json HTTP/1.1" status: 401 len: 194 time: 0.0167048

And from here I have no clue what to do and I can't remake the cluster since it is running production servers.

Thanks for any help,



2 answers


answered 2015-02-26 04:35:51 -0500

Hi Liam, try UUID instead of PKI. Basically I feel the error is a token mismatch. Set token_format=UUID in the keystone.conf file, so that we use UUID instead of PKI for identity.


I've already tried this but keystone fails to start complaining that token_format is deprecated

Liam Haworth ( 2015-02-26 15:57:36 -0500 )

If you can change to uuid then use the following setting


token_format is deprecated

Haneef Ali ( 2015-02-26 16:21:50 -0500 )

answered 2015-02-26 00:02:14 -0500

Looks like you are using a PKI token and the openssl command is failing with exit status 4.

Please look at the error codes reason here :

In nova.conf, under the keystone_auth section, you will have the CA cert/signing cert location. Make sure those files still exist and are readable.


cacert.pem, revoked.pem and signing_cert.pem exist in the folder (/var/cache/nova/lib) and are owned by nova

Liam Haworth ( 2015-02-26 17:06:30 -0500 )
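
One way to carry out the "exist and are readable" check from the answer above, as an added example that is not part of the original thread or of the OpenStack code. The function names are hypothetical, the file names and default directory are taken from the comment above, and the check covers presence, readability and PEM completeness only.

```python
import os
import re
import stat
import sys

# File names come from the comment above; revoked.pem is only checked for
# presence and size because its PEM label is not stated on the page.
EXPECTED = {"cacert.pem": "CERTIFICATE", "signing_cert.pem": "CERTIFICATE", "revoked.pem": None}

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s+[A-Za-z0-9+/=\s]+-----END (?P=label)-----")


def check_file(path, want_label=None):
    """Return a list of problems for one file; an empty list means it looks usable."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    except PermissionError:
        return ["parent directory not traversable by uid %d" % os.geteuid()]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    if st.st_size == 0:
        return ["empty"]
    try:
        with open(path, "r", errors="replace") as fh:
            text = fh.read()
    except PermissionError:
        return ["not readable by uid %d" % os.geteuid()]
    if want_label and want_label not in [m.group("label") for m in PEM_BLOCK.finditer(text)]:
        return ["no complete PEM %s block" % want_label]
    return []


def check_signing_dir(signing_dir):
    """Check every expected file in the directory; returns {file name: [problems]}."""
    return {name: check_file(os.path.join(signing_dir, name), label)
            for name, label in EXPECTED.items()}


if __name__ == "__main__":
    # Default directory is the one named in the comment above; pass another as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/cache/nova/lib"
    results = check_signing_dir(target)
    for name, problems in sorted(results.items()):
        print("%-18s %s" % (name, "ok" if not problems else "; ".join(problems)))
    sys.exit(1 if any(results.values()) else 0)
```

Run it as the user the nova service runs as, so the readability result reflects what the middleware sees rather than what root sees.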


Last updated: Feb 26 '15