0

keystone-nova ssl auth

asked 2015-02-25 23:29:15 -0600

Liam Haworth

Afternoon Ask Openstack,

This morning one (of two) of my controller nodes got rebooted and it was fine, but then about an hour ago it started denying my API requests, saying that the token wasn't valid, but I checked it with keystone and found it was valid.

So I deleted all tokens from the database and restarted both keystone and nova. Keystone is issuing tokens fine, but now nova is throwing this error:

WARNING keystoneclient.middleware.auth_token [-] Verify error: Command 'openssl' returned non-zero exit status 4
WARNING keystoneclient.middleware.auth_token [-] Authorization failed for token
INFO keystoneclient.middleware.auth_token [-] Invalid user token - rejecting request
INFO nova.osapi_compute.wsgi.server [-] 10.16.16.23 "GET /v2/0ae22a2d4d6c45b39701636bfc40f253/images/detail.json HTTP/1.1" status: 401 len: 194 time: 0.0167048

And from here I have no clue what to do and I can't remake the cluster since it is running production servers.

Thanks for any help,

Liam.


2 answers

1

answered 2015-02-26 04:35:51 -0600

Hi Liam, try UUID instead of PKI. Basically I feel the error is a token mismatch. Set token_format=UUID in the keystone.conf file, so that we use UUID instead of PKI for identity.


Comments

I've already tried this, but keystone fails to start, complaining that token_format is deprecated.

Liam Haworth ( 2015-02-26 15:57:36 -0600 )

If you can change to UUID, then use the following setting:

provider=keystone.token.providers.uuid.Provider

token_format is deprecated.

Haneef Ali ( 2015-02-26 16:21:50 -0600 )
0

answered 2015-02-26 00:02:14 -0600

Looks like you are using a PKI token and the openssl command is failing with exit status 4.

Please look at the reason for the error code here: http://www.openssl.org/docs/apps/cms....

In nova.conf, under the keystone_auth section, you will have the CA cert/signing cert location. Make sure those files still exist and are readable.


Comments

cacert.pem, revoked.pem and signing_cert.pem exist in the folder (/var/cache/nova/lib) and are owned by nova.

Liam Haworth ( 2015-02-26 17:06:30 -0600 )
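
The file check suggested in the answer above, as an added example that is not part of the original thread: a POSIX shell function that tests whether cacert.pem, signing_cert.pem and revoked.pem in a signing directory exist, are readable and are non-empty, whether the two certificates parse and are unexpired, and whether signing_cert.pem chains to cacert.pem. The function name check_signing_dir and the checks beyond "exist and readable" are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check an auth_token signing dir.
# File names are those named in the thread; check_signing_dir is hypothetical.
# Returns 0 when every check passes, otherwise the number of failed checks.
check_signing_dir() {
    dir=$1
    failures=0
    for f in cacert.pem signing_cert.pem revoked.pem; do
        path="$dir/$f"
        if [ ! -e "$path" ]; then
            echo "MISSING    $path"; failures=$((failures + 1))
        elif [ ! -r "$path" ]; then
            echo "UNREADABLE $path"; failures=$((failures + 1))
        elif [ ! -s "$path" ]; then
            echo "EMPTY      $path"; failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ] || return "$failures"

    # Both certificate files must parse as X.509 and must not have expired.
    for f in cacert.pem signing_cert.pem; do
        if ! openssl x509 -in "$dir/$f" -noout >/dev/null 2>&1; then
            echo "NOT A CERT $dir/$f"; failures=$((failures + 1))
        elif ! openssl x509 -in "$dir/$f" -noout -checkend 0 >/dev/null 2>&1; then
            echo "EXPIRED    $dir/$f"; failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ] || return "$failures"

    # signing_cert.pem must chain to cacert.pem; openssl prints "<file>: OK".
    if ! openssl verify -CAfile "$dir/cacert.pem" "$dir/signing_cert.pem" \
            2>/dev/null | grep -q ': OK$'; then
        echo "CHAIN FAIL $dir/signing_cert.pem not issued by $dir/cacert.pem"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Stand-alone use: pass the signing directory as the first argument.
if [ "$#" -gt 0 ]; then
    check_signing_dir "$1"
fi
```

Run it as the service user rather than root, so that the readability test reflects what the nova process can actually open.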

Stats

Asked: 2015-02-25 23:29:15 -0600

Seen: 342 times

Last updated: Feb 26 '15