Ask Your Question
0

keystone-admin-vip/1: SSL handshake failure

asked 2015-02-27 15:23:31 -0500

RedCricket gravatar image

updated 2015-02-27 17:09:32 -0500

Hi,

I am having a heck of a time trouble shooting a problem I am having with my glance and cinder services on my controller nodes.

When I execute ...

# source openrc
# openstack-status

... I get this output ...

    == Glance services ==
    openstack-glance-api:                   active
    openstack-glance-registry:              active
    == Keystone service ==
    openstack-keystone:                     active    (disabled on boot)
    == neutron services ==
    neutron-server:                         inactive  (disabled on boot)
    neutron-dhcp-agent:                     inactive  (disabled on boot)
    neutron-l3-agent:                       inactive  (disabled on boot)
    neutron-metadata-agent:                 inactive  (disabled on boot)
    neutron-lbaas-agent:                    inactive  (disabled on boot)
    == Cinder services ==
    openstack-cinder-api:                   active
    openstack-cinder-scheduler:             active
    openstack-cinder-volume:                active
    openstack-cinder-backup:                active
    == Support services ==
    mysqld:                                 inactive  (disabled on boot)
    dbus:                                   active
    target:                                 inactive  (disabled on boot)
    memcached:                              active
    == Keystone users ==
    +----------------------------------+------------+---------+--------------------+
    |                id                |    name    | enabled |       email        |
    +----------------------------------+------------+---------+--------------------+
    | bx055dx4eb3640x38cx667c6eef82e8d |   admin    |   True  | keystone@example.com |
    | x7e6f0981e8b4431x74149e0421c3c5e | ceilometer |   True  | keystone@example.com |
    | c519fed3cd1443a18de0b006eab4xb7e |   cinder   |   True  | keystone@example.com |
    | 4bxd6c54cfe849148e8c1614415x664d |   glance   |   True  | keystone@example.com |
    | 2dx96c5164074d99916b59b7b6be9658 |    heat    |   True  | keystone@example.com |
    | 265d50582fdc4x5ex4160040f1e598ab |  neutron   |   True  | keystone@example.com |
    | 4ccb96df211141d795207eexe78fe55b |    nova    |   True  | keystone@example.com |
    +----------------------------------+------------+---------+--------------------+
    == Glance images ==
    Unable to establish connection to http://my-ost-rhel7.example.com:35357/v2.0/tokens

... and on my haproxy server's /var/log/messages I see this ...

... keystone-admin-vip/1: SSL handshake failure

Also, I have noted the http in the response Unable to establish connection to http://my-ost-rhel7.example.com:35357/v2.0/tokens but I have throughly checked my config files on the haproxy and on the controller nodes and we are using https anywhere a protocol is asked for. But who knows maybe I missed one.

I have even done this ...

# curl -k https://my-ost-rhel7.example.com:35357/v2.0 ; echo
{"version": {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}, {"base": "application/xml", "type": "application/vnd.openstack.identity-v2.0+xml"}], "id": "v2.0", "links": [{"href": "http://my-ost-rhel7.example.com:35357/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}}

... note the links bit of the json comes back with http and not https.

Does anyone know what would cause the keystone-admin-vip/1: SSL handshake failure error? I have googled and asked co-workers and nobody knows what is causing this?

Update:

Here's the output (shortened for readability) keystone endpoint-list:

----------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------+
                     publicurl                      |                     internalurl                     |                       adminurl                      |            
----------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------+
         https://my-ost-rhel7.example.com:9292         |          https://my-ost-rhel7.example.com:9292         |          https://my-ost-rhel7.example.com:9292
         https://my-ost-rhel7.example.com:8777         |          https://my-ost-rhel7.example.com:8777         |          https://my-ost-rhel7.example.com:8777
 http://my-ost-rhel7.example.com:8004/v1/%(tenant_id)s |  http://my-ost-rhel7.example.com:8004/v1/%(tenant_id)s |  http://my-ost-rhel7.example.com:8004/v1/%(tenant_id)s
    https://my-ost-cloud-rhel7.example.com/swift/v1    |     https://my-ost-cloud-rhel7.example.com/swift/v1    |     https://my-ost-cloud-rhel7.example.com/swift/v1
https://my-ost-rhel7.example.com:8774/v2/$(tenant_id)s | https://my-ost-rhel7.example.com:8774/v2/$(tenant_id)s | https://my-ost-rhel7.example.com:8774/v2/$(tenant_id)s
      https://my-ost-rhel7.example.com:5000/v2.0       |       https://my-ost-rhel7.example.com:5000/v2.0       |       https://my-ost-rhel7.example.com:35357/v2.0
         https://my-ost-rhel7.example.com:9696         |          https://my-ost-rhel7.example.com:9696         |          https://my-ost-rhel7.example.com:9696
https://my-ost-rhel7.example.com:8776/v1/$(tenant_id)s | https://my-ost-rhel7.example.com:8776/v1/$(tenant_id)s | https://my-ost-rhel7.example.com:8776/v1/$(tenant_id)s
edit retag flag offensive close merge delete
add a comment

2 answers

Sort by ยป oldest newest most voted
0

answered 2015-03-02 16:23:49 -0500

RedCricket gravatar image

updated 2015-03-02 16:25:45 -0500

as Haneef pointed out I needed to add ...

admin_endpoint = https://my-ost-rhel7.example.com:35357
public_endpoint = https://my-ost-rhel7.example.com:5000

... to the [DEFAULT] of my /etc/keystone/keystone.conf file as per http://docs.openstack.org/juno/config...

edit flag offensive delete link more
add a comment
1

answered 2015-02-27 16:56:14 -0500

Haneef Ali gravatar image

Check the identity endpoint for identity service in catalog. I beleive it has reference to "http". (i.e) In keystone database, check the endpoint table

edit flag offensive delete link more

Comments

Thanks for the reply Haneef, I have updated my question with the endpoint listing.

RedCricket gravatar imageRedCricket ( 2015-02-27 17:10:28 -0500 )edit

I don't see keystone endpoint in the catalog. Did you miss it? Also if you do keystone --debug user-list or any other keystone command with --debug option, you will see the catalog. Check the endpoints in the catalog.

Haneef Ali gravatar imageHaneef Ali ( 2015-02-27 18:32:21 -0500 )edit
1

Also please check whether you have any entry in public_endpoint, admin_endpoint in keystone.conf. You should not have any entry there. Most probably this is the cause

Haneef Ali gravatar imageHaneef Ali ( 2015-02-27 18:33:10 -0500 )edit

yep that was it!

RedCricket gravatar imageRedCricket ( 2015-03-02 16:24:46 -0500 )edit

You really don't need to add it. If you don't set those varaibles, it will deduce the url from the request which is the correct way to do that unless you want to have the response to have a predefined address

Haneef Ali gravatar imageHaneef Ali ( 2015-03-02 21:52:11 -0500 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2015-02-27 15:23:31 -0500

Seen: 889 times

Last updated: Mar 02 '15

Related questions

admin_endpoint in keystone is ignored?

Glance with SSL: sslv3 alert handshake failure

Problem in installing xmlsec module as a dependency for dm.xmlsec.binding/1.0b3 [closed]

No module named simple

Mirantis Fuel SSL for Horizon

block non-admin user to grant admin role

moving keystone to another server

Keystone V3 in Kilo

glance add problem:NotAuthorized: None

show user with role ?