Ask Your Question
0

keystone-admin-vip/1: SSL handshake failure

asked 2015-02-27 15:23:31 -0600

RedCricket gravatar image

updated 2015-02-27 17:09:32 -0600

Hi,

I am having a heck of a time trouble shooting a problem I am having with my glance and cinder services on my controller nodes.

When I execute ...

# source openrc
# openstack-status

... I get this output ...

    == Glance services ==
    openstack-glance-api:                   active
    openstack-glance-registry:              active
    == Keystone service ==
    openstack-keystone:                     active    (disabled on boot)
    == neutron services ==
    neutron-server:                         inactive  (disabled on boot)
    neutron-dhcp-agent:                     inactive  (disabled on boot)
    neutron-l3-agent:                       inactive  (disabled on boot)
    neutron-metadata-agent:                 inactive  (disabled on boot)
    neutron-lbaas-agent:                    inactive  (disabled on boot)
    == Cinder services ==
    openstack-cinder-api:                   active
    openstack-cinder-scheduler:             active
    openstack-cinder-volume:                active
    openstack-cinder-backup:                active
    == Support services ==
    mysqld:                                 inactive  (disabled on boot)
    dbus:                                   active
    target:                                 inactive  (disabled on boot)
    memcached:                              active
    == Keystone users ==
    +----------------------------------+------------+---------+--------------------+
    |                id                |    name    | enabled |       email        |
    +----------------------------------+------------+---------+--------------------+
    | bx055dx4eb3640x38cx667c6eef82e8d |   admin    |   True  | keystone@example.com |
    | x7e6f0981e8b4431x74149e0421c3c5e | ceilometer |   True  | keystone@example.com |
    | c519fed3cd1443a18de0b006eab4xb7e |   cinder   |   True  | keystone@example.com |
    | 4bxd6c54cfe849148e8c1614415x664d |   glance   |   True  | keystone@example.com |
    | 2dx96c5164074d99916b59b7b6be9658 |    heat    |   True  | keystone@example.com |
    | 265d50582fdc4x5ex4160040f1e598ab |  neutron   |   True  | keystone@example.com |
    | 4ccb96df211141d795207eexe78fe55b |    nova    |   True  | keystone@example.com |
    +----------------------------------+------------+---------+--------------------+
    == Glance images ==
    Unable to establish connection to http://my-ost-rhel7.example.com:35357/v2.0/tokens

... and on my haproxy server's /var/log/messages I see this ...

... keystone-admin-vip/1: SSL handshake failure

Also, I have noted the http in the response Unable to establish connection to http://my-ost-rhel7.example.com:35357/v2.0/tokens but I have throughly checked my config files on the haproxy and on the controller nodes and we are using https anywhere a protocol is asked for. But who knows maybe I missed one.

I have even done this ...

# curl -k https://my-ost-rhel7.example.com:35357/v2.0 ; echo
{"version": {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}, {"base": "application/xml", "type": "application/vnd.openstack.identity-v2.0+xml"}], "id": "v2.0", "links": [{"href": "http://my-ost-rhel7.example.com:35357/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}}

... note the links bit of the json comes back with http and not https.

Does anyone know what would cause the keystone-admin-vip/1: SSL handshake failure error? I have googled and asked co-workers and nobody knows what is causing this?

Update:

Here's the output (shortened for readability) keystone endpoint-list:

----------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------+
                     publicurl                      |                     internalurl                     |                       adminurl                      |            
----------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------+
         https://my-ost-rhel7.example.com:9292         |          https://my-ost-rhel7.example.com:9292         |          https://my-ost-rhel7.example.com:9292
         https://my-ost-rhel7.example.com:8777         |          https://my-ost-rhel7.example.com:8777         |          https://my-ost-rhel7.example.com:8777
 http://my-ost-rhel7.example.com:8004/v1/%(tenant_id)s |  http://my-ost-rhel7.example.com:8004/v1/%(tenant_id)s |  http://my-ost-rhel7.example.com:8004/v1/%(tenant_id)s
    https://my-ost-cloud-rhel7.example.com/swift/v1    |     https://my-ost-cloud-rhel7.example.com/swift/v1    |     https://my-ost-cloud-rhel7.example.com/swift/v1
https://my-ost-rhel7.example.com:8774/v2/$(tenant_id)s | https://my-ost-rhel7.example.com:8774/v2/$(tenant_id)s | https://my-ost-rhel7.example.com:8774/v2/$(tenant_id)s
      https://my-ost-rhel7.example.com:5000/v2.0       |       https://my-ost-rhel7.example.com:5000/v2.0       |       https://my-ost-rhel7.example.com:35357/v2.0
         https://my-ost-rhel7.example.com:9696         |          https://my-ost-rhel7.example.com:9696         |          https://my-ost-rhel7.example.com:9696
https://my-ost-rhel7.example.com:8776/v1/$(tenant_id)s | https://my-ost-rhel7.example.com:8776/v1/$(tenant_id)s | https://my-ost-rhel7.example.com:8776/v1/$(tenant_id)s
edit retag flag offensive close merge delete
add a comment

2 answers

Sort by ยป oldest newest most voted
0

answered 2015-03-02 16:23:49 -0600

RedCricket gravatar image

updated 2015-03-02 16:25:45 -0600

as Haneef pointed out I needed to add ...

admin_endpoint = https://my-ost-rhel7.example.com:35357
public_endpoint = https://my-ost-rhel7.example.com:5000

... to the [DEFAULT] of my /etc/keystone/keystone.conf file as per http://docs.openstack.org/juno/config...

edit flag offensive delete link more
add a comment
1

answered 2015-02-27 16:56:14 -0600

Haneef Ali gravatar image

Check the identity endpoint for identity service in catalog. I beleive it has reference to "http". (i.e) In keystone database, check the endpoint table

edit flag offensive delete link more

Comments

Thanks for the reply Haneef, I have updated my question with the endpoint listing.

RedCricket gravatar imageRedCricket ( 2015-02-27 17:10:28 -0600 )edit

I don't see keystone endpoint in the catalog. Did you miss it? Also if you do keystone --debug user-list or any other keystone command with --debug option, you will see the catalog. Check the endpoints in the catalog.

Haneef Ali gravatar imageHaneef Ali ( 2015-02-27 18:32:21 -0600 )edit
1

Also please check whether you have any entry in public_endpoint, admin_endpoint in keystone.conf. You should not have any entry there. Most probably this is the cause

Haneef Ali gravatar imageHaneef Ali ( 2015-02-27 18:33:10 -0600 )edit

yep that was it!

RedCricket gravatar imageRedCricket ( 2015-03-02 16:24:46 -0600 )edit

You really don't need to add it. If you don't set those varaibles, it will deduce the url from the request which is the correct way to do that unless you want to have the response to have a predefined address

Haneef Ali gravatar imageHaneef Ali ( 2015-03-02 21:52:11 -0600 )edit
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2015-02-27 15:23:31 -0600

Seen: 1,144 times

Last updated: Mar 02 '15

Related questions

User/service accounts appear to be configured correctly, but I am getting user not found error. Icehouse on Centos.

Unable to launch demo instance

Glance Scrubber not running

Keystone-manage command not found.

glance image list issue

Magnum - ERROR: Invalid input for field identity/password/user: id or name must be present (HTTP 500)

Converted to raw, but format is now qcow2 ????

authorization failed (keystone logs)

problem when running command

keystone not following config file