Ask Your Question
0

keystone-admin-vip/1: SSL handshake failure

asked 2015-02-27 15:23:31 -0600

RedCricket gravatar image

updated 2015-02-27 17:09:32 -0600

Hi,

I am having a heck of a time trouble shooting a problem I am having with my glance and cinder services on my controller nodes.

When I execute ...

# source openrc
# openstack-status

... I get this output ...

    == Glance services ==
    openstack-glance-api:                   active
    openstack-glance-registry:              active
    == Keystone service ==
    openstack-keystone:                     active    (disabled on boot)
    == neutron services ==
    neutron-server:                         inactive  (disabled on boot)
    neutron-dhcp-agent:                     inactive  (disabled on boot)
    neutron-l3-agent:                       inactive  (disabled on boot)
    neutron-metadata-agent:                 inactive  (disabled on boot)
    neutron-lbaas-agent:                    inactive  (disabled on boot)
    == Cinder services ==
    openstack-cinder-api:                   active
    openstack-cinder-scheduler:             active
    openstack-cinder-volume:                active
    openstack-cinder-backup:                active
    == Support services ==
    mysqld:                                 inactive  (disabled on boot)
    dbus:                                   active
    target:                                 inactive  (disabled on boot)
    memcached:                              active
    == Keystone users ==
    +----------------------------------+------------+---------+--------------------+
    |                id                |    name    | enabled |       email        |
    +----------------------------------+------------+---------+--------------------+
    | bx055dx4eb3640x38cx667c6eef82e8d |   admin    |   True  | keystone@example.com |
    | x7e6f0981e8b4431x74149e0421c3c5e | ceilometer |   True  | keystone@example.com |
    | c519fed3cd1443a18de0b006eab4xb7e |   cinder   |   True  | keystone@example.com |
    | 4bxd6c54cfe849148e8c1614415x664d |   glance   |   True  | keystone@example.com |
    | 2dx96c5164074d99916b59b7b6be9658 |    heat    |   True  | keystone@example.com |
    | 265d50582fdc4x5ex4160040f1e598ab |  neutron   |   True  | keystone@example.com |
    | 4ccb96df211141d795207eexe78fe55b |    nova    |   True  | keystone@example.com |
    +----------------------------------+------------+---------+--------------------+
    == Glance images ==
    Unable to establish connection to http://my-ost-rhel7.example.com:35357/v2.0/tokens

... and on my haproxy server's /var/log/messages I see this ...

... keystone-admin-vip/1: SSL handshake failure

Also, I have noted the http in the response Unable to establish connection to http://my-ost-rhel7.example.com:35357/v2.0/tokens but I have throughly checked my config files on the haproxy and on the controller nodes and we are using https anywhere a protocol is asked for. But who knows maybe I missed one.

I have even done this ...

# curl -k https://my-ost-rhel7.example.com:35357/v2.0 ; echo
{"version": {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}, {"base": "application/xml", "type": "application/vnd.openstack.identity-v2.0+xml"}], "id": "v2.0", "links": [{"href": "http://my-ost-rhel7.example.com:35357/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}}

... note the links bit of the json comes back with http and not https.

Does anyone know what would cause the keystone-admin-vip/1: SSL handshake failure error? I have googled and asked co-workers and nobody knows what is causing this?

Update:

Here's the output (shortened for readability) keystone endpoint-list:

----------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------+
                     publicurl                      |                     internalurl                     |                       adminurl                      |            
----------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------+
         https://my-ost-rhel7.example.com:9292         |          https://my-ost-rhel7.example.com:9292         |          https://my-ost-rhel7.example.com:9292
         https://my-ost-rhel7.example.com:8777         |          https://my-ost-rhel7.example.com:8777         |          https://my-ost-rhel7.example.com:8777
 http://my-ost-rhel7.example.com:8004/v1/%(tenant_id)s |  http://my-ost-rhel7.example.com:8004/v1/%(tenant_id)s |  http://my-ost-rhel7.example.com:8004/v1/%(tenant_id)s
    https://my-ost-cloud-rhel7.example.com/swift/v1    |     https://my-ost-cloud-rhel7.example.com/swift/v1    |     https://my-ost-cloud-rhel7.example.com/swift/v1
https://my-ost-rhel7.example.com:8774/v2/$(tenant_id)s | https://my-ost-rhel7.example.com:8774/v2/$(tenant_id)s | https://my-ost-rhel7.example.com:8774/v2/$(tenant_id)s
      https://my-ost-rhel7.example.com:5000/v2.0       |       https://my-ost-rhel7.example.com:5000/v2.0       |       https://my-ost-rhel7.example.com:35357/v2.0
         https://my-ost-rhel7.example.com:9696         |          https://my-ost-rhel7.example.com:9696         |          https://my-ost-rhel7.example.com:9696
https://my-ost-rhel7.example.com:8776/v1/$(tenant_id)s | https://my-ost-rhel7.example.com:8776/v1/$(tenant_id)s | https://my-ost-rhel7.example.com:8776/v1/$(tenant_id)s
edit retag flag offensive close merge delete
add a comment

2 answers

Sort by ยป oldest newest most voted
0

answered 2015-03-02 16:23:49 -0600

RedCricket gravatar image

updated 2015-03-02 16:25:45 -0600

as Haneef pointed out I needed to add ...

admin_endpoint = https://my-ost-rhel7.example.com:35357
public_endpoint = https://my-ost-rhel7.example.com:5000

... to the [DEFAULT] of my /etc/keystone/keystone.conf file as per http://docs.openstack.org/juno/config...

edit flag offensive delete link more
add a comment
1

answered 2015-02-27 16:56:14 -0600

Haneef Ali gravatar image

Check the identity endpoint for identity service in catalog. I beleive it has reference to "http". (i.e) In keystone database, check the endpoint table

edit flag offensive delete link more

Comments

Thanks for the reply Haneef, I have updated my question with the endpoint listing.

RedCricket gravatar imageRedCricket ( 2015-02-27 17:10:28 -0600 )edit

I don't see keystone endpoint in the catalog. Did you miss it? Also if you do keystone --debug user-list or any other keystone command with --debug option, you will see the catalog. Check the endpoints in the catalog.

Haneef Ali gravatar imageHaneef Ali ( 2015-02-27 18:32:21 -0600 )edit
1

Also please check whether you have any entry in public_endpoint, admin_endpoint in keystone.conf. You should not have any entry there. Most probably this is the cause

Haneef Ali gravatar imageHaneef Ali ( 2015-02-27 18:33:10 -0600 )edit

yep that was it!

RedCricket gravatar imageRedCricket ( 2015-03-02 16:24:46 -0600 )edit

You really don't need to add it. If you don't set those varaibles, it will deduce the url from the request which is the correct way to do that unless you want to have the response to have a predefined address

Haneef Ali gravatar imageHaneef Ali ( 2015-03-02 21:52:11 -0600 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2015-02-27 15:23:31 -0600

Seen: 776 times

Last updated: Mar 02 '15

Related questions

how to change keystone endpoint URLs to https

[Solved] keystone ssl port closed...Why?

Glance, nova not working with keystone on SSL

New Instance gets always into error status [closed]

Can't create project inside newly created domain

keystone user-role-add - Usage error

Glance on Mitaka - change endpoint for better performance

Keystone authentication to public/admin port and scoped/unscoped token

Keystone High Availability

glance 401 unauththorized