
keystone-admin-vip/1: SSL handshake failure

asked 2015-02-27 15:23:31 -0500

RedCricket

updated 2015-02-27 17:09:32 -0500


I am having a heck of a time troubleshooting a problem I am having with my glance and cinder services on my controller nodes.

When I execute ...

    # source openrc
    # openstack-status

... I get this output ...

    == Glance services ==
    openstack-glance-api:                   active
    openstack-glance-registry:              active
    == Keystone service ==
    openstack-keystone:                     active    (disabled on boot)
    == neutron services ==
    neutron-server:                         inactive  (disabled on boot)
    neutron-dhcp-agent:                     inactive  (disabled on boot)
    neutron-l3-agent:                       inactive  (disabled on boot)
    neutron-metadata-agent:                 inactive  (disabled on boot)
    neutron-lbaas-agent:                    inactive  (disabled on boot)
    == Cinder services ==
    openstack-cinder-api:                   active
    openstack-cinder-scheduler:             active
    openstack-cinder-volume:                active
    openstack-cinder-backup:                active
    == Support services ==
    mysqld:                                 inactive  (disabled on boot)
    dbus:                                   active
    target:                                 inactive  (disabled on boot)
    memcached:                              active
    == Keystone users ==
    |                id                |    name    | enabled |       email        |
    | bx055dx4eb3640x38cx667c6eef82e8d |   admin    |   True  | |
    | x7e6f0981e8b4431x74149e0421c3c5e | ceilometer |   True  | |
    | c519fed3cd1443a18de0b006eab4xb7e |   cinder   |   True  | |
    | 4bxd6c54cfe849148e8c1614415x664d |   glance   |   True  | |
    | 2dx96c5164074d99916b59b7b6be9658 |    heat    |   True  | |
    | 265d50582fdc4x5ex4160040f1e598ab |  neutron   |   True  | |
    | 4ccb96df211141d795207eexe78fe55b |    nova    |   True  | |
    == Glance images ==
    Unable to establish connection to

... and on my haproxy server's /var/log/messages I see this ...

    ... keystone-admin-vip/1: SSL handshake failure

Also, I have noted the http in the response Unable to establish connection to but I have thoroughly checked my config files on the haproxy and on the controller nodes, and we are using https anywhere a protocol is asked for. But who knows, maybe I missed one.

I have even done this ...

    # curl -k ; echo
    {"version": {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}, {"base": "application/xml", "type": "application/vnd.openstack.identity-v2.0+xml"}], "id": "v2.0", "links": [{"href": "", "rel": "self"}, {"href": "", "type": "text/html", "rel": "describedby"}]}}

... note the links bit of the json comes back with http and not https.

Does anyone know what would cause the keystone-admin-vip/1: SSL handshake failure error? I have googled and asked co-workers, and nobody knows what is causing this.


Here's the output (shortened for readability) of keystone endpoint-list:

                     publicurl                      |                     internalurl                     |                       adminurl                      |            
----------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------+         |         |         |         | | |    |    |$(tenant_id)s |$(tenant_id)s |$(tenant_id)s       |       |         |         |$(tenant_id)s |$(tenant_id)s |$(tenant_id)s

2 answers


answered 2015-03-02 16:23:49 -0500

RedCricket

updated 2015-03-02 16:25:45 -0500

As Haneef pointed out, I needed to add ...

    admin_endpoint =
    public_endpoint =

... to the [DEFAULT] of my /etc/keystone/keystone.conf file as per


answered 2015-02-27 16:56:14 -0500

Check the identity endpoint for the identity service in the catalog. I believe it has a reference to "http" (i.e., in the keystone database, check the endpoint table).



Thanks for the reply Haneef, I have updated my question with the endpoint listing.

RedCricket (2015-02-27 17:10:28 -0500)

I don't see keystone endpoint in the catalog. Did you miss it? Also if you do keystone --debug user-list or any other keystone command with --debug option, you will see the catalog. Check the endpoints in the catalog.

Haneef Ali (2015-02-27 18:32:21 -0500)

Also please check whether you have any entry in public_endpoint, admin_endpoint in keystone.conf. You should not have any entry there. Most probably this is the cause

Haneef Ali (2015-02-27 18:33:10 -0500)

yep that was it!

RedCricket (2015-03-02 16:24:46 -0500)

You really don't need to add it. If you don't set those variables, it will deduce the URL from the request, which is the correct way to do that unless you want the response to have a predefined address.

Haneef Ali (2015-03-02 21:52:11 -0500)
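
A check for the symptom discussed in this thread, added here as an example and not code from the posters or from Keystone: it compares the scheme of the "self" link in a version document with the scheme the client requested, and reports the admin_endpoint / public_endpoint settings found in [DEFAULT]. The host name, port, sample response and sample keystone.conf are constructed, and the helper names are hypothetical.

```python
import configparser
import json
from urllib.parse import urlsplit

# Constructed sample data: host name and port are placeholders, not values from the thread.
REQUEST_URL = "https://keystone.example.test:35357/v2.0"
VERSION_DOC = json.dumps({"version": {"id": "v2.0", "status": "stable", "links": [
    {"href": "http://keystone.example.test:35357/v2.0/", "rel": "self"},
    {"href": "http://docs.example.test/", "type": "text/html", "rel": "describedby"},
]}})
KEYSTONE_CONF = """\
[DEFAULT]
# admin_endpoint and public_endpoint are unset in this sample
debug = False
"""


def self_link_mismatches(request_url, version_json):
    """Return 'self' hrefs whose scheme differs from the scheme the client used."""
    want = urlsplit(request_url).scheme
    links = json.loads(version_json)["version"]["links"]
    # Only 'self' links are checked; 'describedby' points at external documentation.
    return [link["href"] for link in links
            if link.get("rel") == "self" and urlsplit(link["href"]).scheme != want]


def endpoint_overrides(conf_text):
    """Return the [DEFAULT] admin_endpoint/public_endpoint values (None if unset)."""
    parser = configparser.RawConfigParser()  # Raw: no %-interpolation of option values
    parser.read_string(conf_text)
    return {k: parser.defaults().get(k) for k in ("admin_endpoint", "public_endpoint")}


def diagnose(request_url, version_json, conf_text):
    """List findings that explain why a client may be sent to a non-TLS URL."""
    want = urlsplit(request_url).scheme
    bad = self_link_mismatches(request_url, version_json)
    notes = ["self link %s does not use %s" % (href, want) for href in bad]
    for name, value in endpoint_overrides(conf_text).items():
        if value is None:
            if bad:  # unset only matters when the advertised link is wrong
                notes.append("%s is unset" % name)
        elif urlsplit(value).scheme != want:
            notes.append("%s = %s does not use %s" % (name, value, want))
    return notes
```
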
