
how to configure SSL for keystone

asked 2015-03-31 10:24:59 -0500

darren-wang

updated 2015-03-31 10:25:51 -0500

I want to try SSL feature of keystone, so I used

keystone-manage ssl_setup

to generate the keys and certs, and configured my keystone.conf like this:

[ssl]
enable=true
certfile=/etc/keystone/ssl/certs/keystone.pem
keyfile=/etc/keystone/ssl/private/keystonekey.pem
ca_certs=/etc/keystone/ssl/certs/ca.pem
ca_key=/etc/keystone/ssl/private/cakey.pem
cert_required=false
key_size=2048
valid_days=3650
cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=202.303.***.***

All these files do exist in the configured place and I'm sure the user has enough permissions, but when I set "enable=true" and start the Keystone server, it won't answer any request; its log file (DEBUG level) only prints all the configuration options during startup and never changes again.

And when I use keystoneclient to send a command, the client just echoes nothing; I have to use Ctrl+C to stop keystoneclient. Even worse, nothing more appears in keystone's log file during this whole period.

When I turn it off by setting "enable=false", everything goes back to normal. This is so weird, and I don't even have log data to see what is wrong.


3 answers


answered 2015-04-02 03:10:17 -0500

nethawk

After you set enable=true, you must change your requests from "http" to "https". And you must change the URL both in the environment and in the config files of the other components.

cert_required means whether keystone checks the correctness of the cert file sent from the client. If it is set to "false", keystone will not check.


Comments

Seems you are right. Can you specify what options I need to change? I changed my environment like this: export OS_AUTH_URL=https://controller1:35357/v2.0 and my keystone.conf like this: public_endpoint=https://... admin_endpoint=https://... [ssl] enable = true TO BE CONTINUED

darren-wang (2015-04-02 04:46:14 -0500)

But then I got this:

Authorization Failed: SSL exception connecting to https://controller1:35357/v2.0
darren-wang (2015-04-02 04:46:57 -0500)

How did you send the request? Change controller1 to the IP included in cert_subject. Then try it again.

nethawk (2015-04-02 05:05:46 -0500)

answered 2015-03-31 10:38:46 -0500

What about the parameter 'cert_required=false'? http://docs.openstack.org/admin-guide... I see it set to true in this example; does modifying that to true and restarting keystone provide any different results?


Comments

I didn't try it, but my client doesn't have cert files, maybe I should generate cert files for the client and test it like you said.

darren-wang (2015-04-01 04:17:02 -0500)
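The two answers above come down to three consistency checks: the client must use https once [ssl] enable=true, the host in OS_AUTH_URL must match the CN in cert_subject, and cert_required=true turns on client certificate verification. The following script is an added example, not code from the thread or from Keystone; it reads a keystone.conf fragment with configparser and reports these mismatches before you restart the service. The config text, the 203.0.113.10 address and the function names are constructed for the example.

```python
import configparser
import ipaddress
from urllib.parse import urlparse

# Constructed sample: a keystone.conf [ssl] section shaped like the one in the
# question (placeholder paths and a documentation IP, not the asker's values).
SAMPLE_CONF = """\
[ssl]
enable = true
certfile = /etc/keystone/ssl/certs/keystone.pem
keyfile = /etc/keystone/ssl/private/keystonekey.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
cert_required = false
cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=203.0.113.10
"""


def parse_subject(subject):
    """Split an OpenSSL-style '/C=US/ST=.../CN=host' string into {RDN: value}."""
    rdns = {}
    for part in subject.split("/"):
        if "=" in part:
            key, value = part.split("=", 1)
            rdns[key.strip()] = value.strip()
    return rdns


def check_keystone_ssl(conf_text, auth_url):
    """Return a list of (code, message) findings for a conf text and the URL clients use."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    if cfg.has_section("ssl"):
        enabled = cfg.getboolean("ssl", "enable", fallback=False)
        subject = cfg.get("ssl", "cert_subject", fallback="")
        cert_required = cfg.getboolean("ssl", "cert_required", fallback=False)
    else:
        enabled, subject, cert_required = False, "", False

    url = urlparse(auth_url)
    findings = []

    # Check 1: scheme must agree with the enable flag (the first answer's point).
    if enabled and url.scheme != "https":
        findings.append(("scheme", "[ssl] enable=true but the client URL uses %r; use https://" % url.scheme))
    elif not enabled and url.scheme == "https":
        findings.append(("scheme", "client URL uses https but [ssl] enable is false"))
    if not enabled:
        return findings

    # Check 2: the host the client dials must match the certificate CN
    # (the "SSL exception" in the comments came from controller1 vs. an IP CN).
    cn = parse_subject(subject).get("CN")
    host = url.hostname or ""
    if cn is None:
        findings.append(("cn-missing", "cert_subject has no CN"))
    else:
        if cn.lower() != host.lower():
            findings.append(("cn-mismatch",
                             "certificate CN %r does not match the host clients connect to (%r)" % (cn, host)))
        try:
            ipaddress.ip_address(cn)
            # Caveat: verifiers following RFC 6125 match IP addresses only against
            # SAN iPAddress entries, not the CN, so an IP-only CN is fragile.
            findings.append(("cn-is-ip", "CN is an IP address; prefer a hostname CN plus a SAN entry"))
        except ValueError:
            pass

    # Check 3: cert_required=true means every client needs its own certificate
    # chaining to ca_certs (the second answer's point).
    if cert_required:
        findings.append(("client-cert", "cert_required=true: clients must present a certificate signed by ca_certs"))
    return findings


if __name__ == "__main__":
    for code, msg in check_keystone_ssl(SAMPLE_CONF, "http://controller1:35357/v2.0"):
        print("%-12s %s" % (code, msg))
```

Run it against the real /etc/keystone/keystone.conf by reading the file into conf_text and passing the value of OS_AUTH_URL; an empty list means the three settings agree, and "cn-mismatch" reproduces the situation in the comments above where the client dialled controller1 while the CN held an IP.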

answered 2015-09-02 04:07:59 -0500

Ahmed Morgan

I have the same issue; followed many links after googling, with no luck.

DEBUG:keystoneclient.auth.identity.v2:Making authentication request to https://cntrl.domain.local:35357/v2.0/tokens (https://cntrl.domain.local:35357/v2.0...)
INFO:urllib3.connectionpool:Starting new HTTPS connection (1): cntrl.domain.local
Authorization Failed: SSL exception connecting to https://cntrl.domain.local:35357/v2.0/tokens (https://cntrl.domain.local:35357/v2.0...)


Last updated: Sep 02 '15