Ask Your Question

keystone ssl error

asked 2015-05-23 06:45:36 -0500

frz59 gravatar image

Hi there. I want to enable on keystone api. First, I created cert and key by this command :

 keystone-manage ssl_setup --keystone-user keystone --keystone-group keystone

Then in keystone.conf I made these changes:

enable = True
certfile = /etc/keystone/ssl/certs/keystone.pem
keyfile = /etc/keystone/ssl/private/keystonekey.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
ca_key = /etc/keystone/ssl/certs/cakey.pem

Then I restarted all openstack services.

When I want to access to keystone endpoint (by curl command) , I receive this error:

curl: (35) SSL received a record that exceeded the maximum permissible length.

Would anyone help me? I use Openstack RDO KILO.

edit retag flag offensive close merge delete


Please share the curl command.

uts9 gravatar imageuts9 ( 2015-05-23 13:05:45 -0500 )edit

for example :

frz59 gravatar imagefrz59 ( 2015-05-24 02:54:05 -0500 )edit

Can you please run curl (only http) Just to make sure that SSL is enabled.

uts9 gravatar imageuts9 ( 2015-05-24 07:36:35 -0500 )edit

Result of this :

{"version": {"status": "stable", "updated": "2015-03-30T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": [{"href": "", "rel": "self"}]}}
frz59 gravatar imagefrz59 ( 2015-05-24 23:46:55 -0500 )edit

1 answer

Sort by ยป oldest newest most voted

answered 2015-05-25 00:27:38 -0500

uts9 gravatar image

updated 2015-05-25 00:40:40 -0500

Looks like SSL is not enabled. Therefore you are getting response in http (not in https).

edit flag offensive delete link more


Look at my configuration file:

enable = True
certfile = /etc/keystone/ssl/certs/keystone.pem
keyfile = /etc/keystone/ssl/private/keystonekey.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
ca_key = /etc/keystone/ssl/certs/cakey.pem

it must be enabled.

frz59 gravatar imagefrz59 ( 2015-05-25 00:59:51 -0500 )edit

Can you specify certificate options and try?

curl --cert /etc/keystone/ssl/certs/signing_cert.pem --cacert /etc/keystone/ssl/certs/ca.pem <URL>

with both http and https

uts9 gravatar imageuts9 ( 2015-05-25 02:48:20 -0500 )edit

The result is same as the previous curl requestes. :/

frz59 gravatar imagefrz59 ( 2015-05-26 06:40:41 -0500 )edit

Can someone clarify for me... are the configurations in keystone.conf [signing] and [ssl] for authentication & connection purposes, or only for generating the key/certs? If I have signed cert from a known CA, can/should I specify it there for authentication/connection?

Stephanie Fuller gravatar imageStephanie Fuller ( 2015-07-30 14:18:32 -0500 )edit

They are for authentication & connection purposes and yes, you have to specify it.

frz59 gravatar imagefrz59 ( 2015-09-02 03:25:38 -0500 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2015-05-23 06:45:36 -0500

Seen: 2,402 times

Last updated: May 25 '15