How to change keystone endpoint URLs to https
I am running OpenStack/Keystone/Swift on CentOS 7. I am adding SSL to OpenStack/Keystone/Swift.
I edited /etc/keystone/keystone.conf [signing] section to include parameters for generating key & certs with 'keystone-manage pki_setup'.
I generated key & certs and added them to /etc/httpd/conf.d/wsgi-keystone.conf, ports 5000 & 35357.
I installed mod_ssl for Apache and used openssl to make certs for port 443. Not quite sure that was necessary???
I edited /etc/keystone/proxy-swift.conf to change the [filter:authtoken] section to have auth_uri & auth_url be https://<ip>:port, and I added 'insecure = True'
The one thing I have not been able to change is the endpoints in keystone.
When I hit the IP:ports in Firefox, after accepting the untrusted certificate, I get OK.
But when I try to use the openstack command, I get InsecurePlatformWarning as follows:
(openstack) user list
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
WARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
ERROR: openstack SSL exception connecting to https://controller:35357/v3/auth/tokens: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Following is the environment I set:
[root@swift ~]# cat admins-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=**************
export OS_AUTH_URL=https://controller:35357/v3
I followed the suggestion in urllib3... to upgrade Python from 2.7.5 to 2.7.9 (download source, make, make install, then changed the link in /usr/bin/python to point to python 2.7.9 - breaks openstack-swift-proxy service).
So, what have I overlooked? How can I get the endpoints changed in keystone? Does 'insecure = True' even do anything in swift-proxy? Would this all be fixed if I got real certs???
Thanks in advance for any insight.
Oops, that was /etc/swift/proxy-swift.conf for the [filter:authtoken] stuff...
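An added example, not part of the original posts: a small audit of the [filter:authtoken] section described in the question, flagging non-https auth URLs and disabled certificate verification. The function name, the sample file contents and the 192.0.2.10 address are assumptions made for illustration; `insecure` and `cafile` are keystonemiddleware auth_token options.

```python
import configparser

# Constructed sample modelled on the settings described in the question.
# The address is a documentation placeholder, not a value from the page.
SAMPLE_CONF = """\
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
auth_uri = https://192.0.2.10:5000
auth_url = https://192.0.2.10:35357
insecure = True
"""

TRUE_VALUES = {"1", "true", "yes", "on"}


def audit_authtoken(conf_text, section="filter:authtoken"):
    """Return a list of (option, finding) tuples for one authtoken section."""
    # Paste-deploy files may contain %(here)s, so interpolation is turned off.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    if not parser.has_section(section):
        return [(section, "section not found")]

    opts = parser[section]
    findings = []

    # Both Keystone URLs should use TLS once the endpoints are switched over.
    for key in ("auth_uri", "auth_url"):
        url = opts.get(key, "").strip()
        if not url:
            findings.append((key, "not set"))
        elif not url.lower().startswith("https://"):
            findings.append((key, "not an https:// URL"))

    # insecure = True skips certificate verification entirely; cafile keeps
    # verification on and names the CA that signed the Keystone certificate.
    insecure = opts.get("insecure", "false").strip().lower() in TRUE_VALUES
    cafile = opts.get("cafile", "").strip()
    if insecure:
        findings.append(("insecure", "certificate verification is disabled"))
    elif not cafile:
        findings.append(("cafile", "not set; only system-trusted CAs will verify"))
    return findings
```

Replacing `insecure = True` with a `cafile` entry that points at the CA certificate used to sign the Keystone endpoints clears the finding while keeping verification on.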
Check
or
For Ubuntu need dependency