Ask Your Question
0

how to change keystone endpoint URLs to https

asked 2015-07-15 16:49:56 -0600

Stephanie Fuller gravatar image

updated 2015-07-15 18:38:55 -0600

sunnyarora gravatar image

I am running openstack/keystone/swift on centos 7. I am adding ssl to openstack/keystone/swift.

I edited /etc/keystone/keystone.conf [signing] section to include parameters for generating key & certs with 'keystone-manage pki_setup'.

I generated key & certs and added them to /etc/httpd/conf.d/wsgi-keystone.conf, ports 5000 & 35357.

I installed mod_ssl to apache and used openssl to make certs for port 443. Not quite sure that was necessary???

I edited /etc/keystone/proxy-swift.conf to change the [filter:authtoken] section to have auth_uri & auth_url be https://<ip>:port, and I added 'insecure = True'

The one thing I have not been able to change is the endpoints in keystone.

When I hit the IP:ports in Firefox, after accepting the untrusted certificate, I get OK.

But when I try to use openstack command, I get InsecurePlatformWarning as follows:

(openstack) user list
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
WARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
ERROR: openstack SSL exception connecting to https://controller:35357/v3/auth/tokens: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Following is the environment I set:

[root@swift ~]# cat admins-openrc.sh 
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=**************
export OS_AUTH_URL=https://controller:35357/v3

I followed the suggestion in urllib3... to upgrade to python from 2.7.5 to 2.7.9, (download source, make, make install, then changed the link in /usr/bin/python to point to python 2.7.9 - breaks openstack-swift-proxy service)

So, what have I overlooked? How can I get the endpoints changed in keystone? Does 'insecure = True' even do anything in swift-proxy? Would this all be fixed if I got real certs???

Thanks in advance for any insight.

edit retag flag offensive close merge delete

Comments

Oops, that was /etc/swift/proxy-swift.conf for the [filter:authtoken] stuff...

Stephanie Fuller gravatar imageStephanie Fuller ( 2015-07-15 17:07:45 -0600 )edit

Check 

$ pip install requests[security]

or 

$ pip install pyopenssl ndg-httpsclient pyasn1

For Ubuntu need dependency

$ apt-get install libffi-dev libssl-dev
sunnyarora gravatar imagesunnyarora ( 2015-07-15 18:53:10 -0600 )edit
add a comment

2 answers

Sort by ยป oldest newest most voted
1

answered 2015-07-15 20:58:22 -0600

nethawk gravatar image

You can look this page: http://docs.openstack.org/developer/k...

edit flag offensive delete link more

Comments

Thank you nethawk, I have already done what is outlined in the Certificates for PKI section of this page. I used keystone-manage to generate key/cert after configuring the paths & options in keystone.conf. I then put the keys in the wsgi_keystone.conf file under apache.

Stephanie Fuller gravatar imageStephanie Fuller ( 2015-07-16 16:27:41 -0600 )edit

I thought that the [ssl] section of keystone.conf was depricated along with eventlet. So, I did not put the keys from keystone-manage pki_setup there. The pink warning box where your like opens says "When running keystone in a web server... the options in this section have no effect."

Stephanie Fuller gravatar imageStephanie Fuller ( 2015-07-16 16:30:41 -0600 )edit

Is your keystone running in aparch? If it is not, you need configure the [ssl] section.

nethawk gravatar imagenethawk ( 2015-07-16 20:16:19 -0600 )edit

Hi,

I have just completed changing Keystone to SSL in RDO Kilo. I have documented this on my github page

https://github.com/compendius/openstack-rdo-kilo-ssl (https://github.com/compendius/opensta...)

I have used HAproxy for SSL termination as it simplifies things

compendius gravatar imagecompendius ( 2015-07-17 08:52:32 -0600 )edit

nethawk - I am going to assume you meant 'apache'. yes, If I understand the docs and have done it correctly, I am running keystone on apache. However, something does not work, so I have clearly NOT understood or done it correctly.

Stephanie Fuller gravatar imageStephanie Fuller ( 2015-07-17 09:08:38 -0600 )edit
see more comments
0

answered 2015-07-30 12:00:35 -0600

Stephanie Fuller gravatar image

In case anyone is interested...

So, my original question was how to change the endpoints in keystone. I had a problem because I had already turned on SSL with wsgi-keystone. So, I recall ??? that I turned SSLEngine off in apache in the wsgi-keystone file. I also realized I could use the token from original install. So I used the token to authenticate to openstack/keystone from the command line to delete/create endpoints. This involved editing /usr/share/keystone/keystone-dist-paste.ini to add admin_token_auth in [pipeline:public_api], [pipeline:admin_api] & [pipeline:api-v3].

edit flag offensive delete link more

Comments

Hi ... I am really interested in understanding how you were able to overcome this, I am also challenged by installing ssl into openstack swift. Can you give a brief overview of your final configuration? many thanks in advance :)

SyCode7 gravatar imageSyCode7 ( 2016-07-18 06:55:24 -0600 )edit
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

4 followers

subscribe to rss feed

Stats

Asked: 2015-07-15 16:49:56 -0600

Seen: 10,707 times

Last updated: Jul 30 '15

Related questions

Adding ssl to keystone API

Code question on domain config reloads

How to add more Keystone instances and deal with PKI infrastructure?

SSL configuration on mitaka

Glance, nova not working with keystone on SSL

Traceback: HTTP ERROR in Keystone kilo

cinder list error

Keystone through haproxy

Modify keystone id

Select a specific identity endpoint