Ask Your Question
0

how to change keystone endpoint URLs to https

asked 2015-07-15 16:49:56 -0500

Stephanie Fuller gravatar image

updated 2015-07-15 18:38:55 -0500

sunnyarora gravatar image

I am running openstack/keystone/swift on centos 7. I am adding ssl to openstack/keystone/swift.

I edited /etc/keystone/keystone.conf [signing] section to include parameters for generating key & certs with 'keystone-manage pki_setup'.

I generated key & certs and added them to /etc/httpd/conf.d/wsgi-keystone.conf, ports 5000 & 35357.

I installed mod_ssl to apache and used openssl to make certs for port 443. Not quite sure that was necessary???

I edited /etc/keystone/proxy-swift.conf to change the [filter:authtoken] section to have auth_uri & auth_url be https://<ip>:port, and I added 'insecure = True'

The one thing I have not been able to change is the endpoints in keystone.

When I hit the IP:ports in Firefox, after accepting the untrusted certificate, I get OK.

But when I try to use openstack command, I get InsecurePlatformWarning as follows:

(openstack) user list
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
WARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
ERROR: openstack SSL exception connecting to https://controller:35357/v3/auth/tokens: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Following is the environment I set:

[root@swift ~]# cat admins-openrc.sh 
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=**************
export OS_AUTH_URL=https://controller:35357/v3

I followed the suggestion in urllib3... to upgrade to python from 2.7.5 to 2.7.9, (download source, make, make install, then changed the link in /usr/bin/python to point to python 2.7.9 - breaks openstack-swift-proxy service)

So, what have I overlooked? How can I get the endpoints changed in keystone? Does 'insecure = True' even do anything in swift-proxy? Would this all be fixed if I got real certs???

Thanks in advance for any insight.

edit retag flag offensive close merge delete

Comments

Oops, that was /etc/swift/proxy-swift.conf for the [filter:authtoken] stuff...

Stephanie Fuller gravatar imageStephanie Fuller ( 2015-07-15 17:07:45 -0500 )edit

Check 

$ pip install requests[security]

or 

$ pip install pyopenssl ndg-httpsclient pyasn1

For Ubuntu need dependency

$ apt-get install libffi-dev libssl-dev
sunnyarora gravatar imagesunnyarora ( 2015-07-15 18:53:10 -0500 )edit
add a comment

2 answers

Sort by ยป oldest newest most voted
1

answered 2015-07-15 20:58:22 -0500

nethawk gravatar image

You can look this page: http://docs.openstack.org/developer/k...

edit flag offensive delete link more

Comments

Thank you nethawk, I have already done what is outlined in the Certificates for PKI section of this page. I used keystone-manage to generate key/cert after configuring the paths & options in keystone.conf. I then put the keys in the wsgi_keystone.conf file under apache.

Stephanie Fuller gravatar imageStephanie Fuller ( 2015-07-16 16:27:41 -0500 )edit

I thought that the [ssl] section of keystone.conf was depricated along with eventlet. So, I did not put the keys from keystone-manage pki_setup there. The pink warning box where your like opens says "When running keystone in a web server... the options in this section have no effect."

Stephanie Fuller gravatar imageStephanie Fuller ( 2015-07-16 16:30:41 -0500 )edit

Is your keystone running in aparch? If it is not, you need configure the [ssl] section.

nethawk gravatar imagenethawk ( 2015-07-16 20:16:19 -0500 )edit

Hi,

I have just completed changing Keystone to SSL in RDO Kilo. I have documented this on my github page

https://github.com/compendius/openstack-rdo-kilo-ssl (https://github.com/compendius/opensta...)

I have used HAproxy for SSL termination as it simplifies things

compendius gravatar imagecompendius ( 2015-07-17 08:52:32 -0500 )edit

nethawk - I am going to assume you meant 'apache'. yes, If I understand the docs and have done it correctly, I am running keystone on apache. However, something does not work, so I have clearly NOT understood or done it correctly.

Stephanie Fuller gravatar imageStephanie Fuller ( 2015-07-17 09:08:38 -0500 )edit
see more comments
0

answered 2015-07-30 12:00:35 -0500

Stephanie Fuller gravatar image

In case anyone is interested...

So, my original question was how to change the endpoints in keystone. I had a problem because I had already turned on SSL with wsgi-keystone. So, I recall ??? that I turned SSLEngine off in apache in the wsgi-keystone file. I also realized I could use the token from original install. So I used the token to authenticate to openstack/keystone from the command line to delete/create endpoints. This involved editing /usr/share/keystone/keystone-dist-paste.ini to add admin_token_auth in [pipeline:public_api], [pipeline:admin_api] & [pipeline:api-v3].

edit flag offensive delete link more

Comments

Hi ... I am really interested in understanding how you were able to overcome this, I am also challenged by installing ssl into openstack swift. Can you give a brief overview of your final configuration? many thanks in advance :)

SyCode7 gravatar imageSyCode7 ( 2016-07-18 06:55:24 -0500 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

4 followers

subscribe to rss feed

Stats

Asked: 2015-07-15 16:49:56 -0500

Seen: 10,203 times

Last updated: Jul 30 '15

Related questions

keystone ssl error

Got an error during installation of Kilo " error in setup command: Error parsing /opt/stack/keystone/setup.cfg: ImportError: No module named testrepository"

How to setup Keystone with Https

Horizon throws unauthorized 403 error for cloud admin in domain setup

Keystone - Unable to establish connection

Change keystone token backend from SQL to memcached

Domain admin can access entities out of scope

dashboard authentication problem [closed]

keystone HTTP 500 error

How to Add multiple ip inside allowed-address-pairs