swift stopped working after changing pki and enabling keystone ssl

asked 2015-07-23 03:50:41 -0600

deeghuge gravatar image

Hello, I was playing around swift with keystone v3 and pki. It was working fine. Swift stat was showing the correct output.

When I modified the setup little, keystone is running on ssl and pki keys are changed from previous configuration.

After change in configuration, I made required changes in proxy-server.conf but now i am getting following error with swift but the keystone is working file.

Authorization Failure. Authorization failed: Unable to establish connection to https://node:35357/v3/auth/tokens

Following error are seen in the logs in the logs of proxy server.

proxy-server: Using /tmp/keystone-signing-swift as cache directory for signing certificate
proxy-server: Authorization failed for token
proxy-server: Invalid user token - rejecting request

The authtoken section from proxy-server.conf

paste.filter_factory = keystonemiddleware.auth_token:filter_factory
admin_tenant_name = service
admin_user = swift
admin_password = password
signing_dir = /tmp/keystone-signing-swift
auth_host = node
auth_protocol = https
auth_port = 35357
insecure = false
cafile = /etc/keystone/ssl/certs/ssl_cacert.pem

I also tried deleting the /tmp/keystone-signing-swift and then restart proxy-service but no luck.

But one thing i noticed is after multiple restart /tmp/keystone-signing-swift is empty ? This is only when keystone is on ssl. With no ssl configuration there were 3 files ?

What i am missing here ?

Also i have few query about the swift to keystone connection ? 1. when swift contact the keystone ? 2. How to check if proxy-server is not able to contact keystone ? what happens if keystone is not reachable ? 3. When signing certificate are download by swift ? What is those are not downloaded ?

Thanks in advance.

edit retag flag offensive close merge delete


Juno or Kilo? It looks like Juno based on your [filter:authtoken]. kilo install guide has different options for [filter:authtoken] than are listed in kilo config-reference. Anyone want to commit to one of them??? Or admit to where the [filter:authtoken] ssl options are hiding?

Stephanie Fuller gravatar imageStephanie Fuller ( 2015-07-30 11:42:35 -0600 )edit

2 answers

Sort by ยป oldest newest most voted

answered 2015-07-28 08:24:59 -0600

deeghuge gravatar image

It was not working because of following two reasons

  1. auth_host in proxy-server.conf was not matching with the CN of ssl certificate
  2. Swift user did not had permission to read /etc/keystone/ssl/certs/ssl_cacert.pem.

I was not able to locate the issue because of limited logging. I am able to figure out the issue only when i added the manual logging into keystonemiddleware and keystoneclient.

Now swift is working with keystone(ssl) after fixing both the problems. :)

edit flag offensive delete link more

answered 2015-07-23 05:25:34 -0600

foexle gravatar image


  • Check if you can connect to Keystone from your Swift Proxy
  • Check if the Keystone service is running correctly
  • Check if your Keystone endpoint is correct (https)

Cheers Heiko

edit flag offensive delete link more


Thanks for reply, Keystone and proxy are running on same server. Keystone service is running and endpoint are configured correctly

  | public    | https://node:5000/v3   
  | internal  | https://node:35357/v3 
  | admin     | https://node:35357/v3

Swift's endpoint are http only.

deeghuge gravatar imagedeeghuge ( 2015-07-23 06:44:04 -0600 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2015-07-23 03:50:41 -0600

Seen: 434 times

Last updated: Jul 28 '15