
Glance with SSL: sslv3 alert handshake failure

asked 2015-08-01 04:19:20 -0600

Black-Pixel

Hi, I'm currently trying to reconfigure a working OpenStack test environment that I've set up using the OpenStack Guide for Ubuntu 14.04 [1]. I want each service to use SSL so the traffic between the nodes is encrypted. Keystone already works using SSL (tested using keystone --insecure endpoint-list). I've used keystone-manage ssl_setup to generate the certs and keys. For now I want to use the same certs and keys for every service. Unfortunately I'm getting the following error with glance:

curl https://ControllerNode.sdn:9292 -k
curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

glance --insecure --debug image-list
curl -i -X GET -H 'User-Agent: python-glanceclient' -H 'Content-Type: application/octet-stream' -H 'Accept-Encoding: gzip, deflate' -H 'Accept: */*' -H 'X-Auth-Token: ***' -k --cert None --key None https://ControllerNode.sdn:9292/v1/images/detail?sort_key=name&sort_dir=asc&limit=20
Error finding address for https://ControllerNode.sdn:9292/v1/images/detail?sort_key=name&sort_dir=asc&limit=20: [Errno 1] _ssl.c:510: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

glance-api.conf

...
cert_file = /etc/glance/ssl/certs/keystone.pem
key_file = /etc/glance/ssl/private/keystonekey.pem
ca_file = /etc/glance/ssl/certs/ca.pem
...
registry_client_protocol = https
registry_client_key_file = /etc/glance/ssl/private/keystonekey.pem
registry_client_cert_file = /etc/glance/ssl/certs/keystone.pem
registry_client_ca_file = /etc/glance/ssl/certs/ca.pem
registry_client_insecure = True
...

glance-registry.conf

cert_file = /etc/glance/ssl/certs/keystone.pem
key_file = /etc/glance/ssl/private/keystonekey.pem
ca_file = /etc/glance/ssl/certs/ca.pem

Does anyone happen to know what the problem could be in this case? I'm assuming it is a Glance related problem because Keystone seems to work fine.

Python 2.7.6
curl 7.35.0

[1] http://docs.openstack.org/juno/install-guide/install/apt/content/ch_preface.html


Comments

I'm experiencing the same error when converting my endpoints to ssl. keystone seems to work ok, but glance, nova, cinder, etc all get this error. Uggh

jkilborn ( 2015-11-17 14:01:13 -0600 )

glance image-list Error finding address for https://hostname.domain.com:9292/versions: bad handshake: Error([('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert handshake failure')],)

jkilborn ( 2015-11-17 14:01:30 -0600 )

1 answer


answered 2015-11-23 07:09:12 -0600

jkilborn

Try commenting out the ca_file = /etc/glance/ssl/certs/ca.pem line from the glance-api.conf. Having the ca_file line in the config means it will try to do client certificate validation. You likely don't want this. You just want the server to provide a certificate to the client.

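A small configuration check for the settings discussed in this thread, added here as an example and not part of the original posts or of Glance itself. It takes from the answer above the assumption that a set ca_file makes the server demand a client certificate; the function name and finding codes are hypothetical, and the sample config is constructed from the options quoted in the question.

```python
import configparser

# Constructed sample: the glance-api.conf options quoted in the question.
SAMPLE_API_CONF = """\
[DEFAULT]
cert_file = /etc/glance/ssl/certs/keystone.pem
key_file = /etc/glance/ssl/private/keystonekey.pem
ca_file = /etc/glance/ssl/certs/ca.pem
registry_client_protocol = https
registry_client_key_file = /etc/glance/ssl/private/keystonekey.pem
registry_client_insecure = True
"""

def _defaults(conf_text):
    """Parse conf_text; fragments without a section header are read as [DEFAULT]."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(conf_text)
    except configparser.MissingSectionHeaderError:
        parser = configparser.ConfigParser(interpolation=None, strict=False)
        parser.read_string("[DEFAULT]\n" + conf_text)
    return parser.defaults()

def audit_glance_tls(conf_text):
    """Return {code: message} for TLS settings worth a second look (hypothetical codes)."""
    opts = _defaults(conf_text)
    findings = {}
    has_cert, has_key = bool(opts.get("cert_file")), bool(opts.get("key_file"))
    if has_cert != has_key:
        findings["TLS_INCOMPLETE"] = "cert_file and key_file must both be set"
    # Assumption taken from the answer above: a set ca_file makes the server
    # demand a client certificate during the handshake.
    if has_cert and has_key and opts.get("ca_file"):
        findings["CLIENT_CERT_REQUIRED"] = (
            "ca_file is set: clients that send no certificate "
            "(curl -k, glance --insecure) fail the handshake")
    insecure = opts.get("registry_client_insecure", "").strip().lower()
    if insecure in ("true", "1", "yes", "on"):
        findings["REGISTRY_UNVERIFIED"] = (
            "registry_client_insecure = True: the registry's certificate is not validated")
    key = opts.get("key_file")
    if key and key == opts.get("registry_client_key_file"):
        findings["SHARED_PRIVATE_KEY"] = "server and registry client use the same private key"
    return findings

if __name__ == "__main__":
    for code, message in audit_glance_tls(SAMPLE_API_CONF).items():
        print(code + ": " + message)
```

On the sample it reports the client-certificate requirement behind the handshake failure, the unverified registry connection, and the private key shared between roles.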


Stats

Asked: 2015-08-01 04:18:37 -0600

Seen: 1,822 times

Last updated: Nov 23 '15