Issue when using PKI for token format

Hi,

I'm working under CentOS 6.4 + Havana, my keystone version is:

    openstack-keystone.noarch 2013.2.2-1.el6 @openstack-havana

When I run the command "keystone user-list", I get an error:

    Authorization Failed: Unable to sign token. (HTTP 500)

I can see the error information in both "keystone-startup.log" and "keystone.log":

    2014-03-06 09:31:29.999 18693 ERROR keystone.common.cms [-] Signing error: Unable to load certificate - ensure you've configured PKI with 'keystone-manage pki_setup'
    2014-03-06 09:31:29.999 18693 ERROR keystone.token.providers.pki [-] Unable to sign token
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki Traceback (most recent call last):
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/token/providers/pki.py", line 39, in _get_token_id
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki CONF.signing.keyfile)
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 144, in cms_sign_token
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki output = cms_sign_text(text, signing_cert_file_name, signing_key_file_name)
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 139, in cms_sign_text
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki raise environment.subprocess.CalledProcessError(retcode, "openssl")
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki CalledProcessError: Command 'openssl' returned non-zero exit status 3
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki
    2014-03-06 09:31:30.000 18693 WARNING keystone.common.wsgi [-] Unable to sign token.

Does anyone know why this happened?

Thanks.

-chen

My /etc/keystone/keystone.conf :

    [DEFAULT]
    [sql]
    connection = mysql://keystone:keystone@host-db/keystone
    [identity]
    [credential]
    [trust]
    [os_inherit]
    [catalog]
    driver = keystone.catalog.backends.sql.Catalog
    [endpoint_filter]
    [token]
    driver = keystone.token.backends.memcache.Token
    [cache]
    [policy]
    [ec2]
    [assignment]
    [oauth1]
    [ssl]
    [signing]
    [ldap]
    [auth]
    methods = external,password,token,oauth1
    password = keystone.auth.plugins.password.Password
    token = keystone.auth.plugins.token.Token
    oauth1 = keystone.auth.plugins.oauth1.OAuth
    [paste_deploy]
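
A way to check what the "Unable to load certificate" log line points at, added here as an example and not part of the original post or keystone's own code: it resolves the `[signing]` paths from a keystone.conf like the one posted (where that section is empty) and reports certificate or key files a signer could not load. The default paths in `SIGNING_DEFAULTS` and the function names are assumptions; confirm the defaults against your release.

```python
import configparser
import os

# Assumed Havana-era defaults for the [signing] options (not taken from the post).
SIGNING_DEFAULTS = {
    "certfile": "/etc/keystone/ssl/certs/signing_cert.pem",
    "keyfile": "/etc/keystone/ssl/private/signing_key.pem",
    "ca_certs": "/etc/keystone/ssl/certs/ca.pem",
}


def resolve_signing_paths(conf_text, defaults=SIGNING_DEFAULTS):
    """Return the effective cert/key/CA paths for a keystone.conf body."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    paths = dict(defaults)
    if parser.has_section("signing"):
        for opt in defaults:
            # An empty [signing] section leaves every default in place.
            if parser.has_option("signing", opt):
                paths[opt] = parser.get("signing", opt)
    return paths


def check_signing_files(paths):
    """Return (option, path, problem) tuples for files the signer cannot use."""
    problems = []
    for opt, path in sorted(paths.items()):
        if not os.path.isfile(path):
            problems.append((opt, path, "missing"))
        elif not os.access(path, os.R_OK):
            problems.append((opt, path, "not readable by this user"))
        elif os.path.getsize(path) == 0:
            problems.append((opt, path, "empty"))
        elif opt == "keyfile" and os.stat(path).st_mode & 0o004:
            problems.append((opt, path, "world-readable private key"))
    return problems


if __name__ == "__main__":
    with open("/etc/keystone/keystone.conf") as fh:
        effective = resolve_signing_paths(fh.read())
    for opt, path, problem in check_signing_files(effective):
        print("%s = %s: %s" % (opt, path, problem))
```

Run it as the account the keystone service runs under, because the readability check applies to the current user and root can read everything.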