Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

rdo ssl issue: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I've installed from RDO.

When I try to run swift list

    $ swift list 
Account GET failed: https://192.168.100.30/v1/AUTH_9eaf98abb5254492b0acedcc6585d4f0?format=json
     401 Unauthorized  [first 60 chars ofresponse] <html><h1>Unauthorized</h1><p>This server could not verify t

On the swift proxy I get:

Apr  7 16:08:09 swift-proxy-01 proxy-server: Retrying on HTTP connection exception: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr  7 16:08:10 swift-proxy-01 proxy-server: Retrying on HTTP connection exception: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr  7 16:08:11 swift-proxy-01 proxy-server: Retrying on HTTP connection exception: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr  7 16:08:13 swift-proxy-01 proxy-server: HTTP connection exception: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr  7 16:08:13 swift-proxy-01 proxy-server: Authorization failed for token 656cdba006064507927452b6c0430f8f
Apr  7 16:08:13 swift-proxy-01 proxy-server: Invalid user token - deferring reject downstream

Is it a problem with how keystone-manage ssl_setup works in the RDO version maybe?

rdo ssl issue: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I've installed from RDO.

When I try to run swift list

    $ swift list 
Account GET failed: https://192.168.100.30/v1/AUTH_9eaf98abb5254492b0acedcc6585d4f0?format=json
     401 Unauthorized  [first 60 chars ofresponse] <html><h1>Unauthorized</h1><p>This server could not verify t

On the swift proxy I get:

Apr  7 16:08:09 swift-proxy-01 proxy-server: Retrying on HTTP connection exception: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr  7 16:08:10 swift-proxy-01 proxy-server: Retrying on HTTP connection exception: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr  7 16:08:11 swift-proxy-01 proxy-server: Retrying on HTTP connection exception: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr  7 16:08:13 swift-proxy-01 proxy-server: HTTP connection exception: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr  7 16:08:13 swift-proxy-01 proxy-server: Authorization failed for token 656cdba006064507927452b6c0430f8f
Apr  7 16:08:13 swift-proxy-01 proxy-server: Invalid user token - deferring reject downstream

Is it a problem with how keystone-manage ssl_setup works in the RDO version maybe?

UPDATE:

(this is a test system so showing tokens is ok)

If I take the cacert from the keystone server and put it onto the proxy server and use that with keystone, keystone is Ok without the --insecure.

Seems like I have to tell swift-proxy to allow insecure certs?

[root@swift-proxy-01 swift]# keystone --os-cacert ~/ca.pem token-get
+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
|  expires  |       2014-04-10T22:37:27Z       |
|     id    | ef6e4e7930754188af35d8350ac85a23 |
| tenant_id | 9eaf98abb5254492b0acedcc6585d4f0 |
|  user_id  | 4b5abb3a1e9a423a921903a15d47f3ad |
+-----------+----------------------------------+
[root@swift-proxy-01 swift]# keystone token-get
Authorization Failed: Unable to establish connection to https://192.168.100.50:35357/v2.0/tokens