keystone, cert_required and nova

I'm trying to configure Keystone in my OpenStack setup to use SSL. I'm currently playing with the cert_required flag in keystone.conf:

[ssl]
enable = True
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
cert_required = True

Unfortunately, if it's set to True, I'm unable to connect to nova using its CLI client:

SSLError: [Errno 1] _ssl.c:504: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

In the keystone CLI client I can specify the --os-key and --os-cert options to do a proper SSL handshake, and then it works. These options are missing in the nova CLI client. How can I use the cert_required option with nova? Maybe the option is prepared to be used in other scenarios?