Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

keystone-admin-vip/1: SSL handshake failure

Hi,

I am having a heck of a time trouble shooting a problem I am having with my glance and cinder services on my controller nodes.

When I execute ...

# source openrc
# openstack-status

... I get this output ...

    == Glance services ==
    openstack-glance-api:                   active
    openstack-glance-registry:              active
    == Keystone service ==
    openstack-keystone:                     active    (disabled on boot)
    == neutron services ==
    neutron-server:                         inactive  (disabled on boot)
    neutron-dhcp-agent:                     inactive  (disabled on boot)
    neutron-l3-agent:                       inactive  (disabled on boot)
    neutron-metadata-agent:                 inactive  (disabled on boot)
    neutron-lbaas-agent:                    inactive  (disabled on boot)
    == Cinder services ==
    openstack-cinder-api:                   active
    openstack-cinder-scheduler:             active
    openstack-cinder-volume:                active
    openstack-cinder-backup:                active
    == Support services ==
    mysqld:                                 inactive  (disabled on boot)
    dbus:                                   active
    target:                                 inactive  (disabled on boot)
    memcached:                              active
    == Keystone users ==
    +----------------------------------+------------+---------+--------------------+
    |                id                |    name    | enabled |       email        |
    +----------------------------------+------------+---------+--------------------+
    | bx055dx4eb3640x38cx667c6eef82e8d |   admin    |   True  | keystone@example.com |
    | x7e6f0981e8b4431x74149e0421c3c5e | ceilometer |   True  | keystone@example.com |
    | c519fed3cd1443a18de0b006eab4xb7e |   cinder   |   True  | keystone@example.com |
    | 4bxd6c54cfe849148e8c1614415x664d |   glance   |   True  | keystone@example.com |
    | 2dx96c5164074d99916b59b7b6be9658 |    heat    |   True  | keystone@example.com |
    | 265d50582fdc4x5ex4160040f1e598ab |  neutron   |   True  | keystone@example.com |
    | 4ccb96df211141d795207eexe78fe55b |    nova    |   True  | keystone@example.com |
    +----------------------------------+------------+---------+--------------------+
    == Glance images ==
    Unable to establish connection to http://my-ost-rhel7.example.com:35357/v2.0/tokens

... and on my haproxy server's /var/log/messages I see this ...

... keystone-admin-vip/1: SSL handshake failure

Also, I have noted the http in the response Unable to establish connection to http://my-ost-rhel7.example.com:35357/v2.0/tokens but I have throughly checked my config files on the haproxy and on the controller nodes and we are using https anywhere a protocol is asked for. But who knows maybe I missed one.

I have even done this ...

# curl -k https://my-ost-rhel7.example.com:35357/v2.0 ; echo
{"version": {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}, {"base": "application/xml", "type": "application/vnd.openstack.identity-v2.0+xml"}], "id": "v2.0", "links": [{"href": "http://my-ost-rhel7.example.com:35357/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}}

... note the links bit of the json comes back with http and not https.

Does anyone know what would cause the keystone-admin-vip/1: SSL handshake failure error? I have googled and asked co-workers and nobody knows what is causing this?

keystone-admin-vip/1: SSL handshake failure

Hi,

I am having a heck of a time trouble shooting a problem I am having with my glance and cinder services on my controller nodes.

When I execute ...

# source openrc
# openstack-status

... I get this output ...

    == Glance services ==
    openstack-glance-api:                   active
    openstack-glance-registry:              active
    == Keystone service ==
    openstack-keystone:                     active    (disabled on boot)
    == neutron services ==
    neutron-server:                         inactive  (disabled on boot)
    neutron-dhcp-agent:                     inactive  (disabled on boot)
    neutron-l3-agent:                       inactive  (disabled on boot)
    neutron-metadata-agent:                 inactive  (disabled on boot)
    neutron-lbaas-agent:                    inactive  (disabled on boot)
    == Cinder services ==
    openstack-cinder-api:                   active
    openstack-cinder-scheduler:             active
    openstack-cinder-volume:                active
    openstack-cinder-backup:                active
    == Support services ==
    mysqld:                                 inactive  (disabled on boot)
    dbus:                                   active
    target:                                 inactive  (disabled on boot)
    memcached:                              active
    == Keystone users ==
    +----------------------------------+------------+---------+--------------------+
    |                id                |    name    | enabled |       email        |
    +----------------------------------+------------+---------+--------------------+
    | bx055dx4eb3640x38cx667c6eef82e8d |   admin    |   True  | keystone@example.com |
    | x7e6f0981e8b4431x74149e0421c3c5e | ceilometer |   True  | keystone@example.com |
    | c519fed3cd1443a18de0b006eab4xb7e |   cinder   |   True  | keystone@example.com |
    | 4bxd6c54cfe849148e8c1614415x664d |   glance   |   True  | keystone@example.com |
    | 2dx96c5164074d99916b59b7b6be9658 |    heat    |   True  | keystone@example.com |
    | 265d50582fdc4x5ex4160040f1e598ab |  neutron   |   True  | keystone@example.com |
    | 4ccb96df211141d795207eexe78fe55b |    nova    |   True  | keystone@example.com |
    +----------------------------------+------------+---------+--------------------+
    == Glance images ==
    Unable to establish connection to http://my-ost-rhel7.example.com:35357/v2.0/tokens

... and on my haproxy server's /var/log/messages I see this ...

... keystone-admin-vip/1: SSL handshake failure

Also, I have noted the http in the response Unable to establish connection to http://my-ost-rhel7.example.com:35357/v2.0/tokens but I have throughly checked my config files on the haproxy and on the controller nodes and we are using https anywhere a protocol is asked for. But who knows maybe I missed one.

I have even done this ...

# curl -k https://my-ost-rhel7.example.com:35357/v2.0 ; echo
{"version": {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}, {"base": "application/xml", "type": "application/vnd.openstack.identity-v2.0+xml"}], "id": "v2.0", "links": [{"href": "http://my-ost-rhel7.example.com:35357/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}}

... note the links bit of the json comes back with http and not https.

Does anyone know what would cause the keystone-admin-vip/1: SSL handshake failure error? I have googled and asked co-workers and nobody knows what is causing this?

Update:

Here's the output (shortened for readability) keystone endpoint-list:

----------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------+
                     publicurl                      |                     internalurl                     |                       adminurl                      |            
----------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------+
         https://my-ost-rhel7.example.com:9292         |          https://my-ost-rhel7.example.com:9292         |          https://my-ost-rhel7.example.com:9292
         https://my-ost-rhel7.example.com:8777         |          https://my-ost-rhel7.example.com:8777         |          https://my-ost-rhel7.example.com:8777
 http://my-ost-rhel7.example.com:8004/v1/%(tenant_id)s |  http://my-ost-rhel7.example.com:8004/v1/%(tenant_id)s |  http://my-ost-rhel7.example.com:8004/v1/%(tenant_id)s
    https://my-ost-cloud-rhel7.example.com/swift/v1    |     https://my-ost-cloud-rhel7.example.com/swift/v1    |     https://my-ost-cloud-rhel7.example.com/swift/v1
https://my-ost-rhel7.example.com:8774/v2/$(tenant_id)s | https://my-ost-rhel7.example.com:8774/v2/$(tenant_id)s | https://my-ost-rhel7.example.com:8774/v2/$(tenant_id)s
      https://my-ost-rhel7.example.com:5000/v2.0       |       https://my-ost-rhel7.example.com:5000/v2.0       |       https://my-ost-rhel7.example.com:35357/v2.0
         https://my-ost-rhel7.example.com:9696         |          https://my-ost-rhel7.example.com:9696         |          https://my-ost-rhel7.example.com:9696
https://my-ost-rhel7.example.com:8776/v1/$(tenant_id)s | https://my-ost-rhel7.example.com:8776/v1/$(tenant_id)s | https://my-ost-rhel7.example.com:8776/v1/$(tenant_id)s