[openstack-dev] Nova SSL Apache2 Question

Jesse Pretorius jesse.pretorius at gmail.com
Thu Nov 14 08:42:51 UTC 2013

On 13 November 2013 23:39, Miller, Mark M (EB SW Cloud - R&D - Corvallis) <
mark.m.miller at hp.com> wrote:

> I finally found a set of web pages that has a working set of configuration
> files for the major OpenStack services "
> http://andymc-stack.co.uk/2013/07/apache2-mod_wsgi-openstack-pt-2-nova-api-os-compute-nova-api-ec2/" by Andy Mc. I skipped ceilometer and have the rest of the services
> working except quantum with self-signed certificates on a Grizzly-3
> OpenStack instance. Now I am stuck trying to figure out how to get quantum
> to accept self-signed certificates.
> My goal is to harden my Grizzly-3 OpenStack instance using SSL and
> self-signed certificates. Later I will do the same for Havana bits and use
> real/valid certificates.
I struggled with getting this all to work correctly for a few weeks, then
eventually gave up and opted instead to use an Apache reverse proxy to
front-end the native services. I just found that using an Apache/wsgi
configuration doesn't completely work. It would certainly help if this
configuration was implemented into the Openstack testing regime to help all
the services become first-class citizens as a wsgi process behind Apache.

I would suggest that you review the wsgi files and vhost templates in the
rcbops chef cookbooks for each service. They include my updates to Andy's
original blog items to make things work properly.

I found that while Andy's stuff appears to work, it becomes noticeable that
it works in a read-only fashion. I managed to get keystone/nova confirmed
to work properly, but glance just would not work - I could never upload any
images and if caching/management was turned off in the glance service then
downloading images didn't work either.

Good luck - if you do get a fully working config it'd be great to get
feedback on the adjustments you had to make to get it working.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20131114/1cd69894/attachment.html>

More information about the OpenStack-dev mailing list