Open Stack

We had this issue.  OS_CAcert doesn't do what you think it does.  If I remember correctly its for client certs or something of the like.  For us - we had to include the bundle of signing CA into the cert file. Our ssl config is like:

ca_certs=/path/to/your-ca-ssl-bundle.crt
certfile=/path/to/sslcert-withbundle-appeneded-to-the-end.crt
keystfile=/path/to/privatekeyforcert.key
cert_subject=
ca_key=

The your-ca-ssl-bundle.crt should come from your ssl cert provider and you should be able to find it publicly available.
You can create a bundle via: https://support.comodo.com/index.php?/Knowledgebase/Article/View/643/0/how-do-i-make-my-own-bundle-file-from-crt-files
____________________________________________

Kris Lindgren
Senior Linux Systems Engineer
GoDaddy, LLC.

From: Gui Maluf <guimalufb at gmail.com<mailto:guimalufb at gmail.com>>
Date: Tuesday, February 10, 2015 at 4:40 PM
To: "Kris G. Lindgren" <klindgren at godaddy.com<mailto:klindgren at godaddy.com>>
Cc: "openstack-operators at lists.openstack.org<mailto:openstack-operators at lists.openstack.org>" <openstack-operators at lists.openstack.org<mailto:openstack-operators at lists.openstack.org>>
Subject: Re: [Openstack-operators] Swift-Proxy + Keystone with HAProxy and SSL

Something wrong with my certificates and Keystone, cause changing to self-signed certificates everything is working.

On Tue, Feb 10, 2015 at 8:52 PM, Gui Maluf <guimalufb at gmail.com<mailto:guimalufb at gmail.com>> wrote:
http://paste.openstack.org/show/171017/

On Tue, Feb 10, 2015 at 8:33 PM, Kris G. Lindgren <klindgren at godaddy.com<mailto:klindgren at godaddy.com>> wrote:
Can you post your haproxy config file?
____________________________________________

Kris Lindgren
Senior Linux Systems Engineer
GoDaddy, LLC.


From: Gui Maluf <guimalufb at gmail.com<mailto:guimalufb at gmail.com>>
Date: Tuesday, February 10, 2015 at 3:25 PM
To: "openstack-operators at lists.openstack.org<mailto:openstack-operators at lists.openstack.org>" <openstack-operators at lists.openstack.org<mailto:openstack-operators at lists.openstack.org>>
Subject: [Openstack-operators] Swift-Proxy + Keystone with HAProxy and SSL

hey guy,
my production environment is down for two days and I can't fixit.

I had 3 keystone+swiftproxy nodes, balanced with DNS-RR and endpoints pointing to DNS; keystone running on 5000/35357 and swift on 443, both with self-signed certificate and native ssl;

Then I've changed the swiftproxy to run on port 8080, disable the native SSL, set up HAProxy(real LB with healthcheck and SSL passthrough) redirecting tcp connections to keystone/swiftproxy nodes and changed keystone endpoints pointing to HAProxy hostname with specific ports.

What is happening now: Using curl I can access keystone api with -k and passing --cacert, but with keystoneclient, even with OS_CACERT, I can't run any command without the --insecure flag

Authorization Failed: <attribute 'message' of 'exceptions.BaseException' objects> (HTTP Unable to establish connection to https

Swift just don't work neither through API or swiftclient.

Someone could help me please?
What else should I do to change swift-proxy port and to have a HAProxy pointing to that.?


thanks

--
guilherme \n
\t maluf



--
guilherme \n
\t maluf



--
guilherme \n
\t maluf
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20150211/ab6e88de/attachment.html>