[Openstack-operators] How to configure keystone to use SSL

Leslie-Alexandre DENIS contact at ladenis.fr
Thu Sep 22 13:46:04 UTC 2016


Hints to start with:

* https://mozilla.github.io/server-side-tls/ssl-config-generator/
* https://www.ssllabs.com/ssltest/
* https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

You definitely need to set up the WSGI as, yes, eventlet is 
deprecated. Enjoy your TLS setup :)

Bye.

On 22/09/2016 15:16, Mohammed Naser wrote:
> I'm fairly sure the parameters under [ssl] are only for using the
> deprecated eventlet server.  You'll need to add your SSL configuration
> to the Apache VirtualHost in order to be able to get access to SSL
> 
> Good luck!
> 
> On Wed, Sep 21, 2016 at 11:14 PM, zhangjian
> <zhangjian2011 at cn.fujitsu.com> wrote:
>> Hi, all
>> 
>> 
>> I have a mitaka environment created by packstack, and I tried to configure
>> the keystone to use ssl, but failed, can anyone help me?
>> # keystone is a wsgi service now.
>> 
>> 
>> Configure steps are as following:
>> ===============
>> # keystone-manage ssl_setup --keystone-user keystone --keystone-group
>> keystone
>> # chown -R keystone:keystone /etc/keystone/ssl
>> # keystone endpoint-create --service keystone --region RegionOne \
>>     --publicurl https://{FQDN}:5000/v2.0 \
>>     --internalurl https://{FQDN}:5000/v2.0 \
>>     --adminurl https://{FQDN}:35357/v2.0
>> # cat /etc/keystone/keystone.conf
>>   ... ...
>>   [ssl]
>>   enable=True
>>   certfile = /etc/keystone/ssl/certs/keystone.pem
>>   keyfile = /etc/keystone/ssl/private/keystonekey.pem
>>   ca_certs = /etc/keystone/ssl/certs/ca.pem
>>   ca_key = /etc/keystone/ssl/private/cakey.pem
>> 
>> # cat keystonerc_admin
>> ... ...
>> export OS_AUTH_URL=https://FQDN:5000/v2.0
>> 
>> 
>> # keystone endpoint-delete Old_Endpoint_For_Keystone
>> Unable to delete endpoint.
>> 
>> 
>> # systemctl restart httpd
>> # source keystonerc_admin
>> 
>> # openstack project list
>> Discovering versions from the identity service failed when creating the
>> password plugin. Attempting to determine version from URL.
>> SSL exception connecting to https://FQDN:5000/v2.0/tokens: [SSL:
>> UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:765)
>> ===============
>> 
>> Regards,
>> Kenn
>> 
>> _______________________________________________
>> OpenStack-operators mailing list
>> OpenStack-operators at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>> 
> 
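Added example (not part of the thread above, and not Keystone or packstack code): a small Python 3 probe that reproduces the failure Kenn hit and tells the two possible causes apart. Under mod_wsgi the [ssl] section of keystone.conf is never read, so httpd keeps serving plain HTTP on 5000 and 35357 while the client, told the URL is https://, sends a TLS ClientHello; Apache answers it with an HTTP error line, and OpenSSL reports that as UNKNOWN_PROTOCOL (newer builds say "wrong version number"). The probe first attempts a TLS handshake with verification switched off, and if that fails at the protocol level it sends a plain HTTP request to see whether the port is cleartext. The loopback listener at the bottom is a constructed stand-in for a non-TLS Apache vhost so the script runs offline; the advice strings are my wording, not output of any OpenStack tool.

```python
"""Tell a TLS listener from a cleartext one (added example, not from the thread).

Python 3.7+, standard library only. The ADVICE text and the fixture server
are this example's own, not output of Keystone, packstack or httpd.
"""
import socket
import ssl
import threading

# Diagnostic-only context: verification is off so a listener with a
# self-signed or untrusted certificate still reports "tls". Never use a
# context like this for real API calls.
_PROBE_CTX = ssl.create_default_context()
_PROBE_CTX.check_hostname = False
_PROBE_CTX.verify_mode = ssl.CERT_NONE

ADVICE = {  # my wording, keyed by probe result
    "plaintext": "Port serves cleartext HTTP: under mod_wsgi the [ssl] section of "
                 "keystone.conf is ignored, so enable TLS in the Apache VirtualHost "
                 "for this port (SSLEngine on, SSLCertificateFile, SSLCertificateKeyFile).",
    "tls": "Port speaks TLS; if clients still fail, fix trust on the client side "
           "(OS_CACERT / --os-cacert), not the listener.",
    "closed": "Nothing is listening on this port; check that httpd is running and bound to it.",
    "unknown": "Listener answered neither TLS nor HTTP; look at it with openssl s_client.",
}


def probe_listener(host, port, timeout=3.0):
    """Return "tls", "plaintext", "closed" or "unknown" for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # A cleartext server answers the ClientHello with an HTTP error
            # line; OpenSSL then raises SSLError (UNKNOWN_PROTOCOL on older
            # builds, "wrong version number" on newer ones).
            with _PROBE_CTX.wrap_socket(raw, server_hostname=host):
                return "tls"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        pass  # ssl.SSLError is an OSError; this also covers resets and timeouts

    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            banner = raw.recv(16)
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "unknown"
    return "plaintext" if banner.startswith(b"HTTP/") else "unknown"


def diagnose(host, port):
    """Probe host:port and return (result, advice)."""
    result = probe_listener(host, port)
    return result, ADVICE[result]


def start_plaintext_http_server(host="127.0.0.1"):
    """Constructed fixture: a loopback listener that answers any bytes with an
    HTTP 400, the way a non-TLS Apache vhost reacts to a TLS ClientHello.
    Returns (listening socket, port); pass the socket to stop_server()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener shut down
            with conn:
                try:
                    conn.recv(4096)
                    conn.sendall(b"HTTP/1.0 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def stop_server(srv):
    """shutdown() wakes the thread blocked in accept(); close() alone would not."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


def unused_loopback_port():
    """Bind an ephemeral port and release it, so probing it yields "closed"."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, port = start_plaintext_http_server()
    print("http-only listener:", diagnose("127.0.0.1", port))
    stop_server(srv)
    print("no listener:       ", diagnose("127.0.0.1", unused_loopback_port()))
```

Against a real deployment, run probe_listener("FQDN", 5000) and probe_listener("FQDN", 35357). A result of "plaintext" means the change belongs in the httpd VirtualHost that listens on that port (with packstack that is typically a keystone vhost file under /etc/httpd/conf.d/; the file name varies by release, so check which vhost binds 5000 before editing), not in keystone.conf. A result of "tls" with a client that still fails means the client does not trust the CA: set OS_CACERT, or pass --os-cacert, to the ca.pem that keystone-manage ssl_setup wrote.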