<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Hi Bjorn,<br>
    thanks for the suggestion. It still doesn't work, but I've found the
    reason.<br>
    First of all, I do not need the end user to communicate with the
    services glance/nova/neutron/cinder with SSL; I just need the
    services themselves to listen on plain HTTP. What I need is that the
    services can talk to Keystone/SSL (so SSL activated only for the
    Keystone component).<br>
    What was missing was the parameter:<br>
    <br>
    neutron_ca_certificates_file =
    /etc/grid-security/certificates/INFN-CA-2006.pem<br>
    <br>
    Cheers,<br>
    <br>
        A.<br>
    <br>
    <div class="moz-cite-prefix">On 05/29/2014 12:23 PM, Björn Hagemeier
      wrote:<br>
    </div>
    <blockquote cite="mid:53870A84.4050909@fz-juelich.de" type="cite">Hi
      Alvise,
      <br>
      <br>
      On 29.05.2014 09:07, Alvise Dorigo wrote :
      <br>
      <blockquote type="cite">
        <br>
        On 28 May 2014, at 19:38, gustavo panizzo <gfa> wrote:
        <br>
        <br>
        <blockquote type="cite">On 05/28/2014 02:27 PM, Alvise Dorigo
          wrote:
          <br>
          <br>
          <blockquote type="cite">2014-05-28 19:24:35.696 10673 TRACE
            nova.compute.manager   File
            "/usr/lib/python2.6/site-packages/neutronclient/client.py",
            line 148, in _cs_request
            <br>
            2014-05-28 19:24:35.696 10673 TRACE nova.compute.manager    
            raise exceptions.SslCertificateValidationError(reason=e)
            <br>
            2014-05-28 19:24:35.696 10673 TRACE nova.compute.manager
            SslCertificateValidationError: SSL certificate validation
            has failed: [Errno 1] _ssl.c:492: error:14090086:SSL
            routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
            failed
            <br>
            2014-05-28 19:24:35.696 10673 TRACE nova.compute.manager
            <br>
          </blockquote>
          <br>
          Is your CA certificate imported? Do you 'trust' your nova
          cert? In
          <br>
          Debian that would mean adding it to /etc/ssl/certs
          <br>
          <br>
        </blockquote>
        <br>
        Hi Gustavo,
        <br>
        I’ve copied my CA cert.pem in that directory (I’m running on
        CentOS 6.5), but it doesn’t seem to cure the problem.
        <br>
        I wonder if I’ve to add some particular parameter in
        /etc/nova/nova.conf, as I did for glance and other services:
        cafile, which is not documented.
        <br>
        <br>
      </blockquote>
      Simply copying the certificate there will not be sufficient.
      You'll need to store it under the hashed DN. That's what all the
      .0 files are there for. This short howto may help you achieve
      this:
<a class="moz-txt-link-freetext" href="http://ten-fingers-and-a-brain.com/2011/02/add-startssl-to-trusted-ca-store-in-openssl/">http://ten-fingers-and-a-brain.com/2011/02/add-startssl-to-trusted-ca-store-in-openssl/</a><br>
      <br>
      <br>
      Cheers,
      <br>
      Björn
      <br>
      <br>
      <blockquote type="cite">    A.
        <br>
        _______________________________________________
        <br>
        OpenStack-operators mailing list
        <br>
        <a class="moz-txt-link-abbreviated" href="mailto:OpenStack-operators@lists.openstack.org">OpenStack-operators@lists.openstack.org</a>
        <br>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a>
        <br>
        <br>
      </blockquote>
      <br>
      <br>
      <br>
    </blockquote>
    <br>
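    An added example, not part of the original thread: the hashed-DN lookup Björn describes, shown by verifying a server certificate against a CA directory before and after the CA is stored under its subject hash. It assumes the openssl CLI is installed; the function names, file names and certificate subjects are constructed for the illustration.<br>

```shell
#!/usr/bin/env bash
# Added example, not from the thread. The CA, server certificate and paths
# are constructed throwaway values created under a temp directory.

# Store CA_PEM in CA_DIR as subject-hash.N, the file name OpenSSL looks up.
install_ca_hashed() {
    local ca_pem="$1" ca_dir="$2" subj_hash n=0
    # Fails here if the file is not a parseable X.509 certificate.
    subj_hash=$(openssl x509 -in "$ca_pem" -noout -hash) || return 1
    # Same CA already present: reuse it. Other CA, same hash: next suffix.
    while [ -e "$ca_dir/$subj_hash.$n" ]; do
        cmp -s "$ca_pem" "$ca_dir/$subj_hash.$n" && { echo "$subj_hash.$n"; return 0; }
        n=$((n + 1))
    done
    cp "$ca_pem" "$ca_dir/$subj_hash.$n" && echo "$subj_hash.$n"
}

# Succeed only if CERT chains to a CA that OpenSSL finds in CA_DIR.
verifies_with_dir() {
    openssl verify -CApath "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Create a constructed CA plus a server certificate signed by it in DIR.
make_test_pki() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=keystone.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/srv.pem" 2>/dev/null
}

# A plain copy in the directory is ignored; the hashed name is found.
demo() {
    local work ca_dir result
    work=$(mktemp -d) || return 1
    ca_dir="$work/certs"
    mkdir "$ca_dir" && make_test_pki "$work" || return 1
    cp "$work/ca.pem" "$ca_dir/my-ca.pem"   # what was tried in the thread
    verifies_with_dir "$work/srv.pem" "$ca_dir" && result="copy=trusted" || result="copy=untrusted"
    install_ca_hashed "$work/ca.pem" "$ca_dir" >/dev/null || return 1
    verifies_with_dir "$work/srv.pem" "$ca_dir" && result="$result hashed=trusted" || result="$result hashed=untrusted"
    rm -rf "$work"
    echo "$result"
}

demo
```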
  </body>
</html>