<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>
<div>We had this issue. OS_CACERT doesn't do what you think it does. If I remember correctly it's for client certs or something of the like. For us - we had to include the bundle of signing CA into the cert file. Our ssl config is like:</div>
<div><br>
</div>
<div>ca_certs=/path/to/your-ca-ssl-bundle.crt </div>
<div>certfile=/path/to/sslcert-withbundle-appended-to-the-end.crt</div>
<div>keyfile=/path/to/privatekeyforcert.key</div>
<div>cert_subject=</div>
<div>ca_key=</div>
<div><br>
</div>
<div>The your-ca-ssl-bundle.crt should come from your ssl cert provider and you should be able to find it publicly available.</div>
<div>You can create a bundle via: https://support.comodo.com/index.php?/Knowledgebase/Article/View/643/0/how-do-i-make-my-own-bundle-file-from-crt-files</div>
<div>
<div>
<div>____________________________________________</div>
<div> </div>
<div>Kris Lindgren</div>
<div>Senior Linux Systems Engineer</div>
<div>GoDaddy, LLC.</div>
</div>
</div>
</div>
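<div>Added example, not part of the original message and not the poster's own commands: a check of why the certfile needs the signing CA bundle appended, using a constructed throwaway root CA, intermediate CA and server certificate. All file names and subject names are assumptions made for the demo.</div>
<pre>
```bash
#!/usr/bin/env bash
# Constructed throwaway PKI: root CA -> intermediate CA -> server certificate.
# Every name and path here is a placeholder, not taken from the thread.

new_csr() {   # $1 = dir, $2 = file stem, $3 = common name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_demo_pki() {   # $1 = working directory
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  new_csr "$d" root "Demo Root CA"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  new_csr "$d" int "Demo Intermediate CA"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  new_csr "$d" server "keystone.example.test"
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/server.crt" 2>/dev/null
}

# Judge a server certfile the way a TLS client does: only the CA file in $2 is
# trusted; the first certificate in $1 is the one verified, and anything after
# it is treated as the untrusted chain the server would send along.
chain_verifies() {   # $1 = certfile the server presents, $2 = client CA file
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

report() {   # $1 = label, $2 = certfile, $3 = client CA file
  if chain_verifies "$2" "$3"; then echo "$1: chain verifies"
  else echo "$1: chain incomplete"; fi
}

work=$(mktemp -d)
make_demo_pki "$work"
# Server certificate first, signing CA bundle appended to the end.
cat "$work/server.crt" "$work/int.crt" > "$work/server-with-bundle.crt"
report "certificate alone" "$work/server.crt" "$work/root.crt"
report "certificate + bundle" "$work/server-with-bundle.crt" "$work/root.crt"
```
</pre>
<div>On a real deployment, pass the certfile from the ssl config and the CA file handed to the client in place of the demo files.</div>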
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Gui Maluf &lt;<a href="mailto:guimalufb@gmail.com">guimalufb@gmail.com</a>&gt;<br>
<span style="font-weight:bold">Date: </span>Tuesday, February 10, 2015 at 4:40 PM<br>
<span style="font-weight:bold">To: </span>"Kris G. Lindgren" &lt;<a href="mailto:klindgren@godaddy.com">klindgren@godaddy.com</a>&gt;<br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:openstack-operators@lists.openstack.org">openstack-operators@lists.openstack.org</a>" &lt;<a href="mailto:openstack-operators@lists.openstack.org">openstack-operators@lists.openstack.org</a>&gt;<br>
<span style="font-weight:bold">Subject: </span>Re: [Openstack-operators] Swift-Proxy + Keystone with HAProxy and SSL<br>
</div>
<div><br>
</div>
<div>
<div>
<div dir="ltr">Something is wrong with my certificates and Keystone, because after changing to self-signed certificates everything is working.<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Feb 10, 2015 at 8:52 PM, Gui Maluf <span dir="ltr">
&lt;<a href="mailto:guimalufb@gmail.com" target="_blank">guimalufb@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><a href="http://paste.openstack.org/show/171017/" target="_blank">http://paste.openstack.org/show/171017/</a><br>
</div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Feb 10, 2015 at 8:33 PM, Kris G. Lindgren <span dir="ltr">
&lt;<a href="mailto:klindgren@godaddy.com" target="_blank">klindgren@godaddy.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif">
<div>
<div>Can you post your haproxy config file?</div>
<div>
<div>
<div>____________________________________________</div>
<div> </div>
<div>Kris Lindgren</div>
<div>Senior Linux Systems Engineer</div>
<div>GoDaddy, LLC.</div>
</div>
<div><br>
</div>
</div>
</div>
<div><br>
</div>
<span>
<div style="font-family:Calibri;font-size:11pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt">
<span style="font-weight:bold">From: </span>Gui Maluf &lt;<a href="mailto:guimalufb@gmail.com" target="_blank">guimalufb@gmail.com</a>&gt;<br>
<span style="font-weight:bold">Date: </span>Tuesday, February 10, 2015 at 3:25 PM<br>
<span style="font-weight:bold">To: </span>"<a href="mailto:openstack-operators@lists.openstack.org" target="_blank">openstack-operators@lists.openstack.org</a>" &lt;<a href="mailto:openstack-operators@lists.openstack.org" target="_blank">openstack-operators@lists.openstack.org</a>&gt;<br>
<span style="font-weight:bold">Subject: </span>[Openstack-operators] Swift-Proxy + Keystone with HAProxy and SSL<br>
</div>
<div>
<div>
<div><br>
</div>
<div>
<div>
<div dir="ltr">
<div>
<div>Hey guys, <br>
my production environment has been down for two days and I can't fix it.<br>
<br>
I had 3 keystone+swiftproxy nodes, balanced with DNS-RR and endpoints pointing to DNS; keystone running on 5000/35357 and swift on 443, both with self-signed certificate and native ssl;<br>
<br>
Then I've changed the swiftproxy to run on port 8080, disable the native SSL, set up HAProxy(real LB with healthcheck and SSL passthrough) redirecting tcp connections to keystone/swiftproxy nodes and changed keystone endpoints pointing to HAProxy hostname with
specific ports. <br>
<br>
What is happening now: Using curl I can access keystone api with -k and passing --cacert, but with keystoneclient, even with OS_CACERT, I can't run any command without the --insecure flag<br>
<span style="font-family: monospace, monospace;"><br>
Authorization Failed: &lt;attribute 'message' of 'exceptions.BaseException' objects&gt; (HTTP Unable to establish connection to https</span><br>
<br>
Swift just doesn't work, either through the API or swiftclient. <br>
<br>
Could someone help me, please? <br>
</div>
What else should I do to change the swift-proxy port and to have HAProxy pointing to it?<br>
<br>
<br>
</div>
thanks<br clear="all">
<div>
<div><br>
-- <br>
<div><font face="Arial,Helvetica,sans-serif"><b>guilherme</b> \n<br>
\<font>t</font> <b>maluf</b><br>
</font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</span></div>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div><font face="Arial,Helvetica,sans-serif"><b>guilherme</b> \n<br>
\<font>t</font> <b>maluf</b><br>
</font></div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div class="gmail_signature"><font face="Arial,Helvetica,sans-serif"><b>guilherme</b> \n<br>
\<font>t</font> <b>maluf</b><br>
</font></div>
</div>
</div>
</div>
</span>
</body>
</html>