<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Matt, thank you for your reply. <br>
I think I've resolved my problem by setting the 'admin_endpoint' and
'public_endpoint' in the DEFAULT section of keystone.conf (they are
not mentioned in the installation guide, but in this thread
<a class="moz-txt-link-freetext" href="https://goo.gl/3JAOHb">https://goo.gl/3JAOHb</a>):<br>
<br>
admin_endpoint = http://controller_mgmt_private_ip:35357<br>
public_endpoint = https://public_ip:5000<br>
<br>
and everything is now working.<br>
<br>
Thank you and sorry for the noise,<br>
<br>
Alvise<br>
<br>
<br>
<div class="moz-cite-prefix">On 27/10/2015 21:18, Matt Fischer
wrote:<br>
</div>
<blockquote
cite="mid:CAHr1CO_+qwWxWWGKXgbqot-O+zvbjQwMTUF46tsWSGxTmk-_sw@mail.gmail.com"
type="cite">
<div dir="ltr">What's your output from keystone endpoint-list or
keystone catalog (or the DB table)? Is it possible the admin URL
is simply listed as http?</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Oct 27, 2015 at 9:32 PM, Alvise
Dorigo <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:alvise.dorigo@pd.infn.it" target="_blank">alvise.dorigo@pd.infn.it</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">I have an
IceHouse OpenStack installation, where the endpoints are
using https as protocol (i.e. in the keystone.endpoint
table the https protocol is specified).<br>
<br>
Now, I want to migrate this installation to Kilo. For this
purpose I followed these steps:<br>
<br>
- I scratched the controller/network node, but the DB was
untouched (it resides on different machines), and
re-installed with CentOS7<br>
- I installed the Juno rpms (without configuring Juno
services)<br>
- I synced the keystone DB to the Juno version using the
usual "db_sync" command:<br>
<br>
su -s /bin/sh -c "keystone-manage db_sync" keystone<br>
<br>
- Then, I scratched the controller/network node,
re-installed again with CentOS7 and installed all the Kilo
RPMs required to sync the DB to the Kilo version.<br>
With all the Kilo RPMs installed, I started from there to
configure the Kilo Keystone service as described in the
official guide <a moz-do-not-send="true"
href="http://docs.openstack.org" rel="noreferrer"
target="_blank">docs.openstack.org</a>.<br>
<br>
That installation configures Keystone exposing v3 API, which
can be used only with the openstackclient (and not by the
legacy keystone one). But it seems there's a problem with
the https endpoints.<br>
<br>
After setting the following env vars<br>
<br>
export OS_PROJECT_DOMAIN_ID=default<br>
export OS_USER_DOMAIN_ID=default<br>
export OS_PROJECT_NAME=admin<br>
export OS_TENANT_NAME=admin<br>
export OS_USERNAME=admin<br>
export OS_PASSWORD=XXXXXXXX<br>
export OS_AUTH_URL=<a moz-do-not-send="true"
href="https://cloud-areapd-test.pd.infn.it:35357/v3"
rel="noreferrer" target="_blank">https://cloud-areapd-test.pd.infn.it:35357/v3</a><br>
export
OS_CACERT=/etc/grid-security/certificates/INFN-CA-2006.pem<br>
<br>
openstack fires out the following error:<br>
<br>
[root@controller-01 ~]# openstack user list<br>
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90:
InsecurePlatformWarning: A true SSLContext object is not
available. This prevents urllib3 from configuring SSL
appropriately and may cause certain SSL connections to fail.
For more information, see <a moz-do-not-send="true"
href="https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning"
rel="noreferrer" target="_blank">https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning</a>.
<br>
InsecurePlatformWarning<br>
ERROR: openstack Unable to establish connection to <a
moz-do-not-send="true"
href="http://cloud-areapd-test.pd.infn.it:35357/v3/auth/tokens"
rel="noreferrer" target="_blank">http://cloud-areapd-test.pd.infn.it:35357/v3/auth/tokens</a><br>
<br>
<br>
With a deeper investigation I see that the Keystone service
returns an "http" protocol for the endpoint despite the fact
that there's https in the backend database:<br>
<br>
[root@controller-01 ~]# curl -g -i --cacert
"/etc/grid-security/certificates/INFN-CA-2006.pem" -X GET <a
moz-do-not-send="true"
href="https://cloud-areapd-test.pd.infn.it:35357/v3"
rel="noreferrer" target="_blank">https://cloud-areapd-test.pd.infn.it:35357/v3</a>
-H "Accept: application/json" -H "User-Agent:
python-keystoneclient"<br>
HTTP/1.1 200 OK<br>
Vary: X-Auth-Token<br>
Content-Type: application/json<br>
Content-Length: 268<br>
X-Openstack-Request-Id:
req-a47a2873-f81b-490a-b249-7f970754914b<br>
Date: Tue, 27 Oct 2015 10:32:20 GMT<br>
Connection: close<br>
<br>
{"version": {"status": "stable", "updated":
"2015-03-30T00:00:00Z", "media-types": [{"base":
"application/json", "type":
"application/vnd.openstack.identity-v3+json"}], "id":
"v3.4", "links": [{"href": "<a moz-do-not-send="true"
href="http://cloud-areapd-test.pd.infn.it:35357/v3/"
rel="noreferrer" target="_blank">http://cloud-areapd-test.pd.infn.it:35357/v3/</a>",
"rel": "self"}]}}<br>
<br>
The above curl command is grabbed from the output of
"openstack --debug user list".<br>
<br>
If I switch back to v2.0 API in env var OS_AUTH_URL,
keystone client works correctly (and openstack stops
working) and shows me the users, tenants, etc.:<br>
<br>
[root@controller-01 ~]# export OS_AUTH_URL=<a
moz-do-not-send="true"
href="https://cloud-areapd-test.pd.infn.it:35357/v2.0"
rel="noreferrer" target="_blank">https://cloud-areapd-test.pd.infn.it:35357/v2.0</a><br>
[root@controller-01 ~]# keystone user-list<br>
/usr/lib/python2.7/site-packages/keystoneclient/shell.py:65:
DeprecationWarning: The keystone CLI is deprecated in favor
of python-openstackclient. For a Python library, continue
using python-keystoneclient.<br>
'python-keystoneclient.', DeprecationWarning)<br>
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90:
InsecurePlatformWarning: A true SSLContext object is not
available. This prevents urllib3 from configuring SSL
appropriately and may cause certain SSL connections to fail.
For more information, see <a moz-do-not-send="true"
href="https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning"
rel="noreferrer" target="_blank">https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning</a>.
<br>
InsecurePlatformWarning<br>
+----------------------------------+----------+---------+---------------------+<br>
| id | name | enabled | email |<br>
+----------------------------------+----------+---------+---------------------+<br>
| 62e64ee442cc42e7b07c0209010148c3 | admin | True | ADMIN_EMAIL |<br>
| 96ab92677d43476a820428e281d229f2 | cinder | True | <a moz-do-not-send="true" href="mailto:cinder@example.co" target="_blank">cinder@example.co</a> |<br>
| e737d7af46ab46838bbef6c5d16aff7e | glance | True | <a moz-do-not-send="true" href="mailto:glance@example.com" target="_blank">glance@example.com</a> |<br>
| 84546c19c2b242738235022f73b2e9c2 | neutron | True | <a moz-do-not-send="true" href="mailto:neutron@example.com" target="_blank">neutron@example.com</a> |<br>
| b99c5365b6c448d4956fdae02fe0ef11 | nova | True | <a moz-do-not-send="true" href="mailto:nova@example.com" target="_blank">nova@example.com</a> |<br>
| 3c2bde47975b4f738b316d87f3727ec3 | sgaravat | True | |<br>
+----------------------------------+----------+---------+---------------------+<br>
<br>
<br>
So, the question is: is there a bug in the service code
which forcibly translates https to http?<br>
<br>
thanks,<br>
<br>
Alvise Dorigo<br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
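<br>
Added example, not part of the original thread or of Keystone's code: a check that compares the "self" links in a Keystone version document with the OS_AUTH_URL the client was given, and flags the https-to-http downgrade seen in the curl output quoted above. The sample body is constructed from that output (trimmed); the function names and the root "versions"/"values" document shape handled alongside the /v3 one are assumptions of this example.<br>
<pre>
```python
import json
from urllib.parse import urlsplit

# Constructed from the response quoted in the thread, trimmed to the fields used.
SAMPLE_V3 = json.dumps({"version": {"id": "v3.4", "status": "stable", "links": [
    {"href": "http://cloud-areapd-test.pd.infn.it:35357/v3/", "rel": "self"}]}})

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


def self_links(document):
    """Collect 'self' hrefs from a /v3 document or a root multi-version one."""
    if "version" in document:
        versions = [document["version"]]
    else:
        versions = document.get("versions", {}).get("values", [])
    return [link["href"] for v in versions for link in v.get("links", [])
            if link.get("rel") == "self"]


def audit_discovery(auth_url, body):
    """Compare advertised self links with the URL the client was told to use."""
    want_scheme, want_host, want_port = origin(auth_url)
    findings = []
    for href in self_links(json.loads(body)):
        scheme, host, port = origin(href)
        if want_scheme == "https" and scheme != "https":
            # The client would follow this link in cleartext, as in the thread.
            findings.append((href, "scheme-downgrade"))
        elif (host, port) != (want_host, want_port):
            findings.append((href, "origin-mismatch"))
    return findings


if __name__ == "__main__":
    for href, reason in audit_discovery(
            "https://cloud-areapd-test.pd.infn.it:35357/v3", SAMPLE_V3):
        print(reason, href)
```
</pre>
An empty result after setting admin_endpoint and public_endpoint means the advertised links now match the TLS URL that clients use.<br>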
</body>
</html>