<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Hi Matt, thank you for your reply. <br>
    I think I've resolved my problem by setting the 'admin_endpoint' and
    'public_endpoint' in the DEFAULT section of keystone.conf (they are
    not mentioned in the installation guide, but in this thread
    <a class="moz-txt-link-freetext" href="https://goo.gl/3JAOHb">https://goo.gl/3JAOHb</a>):<br>
    <br>
    admin_endpoint = <a class="moz-txt-link-freetext" href="http://controller_mgmt_private_ip:35357">http://controller_mgmt_private_ip:35357</a><br>
    public_endpoint = <a class="moz-txt-link-freetext" href="https://public_ip:5000">https://public_ip:5000</a><br>
    <br>
    and everything is now working.<br>
    <br>
    Thank you and sorry for the noise,<br>
    <br>
        Alvise<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 27/10/2015 21:18, Matt Fischer
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAHr1CO_+qwWxWWGKXgbqot-O+zvbjQwMTUF46tsWSGxTmk-_sw@mail.gmail.com"
      type="cite">
      <div dir="ltr">What's your output from keystone endpoint-list or
        keystone catalog (or the DB table)? Is it possible the admin URL
        is simply listed as http?</div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Tue, Oct 27, 2015 at 9:32 PM, Alvise
          Dorigo <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:alvise.dorigo@pd.infn.it" target="_blank">alvise.dorigo@pd.infn.it</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">I have an
            IceHouse OpenStack installation, where the endpoints are
            using https as protocol (i.e. in the keystone.endpoint
            table  the https protocol is specified).<br>
            <br>
            Now, I want to migrate this installation to Kilo. For this
            purpose I followed these steps:<br>
            <br>
            - I scratched the controller/network node, but the DB was
            untouched (it resides on different machines), and
            re-installed with CentOS7<br>
            - I installed the Juno rpms (without configuring Juno
            services)<br>
            - I synced the keystone DB to the Juno version using the
            usual "db_sync" command:<br>
            <br>
                su -s /bin/sh -c "keystone-manage db_sync" keystone<br>
            <br>
            - Then, I scratched the controller/network node,
            re-installed again with CentOS7 and installed all the Kilo
            RPMs required to sync the DB to the Kilo version.<br>
            With all the Kilo RPMs installed, I started from there to
            configure the Kilo Keystone service as described in the
            official guide <a moz-do-not-send="true"
              href="http://docs.openstack.org" rel="noreferrer"
              target="_blank">docs.openstack.org</a>.<br>
            <br>
            That installation configures Keystone exposing v3 API, which
            can be used only with the openstackclient (and not by the
            legacy keystone one). But it seems there's a problem with
            the https endpoints.<br>
            <br>
            After setting the following env vars<br>
            <br>
            export OS_PROJECT_DOMAIN_ID=default<br>
            export OS_USER_DOMAIN_ID=default<br>
            export OS_PROJECT_NAME=admin<br>
            export OS_TENANT_NAME=admin<br>
            export OS_USERNAME=admin<br>
            export OS_PASSWORD=XXXXXXXX<br>
            export OS_AUTH_URL=<a moz-do-not-send="true"
              href="https://cloud-areapd-test.pd.infn.it:35357/v3"
              rel="noreferrer" target="_blank">https://cloud-areapd-test.pd.infn.it:35357/v3</a><br>
            export
            OS_CACERT=/etc/grid-security/certificates/INFN-CA-2006.pem<br>
            <br>
            openstack fires out the following error:<br>
            <br>
            [root@controller-01 ~]# openstack user list<br>
            /usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90:
            InsecurePlatformWarning: A true SSLContext object is not
            available. This prevents urllib3 from configuring SSL
            appropriately and may cause certain SSL connections to fail.
            For more information, see <a moz-do-not-send="true"
href="https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning"
              rel="noreferrer" target="_blank">https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning</a>.
            <br>
              InsecurePlatformWarning<br>
            ERROR: openstack Unable to establish connection to <a
              moz-do-not-send="true"
              href="http://cloud-areapd-test.pd.infn.it:35357/v3/auth/tokens"
              rel="noreferrer" target="_blank">http://cloud-areapd-test.pd.infn.it:35357/v3/auth/tokens</a><br>
            <br>
            <br>
            With a deeper investigation I see that the Keystone service
            returns an "http" protocol for the endpoint despite the fact
            that there's https in the backend database:<br>
            <br>
            [root@controller-01 ~]# curl -g -i --cacert
            "/etc/grid-security/certificates/INFN-CA-2006.pem" -X GET <a
              moz-do-not-send="true"
              href="https://cloud-areapd-test.pd.infn.it:35357/v3"
              rel="noreferrer" target="_blank">https://cloud-areapd-test.pd.infn.it:35357/v3</a>
            -H "Accept: application/json" -H "User-Agent:
            python-keystoneclient"<br>
            HTTP/1.1 200 OK<br>
            Vary: X-Auth-Token<br>
            Content-Type: application/json<br>
            Content-Length: 268<br>
            X-Openstack-Request-Id:
            req-a47a2873-f81b-490a-b249-7f970754914b<br>
            Date: Tue, 27 Oct 2015 10:32:20 GMT<br>
            Connection: close<br>
            <br>
            {"version": {"status": "stable", "updated":
            "2015-03-30T00:00:00Z", "media-types": [{"base":
            "application/json", "type":
            "application/vnd.openstack.identity-v3+json"}], "id":
            "v3.4", "links": [{"href": "<a moz-do-not-send="true"
              href="http://cloud-areapd-test.pd.infn.it:35357/v3/"
              rel="noreferrer" target="_blank">http://cloud-areapd-test.pd.infn.it:35357/v3/</a>",
            "rel": "self"}]}}<br>
            <br>
            The above curl command is grabbed from the output of
            "openstack --debug user list".<br>
            <br>
            If I switch back to v2.0 API in env var OS_AUTH_URL,
            keystone client works correctly (and openstack stops
            working) and shows me the users, tenants, etc.:<br>
            <br>
            [root@controller-01 ~]# export OS_AUTH_URL=<a
              moz-do-not-send="true"
              href="https://cloud-areapd-test.pd.infn.it:35357/v2.0"
              rel="noreferrer" target="_blank">https://cloud-areapd-test.pd.infn.it:35357/v2.0</a><br>
            [root@controller-01 ~]# keystone user-list<br>
            /usr/lib/python2.7/site-packages/keystoneclient/shell.py:65:
            DeprecationWarning: The keystone CLI is deprecated in favor
            of python-openstackclient. For a Python library, continue
            using python-keystoneclient.<br>
              'python-keystoneclient.', DeprecationWarning)<br>
            /usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90:
            InsecurePlatformWarning: A true SSLContext object is not
            available. This prevents urllib3 from configuring SSL
            appropriately and may cause certain SSL connections to fail.
            For more information, see <a moz-do-not-send="true"
href="https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning"
              rel="noreferrer" target="_blank">https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning</a>.
            <br>
              InsecurePlatformWarning<br>
            +----------------------------------+----------+---------+---------------------+
            <br>
            |                id                |   name   | enabled |
            email        |<br>
            +----------------------------------+----------+---------+---------------------+
            <br>
            | 62e64ee442cc42e7b07c0209010148c3 |  admin   |   True  |
            ADMIN_EMAIL     |<br>
            | 96ab92677d43476a820428e281d229f2 |  cinder  |   True  | <a
              moz-do-not-send="true" href="mailto:cinder@example.co"
              target="_blank">cinder@example.co</a> |<br>
            | e737d7af46ab46838bbef6c5d16aff7e |  glance  |   True  | <a
              moz-do-not-send="true" href="mailto:glance@example.com"
              target="_blank">glance@example.com</a> |<br>
            | 84546c19c2b242738235022f73b2e9c2 | neutron  |   True  | <a
              moz-do-not-send="true" href="mailto:neutron@example.com"
              target="_blank">neutron@example.com</a> |<br>
            | b99c5365b6c448d4956fdae02fe0ef11 |   nova   |   True  | <a
              moz-do-not-send="true" href="mailto:nova@example.com"
              target="_blank">nova@example.com</a> |<br>
            | 3c2bde47975b4f738b316d87f3727ec3 | sgaravat |   True |   
                             |<br>
            +----------------------------------+----------+---------+---------------------+
            <br>
            <br>
            <br>
            So, the question is: is there a bug in the service code
            which forcibly translates https to http?<br>
            <br>
            thanks,<br>
            <br>
                Alvise Dorigo<br>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
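    Added example, not part of the original thread or of Keystone's code: a check an operator can run after a TLS migration to confirm that the version document Keystone returns advertises the same scheme, host and port as the auth URL, which is the mismatch that admin_endpoint/public_endpoint corrected above. The function names and SAMPLE_BODY are constructed for illustration (the sample is the response quoted in the thread, trimmed), and the check also accepts the unversioned root document in addition to the /v3 document shown.<br>

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the version document quoted in the thread, as returned
# for a request made to https://cloud-areapd-test.pd.infn.it:35357/v3
SAMPLE_BODY = json.dumps({"version": {"status": "stable", "id": "v3.4", "links": [
    {"href": "http://cloud-areapd-test.pd.infn.it:35357/v3/", "rel": "self"}]}})


def _origin(url):
    """Return (scheme, host, port) with default ports filled in."""
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return parts.scheme, (parts.hostname or "").lower(), port


def check_discovery_links(auth_url, body):
    """Compare each advertised "self" link with the URL the client used.

    Returns a list of (href, problem) tuples; an empty list means every
    link keeps the scheme, host and port of auth_url.
    """
    want = _origin(auth_url)
    doc = json.loads(body)
    # /v3 returns {"version": {...}}; the unversioned root returns
    # {"versions": {"values": [...]}}. Handle both.
    if "version" in doc:
        versions = [doc["version"]]
    else:
        versions = doc.get("versions", {}).get("values", [])
    findings = []
    for version in versions:
        for link in version.get("links", []):
            if link.get("rel") != "self":
                continue
            got = _origin(link["href"])
            if want[0] == "https" and got[0] != "https":
                findings.append((link["href"], "scheme downgraded to " + got[0]))
            elif got != want:
                findings.append((link["href"], "origin differs from auth URL"))
    return findings


if __name__ == "__main__":
    for href, problem in check_discovery_links(
            "https://cloud-areapd-test.pd.infn.it:35357/v3", SAMPLE_BODY):
        print(problem, "->", href)
```

    An empty result after setting admin_endpoint and public_endpoint means clients that follow the advertised links will stay on the TLS endpoint.<br>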
  </body>
</html>