[Openstack] issue when I using PKI for token format
Adam Young
ayoung at redhat.com
Thu Mar 6 03:55:50 UTC 2014
On 03/05/2014 08:59 PM, Li, Chen wrote:
>
> Hi,
>
> I'm working under CentOS 6.4 + Havana, my keystone version is:
> openstack-keystone.noarch 2013.2.2-1.el6 @openstack-havana
>
> When I run command "keystone user-list", I get error:
> Authorization Failed: Unable to sign token. (HTTP 500)
>
> I can get error information in both "keystone-startup.log" and
> "keystone.log":
>
Did you run keystone-manage pki_setup? Problem is something with your
certificates.
> 2014-03-06 09:31:29.999 18693 ERROR keystone.common.cms [-] Signing
> error: Unable to load certificate - ensure you've configured PKI with
> 'keystone-manage pki_setup'
> 2014-03-06 09:31:29.999 18693 ERROR keystone.token.providers.pki [-]
> Unable to sign token
> 2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki
> Traceback (most recent call last):
> 2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File
> "/usr/lib/python2.6/site-packages/keystone/token/providers/pki.py",
> line 39, in _get_token_id
> 2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki
> CONF.signing.keyfile)
> 2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File
> "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 144,
> in cms_sign_token
> 2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki
> output = cms_sign_text(text, signing_cert_file_name,
> signing_key_file_name)
> 2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File
> "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 139,
> in cms_sign_text
> 2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki raise
> environment.subprocess.CalledProcessError(retcode, "openssl")
> 2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki
> CalledProcessError: Command 'openssl' returned non-zero exit status 3
> 2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki
> 2014-03-06 09:31:30.000 18693 WARNING keystone.common.wsgi [-] Unable
> to sign token.
> ~
>
> Anyone know why this happened ???
>
> Thanks.
> -chen
>
> My /etc/keystone/keystone.conf :
>
> [DEFAULT]
>
> [sql]
> connection = mysql://keystone:keystone@host-db/keystone
>
> [identity]
>
> [credential]
>
> [trust]
>
> [os_inherit]
>
> [catalog]
> driver = keystone.catalog.backends.sql.Catalog
>
> [endpoint_filter]
>
> [token]
> driver = keystone.token.backends.memcache.Token
>
> [cache]
>
> [policy]
>
> [ec2]
>
> [assignment]
>
> [oauth1]
>
> [ssl]
>
> [signing]
>
> [ldap]
>
> [auth]
> methods = external,password,token,oauth1
> password = keystone.auth.plugins.password.Password
> token = keystone.auth.plugins.token.Token
> oauth1 = keystone.auth.plugins.oauth1.OAuth
>
> [paste_deploy]
>
>
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140305/54ab39dc/attachment.html>
More information about the Openstack
mailing list