<div dir="ltr"><div>Devendra,<br><br></div>Please try add auth_version=2.0 to the keystone_authtoken section on both nova and neutron conf file. there is a bug may affect you.<br>referred to <a href="https://ask.openstack.org/en/question/8235/havana-neutron-unauthorized-authentication-required/">https://ask.openstack.org/en/question/8235/havana-neutron-unauthorized-authentication-required/</a><br>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">2014-04-14 22:35 GMT+08:00 Devendra Gupta <span dir="ltr"><<a href="mailto:dev29aug@gmail.com" target="_blank">dev29aug@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div>Thank you Yaguang. </div><div><br></div><div>Now glance image-list is working fine with adding</div><div class=""><div>"insecure=True" to glance-api.conf and glance-register.conf below</div></div>
<div>keystone_authtoken section. I'll also try the approach suggested by</div>
<div>Rob for adding cafile path.</div><div><br></div><div>I also set "insecure=True" for nova and neutron. Nova is working fine</div><div>with SSL enabled keystone but neutron is still having weird issue. I</div>
<div>am doing Google around it and I see lots of bugs related to the issue</div><div>but nothing is clear if it's a bug or config issue, I am trying some</div><div>workarounds but nothing seems working. When I try to do "neutron</div>
<div>net-list", I can see error as "Authentication required"</div><div><br></div><div>/etc/neutron/server.log shows following lines when net-list command is executed:</div><div><br></div><div>2014-04-15 03:50:34.947 24843 INFO urllib3.connectionpool [-] Starting</div>
<div class="">
<div>new HTTPS connection (1): openstack-centos65</div></div><div>2014-04-15 03:50:35.045 24843 WARNING</div><div>keystoneclient.middleware.auth_token [-] Verify error: Command</div><div>'openssl' returned non-zero exit status 4</div>
<div>2014-04-15 03:50:35.048 24843 WARNING</div><div class=""><div>keystoneclient.middleware.auth_token [-] Authorization failed for</div></div><div>token 19ecd7820e37141d83f5ff7339da6656</div><div>2014-04-15 03:50:35.050 24843 INFO</div>
<div class=""><div>
keystoneclient.middleware.auth_token [-] Invalid user token -</div></div><div>rejecting request</div><div><br></div><div>Neutron net-list --verbose output is attached. Please let me know your inputs.</div><div><br></div>
<div>Regards,</div>
<div>Devendra Gupta</div><div><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Apr 14, 2014 at 11:27 AM, Yaguang Tang <span dir="ltr"><<a href="mailto:heut2008@gmail.com" target="_blank">heut2008@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">I think you should add insecure=True to glance-api.conf and glance-register.conf below keystone_authtoken section.<br>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">2014-04-14 12:45 GMT+08:00 Devendra Gupta <span dir="ltr"><<a href="mailto:dev29aug@gmail.com" target="_blank">dev29aug@gmail.com</a>></span>:<div><div>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">Ok Yelu, I am trying this, though glance image-list was working fine before configuring keystone to SSL. BTW please also see the SSL error I saw in glance api.log<div>
<br></div><div><div>2014-04-14 18:08:37.011 1989 INFO urllib3.connectionpool [-] Starting new HTTPS connection (1): openstack-centos65</div>
<div>2014-04-14 18:08:37.039 1989 WARNING keystoneclient.middleware.auth_token [-] Retrying on HTTP connection exception: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed</div>
<div>2014-04-14 18:08:39.041 1989 INFO urllib3.connectionpool [-] Starting new HTTPS connection (1): openstack-centos65</div><div>2014-04-14 18:08:39.069 1989 ERROR keystoneclient.middleware.auth_token [-] HTTP connection exception: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed</div>
<div>2014-04-14 18:08:39.069 1989 WARNING keystoneclient.middleware.auth_token [-] Authorization failed for token 123aa9518c869b95c2d75ab49f12c139</div><div>2014-04-14 18:08:39.070 1989 INFO keystoneclient.middleware.auth_token [-] Invalid user token - deferring reject downstream</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">Regards,</div><div class="gmail_extra">Devendra<br><br><div class="gmail_quote">On Mon, Apr 14, 2014 at 8:38 AM, Yelu <span dir="ltr"><<a href="mailto:yeluaiesec@gmail.com" target="_blank">yeluaiesec@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">you can curl by using your username and password<div>
<br></div><div>--os-username XX --os-password XX<br></div><div><br></div><div>and check your conf here</div><div>are they correct</div><div><img src="cid:ii_1455e34c9166c102" alt="Inline image 1"><br>
</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote"><div><div><div><div>On Sun, Apr 13, 2014 at 7:52 PM, Devendra Gupta <span dir="ltr"><<a href="mailto:dev29aug@gmail.com" target="_blank">dev29aug@gmail.com</a>></span> wrote:<br>
</div></div></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div><div><div>Hi,<br>
<br>
I have configured keystone to SSL and also update the endpoint in<br>
service catalog. Keystone operations like endpoint/tenant list working<br>
fine. I also update glance-api.conf and glance-registry.conf files<br>
with ssl enabled keystone details but still glance is unable to find<br>
images. It fails with following:<br>
<br>
[root@openstack-centos65 glance(keystone_admin)]# glance --insecure image-list<br>
Request returned failure status.<br>
Invalid OpenStack Identity credentials.<br>
<br>
Please see attached keystone.conf, glance-api.conf and<br>
glance-registry.conf and debug output of glance image-list and<br>
endpoint list.<br>
<br>
Regards,<br>
Devendra<br>
<br></div></div></div></div>_______________________________________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
<br></blockquote></div><br></div>
</blockquote></div><br></div></div></div>
<br>_______________________________________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
<br></blockquote></div></div></div><span><font color="#888888"><br><br clear="all"><br>-- <br><div dir="ltr"><div>Tang Yaguang</div><div><br></div><div>Canonical Ltd. | <a href="http://www.ubuntu.com" target="_blank">www.ubuntu.com</a> | <a href="http://www.canonical.com" target="_blank">www.canonical.com</a></div>
<div>Mobile: <a href="tel:%2B86%20152%201094%206968" value="+8615210946968" target="_blank">+86 152 1094 6968</a></div><div>gpg key: 0x187F664F</div><div> </div></div>
</font></span></div>
</blockquote></div><br></div></div></div></div>
</blockquote></div><br><br clear="all"><br>-- <br><div dir="ltr"><div>Tang Yaguang</div><div><br></div><div>Canonical Ltd. | <a href="http://www.ubuntu.com" target="_blank">www.ubuntu.com</a> | <a href="http://www.canonical.com" target="_blank">www.canonical.com</a></div>
<div>Mobile: +86 152 1094 6968</div><div>gpg key: 0x187F664F</div><div> </div></div>
</div>