<div dir="ltr">Finally I was able to solve this issue by deleting the wrong certificates from the following path:<div><br></div><div><div class="gmail_extra">rm /var/lib/neutron/keystone-signing/*</div><div class="gmail_extra">
<br></div><div class="gmail_extra">Now I have a complete OpenStack environment running with SSL enabled Keystone but all other components are running on HTTP.</div><div class="gmail_extra"><br></div><div class="gmail_extra">
I am thinking of following the same approach and using the same certs as used in Keystone.conf to configure all other components like nova, glance, cinder, neutron to SSL by updating the conf, registry, paste files with cert path and ssl_enabled to true. Please suggest if this approach has any flaws.</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">Regards,</div><div class="gmail_extra">Devendra</div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 15, 2014 at 8:23 AM, Devendra Gupta <span dir="ltr"><<a href="mailto:dev29aug@gmail.com" target="_blank">dev29aug@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">Hi Yaguang,<div><br></div><div>I already tried it but am still facing the same issue. I added auth_version=2.0 to the keystone_authtoken section in both the nova and neutron conf files and then restarted all nova and neutron services. I see the exact same error in the logs as mentioned in my previous mail.</div>
<span class=""><font color="#888888">
<div><br></div></font></span><div><span class=""><font color="#888888">Devendra</font></span><div><div class="h5"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Apr 15, 2014 at 7:39 AM, Yaguang Tang <span dir="ltr"><<a href="mailto:heut2008@gmail.com" target="_blank">heut2008@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div>Devendra,<br><br></div>Please try adding auth_version=2.0 to the keystone_authtoken section in both the nova and neutron conf files. There is a bug that may affect you.<br>
Refer to <a href="https://ask.openstack.org/en/question/8235/havana-neutron-unauthorized-authentication-required/" target="_blank">https://ask.openstack.org/en/question/8235/havana-neutron-unauthorized-authentication-required/</a><br>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">2014-04-14 22:35 GMT+08:00 Devendra Gupta <span dir="ltr"><<a href="mailto:dev29aug@gmail.com" target="_blank">dev29aug@gmail.com</a>></span>:<div><div>
<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr"><div>Thank you Yaguang.</div><div><br></div><div>Now glance image-list is working fine after adding "insecure=True" to glance-api.conf and glance-register.conf below the keystone_authtoken section. I'll also try the approach suggested by Rob for adding the cafile path.</div><div><br></div>
<div>I also set "insecure=True" for nova and neutron. Nova is working fine with SSL enabled keystone but neutron is still having a weird issue. I am Googling around it and I see lots of bugs related to the issue but it is not clear if it's a bug or a config issue. I am trying some workarounds but nothing seems to be working. When I try to do "neutron net-list", I see the error "Authentication required".</div><div><br></div>
<div>/etc/neutron/server.log shows the following lines when the net-list command is executed:</div><div><br></div>
<div>2014-04-15 03:50:34.947 24843 INFO urllib3.connectionpool [-] Starting new HTTPS connection (1): openstack-centos65</div>
<div>2014-04-15 03:50:35.045 24843 WARNING keystoneclient.middleware.auth_token [-] Verify error: Command 'openssl' returned non-zero exit status 4</div>
<div>2014-04-15 03:50:35.048 24843 WARNING keystoneclient.middleware.auth_token [-] Authorization failed for token 19ecd7820e37141d83f5ff7339da6656</div>
<div>2014-04-15 03:50:35.050 24843 INFO keystoneclient.middleware.auth_token [-] Invalid user token - rejecting request</div><div><br></div>
<div>Neutron net-list --verbose output is attached. Please let me know your inputs.</div><div><br></div>
<div>Regards,</div>
<div>Devendra Gupta</div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Apr 14, 2014 at 11:27 AM, Yaguang Tang <span dir="ltr"><<a href="mailto:heut2008@gmail.com" target="_blank">heut2008@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">I think you should add insecure=True to glance-api.conf and glance-register.conf below keystone_authtoken section.<br>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">2014-04-14 12:45 GMT+08:00 Devendra Gupta <span dir="ltr"><<a href="mailto:dev29aug@gmail.com" target="_blank">dev29aug@gmail.com</a>></span>:<div><div>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">Ok Yelu, I am trying this, though glance image-list was working fine before configuring keystone to SSL. BTW please also see the SSL error I saw in glance api.log<div>
<br></div><div><div>2014-04-14 18:08:37.011 1989 INFO urllib3.connectionpool [-] Starting new HTTPS connection (1): openstack-centos65</div>
<div>2014-04-14 18:08:37.039 1989 WARNING keystoneclient.middleware.auth_token [-] Retrying on HTTP connection exception: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed</div>
<div>2014-04-14 18:08:39.041 1989 INFO urllib3.connectionpool [-] Starting new HTTPS connection (1): openstack-centos65</div><div>2014-04-14 18:08:39.069 1989 ERROR keystoneclient.middleware.auth_token [-] HTTP connection exception: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed</div>
<div>2014-04-14 18:08:39.069 1989 WARNING keystoneclient.middleware.auth_token [-] Authorization failed for token 123aa9518c869b95c2d75ab49f12c139</div><div>2014-04-14 18:08:39.070 1989 INFO keystoneclient.middleware.auth_token [-] Invalid user token - deferring reject downstream</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">Regards,</div><div class="gmail_extra">Devendra<br><br><div class="gmail_quote">On Mon, Apr 14, 2014 at 8:38 AM, Yelu <span dir="ltr"><<a href="mailto:yeluaiesec@gmail.com" target="_blank">yeluaiesec@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">You can curl by using your username and password<div>
<br></div><div>--os-username XX --os-password XX<br></div><div><br></div><div>and check your conf here; are they correct?</div><div>[Inline image 1]<br>
</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote"><div><div><div><div>On Sun, Apr 13, 2014 at 7:52 PM, Devendra Gupta <span dir="ltr"><<a href="mailto:dev29aug@gmail.com" target="_blank">dev29aug@gmail.com</a>></span> wrote:<br>
</div></div></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div><div><div>Hi,<br>
<br>
I have configured keystone to SSL and also updated the endpoint in<br>
service catalog. Keystone operations like endpoint/tenant list are working<br>
fine. I also updated glance-api.conf and glance-registry.conf files<br>
with ssl enabled keystone details but still glance is unable to find<br>
images. It fails with the following:<br>
<br>
[root@openstack-centos65 glance(keystone_admin)]# glance --insecure image-list<br>
Request returned failure status.<br>
Invalid OpenStack Identity credentials.<br>
<br>
Please see attached keystone.conf, glance-api.conf and<br>
glance-registry.conf and debug output of glance image-list and<br>
endpoint list.<br>
<br>
Regards,<br>
Devendra<br>
<br></div></div></div></div>_______________________________________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
<br></blockquote></div><br></div>
</blockquote></div><br></div></div></div>
<br></blockquote></div></div></div><span><font color="#888888"><br><br clear="all"><br>-- <br><div dir="ltr"><div>Tang Yaguang</div><div><br></div><div>Canonical Ltd. | <a href="http://www.ubuntu.com" target="_blank">www.ubuntu.com</a> | <a href="http://www.canonical.com" target="_blank">www.canonical.com</a></div>
<div>Mobile: <a href="tel:%2B86%20152%201094%206968" value="+8615210946968" target="_blank">+86 152 1094 6968</a></div><div>gpg key: 0x187F664F</div><div> </div></div>
</font></span></div>
</blockquote></div><br></div></div></div></div>
</blockquote></div></div></div><div><div><br>
</div></div></div>
</blockquote></div><br></div></div></div></div></div>
</blockquote></div><br></div></div></div>
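Added example, not part of the thread and not OpenStack code: a short Python triage pass over auth_token log lines like the ones quoted above. It separates the two failures seen in this thread, the HTTPS connection to Keystone failing certificate verification (glance api.log) and the token check failing when the openssl command exits non-zero (neutron server.log). The function name, labels and hint strings are assumptions made for illustration; the sample lines are copied from the messages above.

```python
import re

# Log lines copied from the glance api.log and neutron server.log excerpts in this thread.
SAMPLE_LOG = """\
2014-04-14 18:08:37.039 1989 WARNING keystoneclient.middleware.auth_token [-] Retrying on HTTP connection exception: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2014-04-14 18:08:39.069 1989 WARNING keystoneclient.middleware.auth_token [-] Authorization failed for token 123aa9518c869b95c2d75ab49f12c139
2014-04-15 03:50:35.045 24843 WARNING keystoneclient.middleware.auth_token [-] Verify error: Command 'openssl' returned non-zero exit status 4
2014-04-15 03:50:35.048 24843 WARNING keystoneclient.middleware.auth_token [-] Authorization failed for token 19ecd7820e37141d83f5ff7339da6656
"""

# Layout seen in the thread: "<date> <time> <pid> <LEVEL> <logger> [-] <message>"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<pid>\d+) "
                     r"[A-Z]+ (?P<logger>\S+) \[[^\]]*\] (?P<msg>.*)$")

# (label, pattern, hint); labels and hints are this example's own wording.
RULES = [
    ("tls_verify_failed", re.compile(r"certificate verify failed"),
     "HTTPS connection to Keystone rejected its certificate; give the service a "
     "cafile (insecure=True only turns verification off)"),
    ("token_verify_failed",
     re.compile(r"Verify error: Command 'openssl' returned non-zero exit status \d+"),
     "openssl could not verify the token; in this thread stale files in "
     "/var/lib/neutron/keystone-signing/ were the cause"),
]
TOKEN_RE = re.compile(r"Authorization failed for token (\w+)")

def triage(text):
    """Return one finding per rejected token, with the error that preceded it."""
    last_cause = {}   # pid -> (label, hint) of the most recent verify error
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group("logger").endswith("auth_token"):
            continue
        pid, msg = m.group("pid"), m.group("msg")
        for label, pattern, hint in RULES:
            if pattern.search(msg):
                last_cause[pid] = (label, hint)
        tok = TOKEN_RE.search(msg)
        if tok:
            label, hint = last_cause.pop(pid, ("unknown", "no verify error logged first"))
            # Tokens are bearer credentials: report only a short prefix.
            findings.append({"time": m.group("ts"), "pid": pid, "cause": label,
                             "token": tok.group(1)[:6] + "...", "hint": hint})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("{time} pid={pid} {cause} token={token}\n  -> {hint}".format(**f))
```

Running it on a service log after enabling SSL on Keystone shows whether a rejected token traces back to certificate trust on the HTTPS connection or to the local token verification step, which call for different fixes.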