<div dir="ltr"><div><div>Hi <br></div>I am trying to set up SSL-enabled keystone using an external CA.<br><br></div>My keystone.conf settings regarding SSL are:<br><div><br>[signing]<br><br>certfile=/etc/grid-security/cert.pem<br><br>keyfile=/etc/grid-security/key.pem<br><br>ca_certs=/etc/grid-security/certificates/UKeScienceRoot-2007.pem<br><br>key_size=2048<br><br>cert_subject=&lt; DN of cert&gt;<br><br><br>[ssl]<br><br>enable=True<br><br>certfile=/etc/grid-security/cert.pem<br><br>keyfile=/etc/grid-security/key.pem<br><br>ca_certs=/etc/grid-security/certificates/UKeScienceRoot-2007.pem<br><br>cert_subject=&lt;DN of Cert&gt;<br><br><br></div><div>I commented out the "ca_key" parameter, which I think is not needed for an external CA certificate.<br><br></div><div>I can query keystone on the HTTPS endpoint with the --insecure option, but without the --insecure option it is failing with this error:<br><br>INFO:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.31.1<br>SSL exception connecting to <a href="https://192.168.31.1:35357/v2.0/users" target="_blank">https://192.168.31.1:35357/v2.0/users</a><br><br>I also tried with the --os_cacert option.<br><br></div><div>I am using OpenStack Icehouse.<br></div><div><br><br></div><div>Can someone help me in troubleshooting this problem?<br><br></div>Regards<div class=""><div id=":1bo" class="" tabindex="0">Kashif</div></div></div>