[openstack-dev] [Nova] understanding SSL behavior

Rahul Sharma rahulsharmaait at gmail.com
Mon Sep 7 08:26:07 UTC 2015


Hi All,

I am trying to configure the endpoints to communicate over https. I am
trying to debug a particular behavior of the code but am unable to relate my
sequence of actions to the behavior of the code. Kindly guide me to
understand the below-mentioned scenario.

For SSL, I have generated a self-signed CA cert and used it to sign the CSR
of the host/controller. I placed the CA cert in the trusted-root
authority of my host and all the services work fine. They are able to talk
to each other over https. I was able to access the URL
https://<controller>:8774 from anywhere.

I went ahead and modified the nova.conf and added ssl_ca_file in [DEFAULT]
section.
[DEFAULT]
.......
ssl_ca_file=<path-to-ca-file>
ssl_cert_file=<path-to-cert-file>
ssl_key_file=<path-to-key-file>
.......

Nova services come up fine, but now I am unable to access the url
https://<controller>:8774.
If I again remove the ssl_ca_file from nova.conf, it again starts working
fine.

Looking at the code, I could see that it's being used in nova/wsgi.py.

if CONF.ssl_ca_file:
    ssl_kwargs['ca_certs'] = ca_file
    ssl_kwargs['cert_reqs'] = ssl.CERT_REQUIRED

I am missing some very basic thing here. Can someone please help me to
understand the sequence of steps going on and what I need to do to
communicate with the service? The service is running and listening on port
8774, but it looks like I might have to provide something else with the
request to communicate with the service. Since various other services would
be communicating with nova, do I need to configure some specific parameter
in those services? Any pointers would be really helpful.

Thanks.

*Rahul Sharma*
*MS in Computer Science, 2016*
College of Computer and Information Science, Northeastern University
Mobile:  801-706-7860
Email: rahulsharmaait at gmail.com
Linkedin: www.linkedin.com/in/rahulsharmaait
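
Added example (not part of the original post and not Nova's code): what `cert_reqs = ssl.CERT_REQUIRED` means on a server socket, shown with Python's `ssl.SSLContext` in place of the keyword arguments in the quoted snippet. It assumes the `openssl` CLI is on PATH; the certificates are constructed throwaways and all function names are illustrative.

```python
import ssl, subprocess, tempfile

def make_pki(d):  # constructed throwaway CA, plus server and client certs it signs
    def run(*a):
        subprocess.run(["openssl", *a], cwd=d, check=True, capture_output=True)
    key = ("-newkey", "rsa:2048", "-nodes")
    run("req", "-x509", *key, "-days", "1", "-subj", "/CN=ca", "-keyout", "ca.key", "-out", "ca.pem")
    for n in ("server", "client"):
        run("req", *key, "-subj", f"/CN={n}", "-keyout", f"{n}.key", "-out", f"{n}.csr")
        run("x509", "-req", "-in", f"{n}.csr", "-CA", "ca.pem", "-CAkey", "ca.key",
            "-CAcreateserial", "-days", "1", "-out", f"{n}.pem")

def server_ctx(d, ca_file=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(f"{d}/server.pem", f"{d}/server.key")
    if ca_file:  # mirrors the ssl_ca_file branch quoted from nova/wsgi.py
        ctx.load_verify_locations(ca_file)   # ca_certs
        ctx.verify_mode = ssl.CERT_REQUIRED  # cert_reqs: client cert now mandatory
    return ctx

def client_ctx(d, with_cert):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies the server against ca.pem
    ctx.check_hostname = False  # the constructed certs carry no subjectAltName
    ctx.load_verify_locations(f"{d}/ca.pem")
    if with_cert:
        ctx.load_cert_chain(f"{d}/client.pem", f"{d}/client.key")
    return ctx

def handshake(sctx, cctx):  # in-memory TLS handshake; True only if both sides finish
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    pending = [cctx.wrap_bio(c_in, c_out), sctx.wrap_bio(s_in, s_out, server_side=True)]
    for _ in range(20):
        for side in list(pending):
            try:
                side.do_handshake()
                pending.remove(side)
            except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
                pass  # waiting for bytes from the peer
            except ssl.SSLError:
                return False  # e.g. server got no client certificate
        for src, dst in ((c_out, s_in), (s_out, c_in)):
            if data := src.read():
                dst.write(data)
    return not pending

def demo():
    with tempfile.TemporaryDirectory() as d:
        make_pki(d)
        return [handshake(server_ctx(d, ca), client_ctx(d, cert)) for ca, cert in
                ((None, False), (f"{d}/ca.pem", False), (f"{d}/ca.pem", True))]
```

`demo()` returns `[True, False, True]`: without a CA file any client that trusts the server completes the handshake, with a CA file and `CERT_REQUIRED` a client that presents no certificate is refused, and a client presenting a certificate signed by that CA is accepted.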