[openstack-dev] [devstack] How to enable SSL in devStack?

Rob Crittenden rcritten at redhat.com
Wed Jul 20 17:29:02 UTC 2016


Rob Crittenden wrote:
> Andrey Pavlov wrote:
>> Hi,
>>
>> When I ran devstack with SSL I found a bug and tried to fix it -
>> https://review.openstack.org/#/c/242812/
>> But no one agrees with me.
>> Try to apply this patch - it may help.
>> Also there is a chance that new bugs are present in devstack that
>> prevent installing it with SSL.
>
> Seeing how some other things in your local.conf might help but when I
> tried to reproduce it I got the same error and it failed because Apache
> didn't have an SSL listener on 443.
>
> I'm not sure I'd recommend direct SSL in any case. I'd recommend the
> tls-proxy service instead. Note that I'm pretty sure it has the same
> problem: it hasn't been updated to handle port 443 for Keystone.
>
> I'm working on switching from stud to mod_proxy if you want to take a
> look and this problem is fixed there, https://review.openstack.org/301172
>
> I'll see about adding a SSL listener to Keystone for the USE_SSL case in
> the next few days.
>
> And yeah, it's a moving target. I have an experimental gate test for
> tlsproxy but it has to be requested explicitly. My plan is to enable it
> as non-voting once the mod_proxy changes land so it will at least be
> more obvious when things break (or maybe we can make it voting).

Fixing Keystone is easy. An Apache VirtualHost for 443 needs to be added.

But I found another, deeper problem: cinder won't listen on SSL. When 
they switched to using oslo_service for WSGI they completely removed the 
ability to use SSL. See bug https://bugs.launchpad.net/cinder/+bug/1590901

rob


