[openstack-dev] [devstack] How to enable SSL in devStack?

Brant Knudson blk at acm.org
Fri Jul 22 15:10:18 UTC 2016


On Wed, Jul 20, 2016 at 12:29 PM, Rob Crittenden <rcritten at redhat.com>
wrote:

> Rob Crittenden wrote:
>
>> Andrey Pavlov wrote:
>>
>>> Hi,
>>>
>>> When I ran devstack with SSL I found a bug and tried to fix it -
>>> https://review.openstack.org/#/c/242812/
>>> But no one agrees with me.
>>> Try to apply this patch - it may help.
>>> Also there is a chance that there are new bugs in devstack that
>>> prevent installing it with SSL.
>>>
>>
>> Seeing how some other things in your local.conf might help but when I
>> tried to reproduce it I got the same error and it failed because Apache
>> didn't have an SSL listener on 443.
>>
>> I'm not sure I'd recommend direct SSL in any case. I'd recommend the
>> tls-proxy service instead. Note that I'm pretty sure it has the same
>> problem: it hasn't been updated to handle port 443 for Keystone.
>>
>> I'm working on switching from stud to mod_proxy if you want to take a
>> look and this problem is fixed there, https://review.openstack.org/301172
>>
>> I'll see about adding an SSL listener to Keystone for the USE_SSL case in
>> the next few days.
>>
>> And yeah, it's a moving target. I have an experimental gate test for
>> tlsproxy but it has to be requested explicitly. My plan is to enable it
>> as non-voting once the mod_proxy changes land so it will at least be
>> more obvious when things break (or maybe we can make it voting).
>>
>
> Fixing Keystone is easy. An Apache VirtualHost for 443 needs to be added.
>
> But I found another, deeper problem: cinder won't listen on SSL. When they
> switched to using oslo_service for WSGI they completely removed the ability
> to use SSL. See bug https://bugs.launchpad.net/cinder/+bug/1590901
>
>
> rob

Problems like this should make us wonder why we're reimplementing basic
functionality like TLS termination. Existing wsgi containers (uwsgi,
gunicorn, and apache) all handle TLS termination just fine.

-- 
- Brant
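As an added example (not from this thread, and not devstack's own configuration), one way to give Keystone a TLS listener on 443 in the mod_proxy style Rob describes: Apache terminates TLS and forwards to the HTTP-only WSGI backend, which then never needs SSL support of its own. The backend address 127.0.0.1:5000, the hostname and the certificate paths are assumptions to adjust for a real deployment.

```apache
# Added example, not from the thread or from devstack.
# Assumptions: Keystone's WSGI app listens on 127.0.0.1:5000 over plain
# HTTP; mod_ssl, mod_proxy, mod_proxy_http and mod_headers are loaded;
# certificate and key paths are placeholders. Drop the Listen line if
# ports.conf already declares 443.
Listen 443
<VirtualHost *:443>
    ServerName keystone.example.test

    SSLEngine on
    # placeholder paths
    SSLCertificateFile    /etc/ssl/certs/keystone.crt
    SSLCertificateKeyFile /etc/ssl/private/keystone.key
    # refuse legacy protocol versions at the terminator
    SSLProtocol           all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder   on

    # Tell the backend the original scheme so the URLs it generates in
    # responses (catalog entries, links) are https:// rather than http://.
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPreserveHost on

    # The backend is reached only over loopback; nothing on an external
    # interface should accept plaintext for this service.
    ProxyPass        / http://127.0.0.1:5000/
    ProxyPassReverse / http://127.0.0.1:5000/

    ErrorLog  /var/log/apache2/keystone-ssl-error.log
    CustomLog /var/log/apache2/keystone-ssl-access.log combined
</VirtualHost>
```

After enabling the site, a quick check that the listener actually exists is to confirm 443 appears in the server's bound ports and that a TLS client can complete a handshake against it; a missing listener is exactly the failure Rob hit.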