[Openstack-operators] Nova-compute cannot connect to Keystone/SSL

Björn Hagemeier b.hagemeier at fz-juelich.de
Thu May 29 10:23:00 UTC 2014


Hi Alvise,

On 29.05.2014 09:07, Alvise Dorigo wrote:
>
> On 28 May 2014, at 19:38, gustavo panizzo <gfa> wrote:
>
>> On 05/28/2014 02:27 PM, Alvise Dorigo wrote:
>>
>>> 2014-05-28 19:24:35.696 10673 TRACE nova.compute.manager   File "/usr/lib/python2.6/site-packages/neutronclient/client.py", line 148, in _cs_request
>>> 2014-05-28 19:24:35.696 10673 TRACE nova.compute.manager     raise exceptions.SslCertificateValidationError(reason=e)
>>> 2014-05-28 19:24:35.696 10673 TRACE nova.compute.manager SslCertificateValidationError: SSL certificate validation has failed: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>> 2014-05-28 19:24:35.696 10673 TRACE nova.compute.manager
>>
>> Is your CA certificate imported? Do you 'trust' your nova cert? In
>> Debian that would mean adding it to /etc/ssl/certs.
>>
>
> Hi Gustavo,
> I’ve copied my CA cert.pem in that directory (I’m running on CentOS 6.5), but it doesn’t seem to cure the problem.
> I wonder if I’ve to add some particular parameter in /etc/nova/nova.conf, as I did for glance and other services: cafile, which is not documented.
>
Simply copying the certificate there will not be sufficient. You'll need
to store it under the hashed DN. That's what all the .0 files are there
for. This short howto may help you achieve this:
http://ten-fingers-and-a-brain.com/2011/02/add-startssl-to-trusted-ca-store-in-openssl/


Cheers,
Björn

> 	A.


-- 
+---------------------------------+-----------------------------------+
| Björn Hagemeier                 | Telefon:       +49 2461 316 44 66 |
| Urban-Lützeler-Str. 20          | Mobil:         +49  172 978 57 44 |
|                                 | E-Mail:     bjoern at b-hagemeier.de |
|                                 | Homepage:      www.b-hagemeier.de |
| 52428 Jülich-Koslar             | Skype:                 bhagemeier |
+---------------------------------+-----------------------------------+
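
What "stored under the hashed DN" means in practice, as an added example that is not part of the original message: OpenSSL finds a CA in a certificate directory through a file named `<subject-hash>.0`, so this sketch creates that link and checks the result with `openssl verify -CApath`. The function names and the throwaway self-signed CA are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: function names and the throwaway CA are illustrative.

# trusted_via_capath CERT DIR: true only if OpenSSL can verify CERT using
# the hashed certificate directory DIR.
trusted_via_capath() {
    local out
    out=$(openssl verify -CApath "$2" "$1" 2>&1) || true
    case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# install_ca_hashed CA_PEM DIR: copy CA_PEM into DIR and create the
# <subject-hash>.N symlink that OpenSSL looks up. Prints the link name.
install_ca_hashed() {
    local cert="$1" dir="$2" name hash fp other n=0
    name=$(basename "$cert")
    hash=$(openssl x509 -noout -hash -in "$cert") || return 1  # not a cert
    fp=$(openssl x509 -noout -fingerprint -sha256 -in "$cert") || return 1
    mkdir -p "$dir" && cp "$cert" "$dir/$name" || return 1
    # .0 is the first slot. A different CA with the same subject hash gets
    # .1, .2, ...; re-running for the same certificate reuses its link.
    while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
        other=$(openssl x509 -noout -fingerprint -sha256 \
            -in "$dir/$hash.$n" 2>/dev/null) || other=""
        if [ "$other" = "$fp" ]; then echo "$hash.$n"; return 0; fi
        n=$((n + 1))
    done
    ln -s "$name" "$dir/$hash.$n" && echo "$hash.$n"
}

# demo: build a throwaway self-signed CA (constructed sample input), show
# that a plain copy is not trusted, then that the hashed link is.
demo() {
    local tmp link rc=0
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Example CA" \
        -keyout "$tmp/ca.key" -out "$tmp/ca.pem" 2>/dev/null || return 1
    mkdir "$tmp/certs" && cp "$tmp/ca.pem" "$tmp/certs/ca.pem"
    if trusted_via_capath "$tmp/ca.pem" "$tmp/certs"; then rc=1; fi
    link=$(install_ca_hashed "$tmp/ca.pem" "$tmp/certs") || rc=1
    trusted_via_capath "$tmp/ca.pem" "$tmp/certs" || rc=1
    echo "linked as ${link:-none}, result=$rc"
    rm -rf "$tmp"
    return $rc
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run the script with `--demo` to see the before and after; to install a real CA, call `install_ca_hashed` with the CA file and the certificate directory the client actually reads.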

