[Openstack-operators] Nova-compute cannot connect to Keystone/SSL
Alvise Dorigo
alvise.dorigo at pd.infn.it
Fri May 30 06:59:17 UTC 2014
Hi Bjorn
thanks for the suggestion. It still doesn't work, but I've found the reason.
First of all, I do not need the end user to communicate with the services
glance/nova/neutron/cinder over SSL; I just need the services themselves
to listen on plain HTTP. What I need is that the services can talk to
Keystone/SSL (so SSL activated only for the Keystone component).
What was missing was the parameter:
neutron_ca_certificates_file = /etc/grid-security/certificates/INFN-CA-2006.pem
Cheers,
A.
On 05/29/2014 12:23 PM, Björn Hagemeier wrote:
> Hi Alvise,
>
> On 29.05.2014 09:07, Alvise Dorigo wrote :
>>
>> On 28 May 2014, at 19:38, gustavo panizzo <gfa> wrote:
>>
>>> On 05/28/2014 02:27 PM, Alvise Dorigo wrote:
>>>
>>>> 2014-05-28 19:24:35.696 10673 TRACE nova.compute.manager File
>>>> "/usr/lib/python2.6/site-packages/neutronclient/client.py", line
>>>> 148, in _cs_request
>>>> 2014-05-28 19:24:35.696 10673 TRACE nova.compute.manager raise
>>>> exceptions.SslCertificateValidationError(reason=e)
>>>> 2014-05-28 19:24:35.696 10673 TRACE nova.compute.manager
>>>> SslCertificateValidationError: SSL certificate validation has
>>>> failed: [Errno 1] _ssl.c:492: error:14090086:SSL
>>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>> 2014-05-28 19:24:35.696 10673 TRACE nova.compute.manager
>>>
>>> is your CA certificate imported, do you 'trust' your nova cert? in
>>> debian that would mean add it to /etc/ssl/certs
>>>
>>
>> Hi Gustavo,
>> I've copied my CA cert.pem in that directory (I'm running on CentOS
>> 6.5), but it doesn't seem to cure the problem.
>> I wonder if I've to add some particular parameter in
>> /etc/nova/nova.conf, as I did for glance and other services: cafile,
>> which is not documented.
>>
> simply copying the certificate there will not be sufficient. You'll
> need to store it under the hashed DN. That's what all the .0 files are
> there for. This short howto may help you achieve this:
> http://ten-fingers-and-a-brain.com/2011/02/add-startssl-to-trusted-ca-store-in-openssl/
>
>
> Cheers,
> Björn
>
>> A.
>> _______________________________________________
>> OpenStack-operators mailing list
>> OpenStack-operators at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>
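
The hashed-DN layout Björn describes in the quoted reply, as an added example that is not part of the thread: an OpenSSL CApath directory is searched by subject hash, so a CA file is only found when it is named `<hash>.0`. The CA, the temporary directory and the function names below are constructed for the demonstration.

```shell
# Added example: uses a constructed throwaway CA, not the CA from the thread.

# Create a self-signed test CA certificate at $1/ca.pem.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}

# Install CA cert $1 into CApath directory $2 as <subject-hash>.<n>.
# Prints the file name that was used.
install_ca() {
    hash=$(openssl x509 -noout -hash -in "$1") || return 1
    n=0
    while [ -e "$2/$hash.$n" ]; do
        # The same certificate is already installed: nothing to do.
        if cmp -s "$1" "$2/$hash.$n"; then echo "$hash.$n"; return 0; fi
        n=$((n + 1))   # a different cert with the same hash takes the next slot
    done
    cp "$1" "$2/$hash.$n" && echo "$hash.$n"
}

# Succeeds only if cert $1 chains to a CA that OpenSSL finds via CApath $2.
verify_with_capath() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Compare a plain copy (cert.pem) with the hashed name in the same directory.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/certs"
    make_test_ca "$work" || { rm -rf "$work"; return 1; }
    cp "$work/ca.pem" "$work/certs/cert.pem"      # plain copy only
    if verify_with_capath "$work/ca.pem" "$work/certs"
    then before=trusted; else before=untrusted; fi
    name=$(install_ca "$work/ca.pem" "$work/certs")
    if verify_with_capath "$work/ca.pem" "$work/certs"
    then after=trusted; else after=untrusted; fi
    rm -rf "$work"
    echo "plain copy: $before; as $name: $after"
}

demo
```

Clients that read a single bundle file instead of a CApath directory, such as the `neutron_ca_certificates_file` setting that resolved this thread, need the PEM path itself and are not affected by the hashed names.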