[Openstack-operators] How to configure keystone to use SSL

Mohammed Naser mnaser at vexxhost.com
Thu Sep 22 13:16:57 UTC 2016


I'm fairly sure the parameters under [ssl] are only for using the
deprecated eventlet server.  You'll need to add your SSL configuration
to the Apache VirtualHost in order to be able to get access to SSL.

Good luck!

On Wed, Sep 21, 2016 at 11:14 PM, zhangjian
<zhangjian2011 at cn.fujitsu.com> wrote:
> Hi, all
>
>
> I have a Mitaka environment created by Packstack, and I tried to configure
> Keystone to use SSL, but failed. Can anyone help me?
> # keystone is a wsgi service now.
>
>
> The configuration steps are as follows:
> ===============
> # keystone-manage ssl_setup --keystone-user keystone --keystone-group
> keystone
> # chown -R keystone:keystone /etc/keystone/ssl
> # keystone endpoint-create --service keystone --region RegionOne --publicurl
> https://{FQDN}:5000/v2.0 --internalurl https://{FQDN}:5000/v2.0 --adminurl
> https://{FQDN}:35357/v2.0
> # cat /etc/keystone/keystone.conf
>   ... ...
>   [ssl]
>   enable=True
>   certfile = /etc/keystone/ssl/certs/keystone.pem
>   keyfile = /etc/keystone/ssl/private/keystonekey.pem
>   ca_certs = /etc/keystone/ssl/certs/ca.pem
>   ca_key = /etc/keystone/ssl/private/cakey.pem
>
> # cat keystonerc_admin
> ... ...
> export OS_AUTH_URL=https://FQDN:5000/v2.0
>
>
> # keystone endpoint-delete Old_Endpoint_For_Keystone
> Unable to delete endpoint.
>
>
> # systemctl restart httpd
> # source keystonerc_admin
>
> # openstack project list
> Discovering versions from the identity service failed when creating the
> password plugin. Attempting to determine version from URL.
> SSL exception connecting to https://FQDN:5000/v2.0/tokens: [SSL:
> UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:765)
> ===============
>
> Regards,
> Kenn
>
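
Added example, not part of the original thread: a small Python probe that tells a TLS listener apart from one still answering plain HTTP, which is the situation in which a client pointed at an `https://` URL fails the handshake with errors such as `UNKNOWN_PROTOCOL`. The function names and the loopback stub server are constructed for the demonstration.

```python
import socket
import ssl
import threading

def classify_listener(host, port, timeout=3.0):
    """Return 'tls', 'plaintext-http', 'unknown' or 'unreachable'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # protocol probe only; trust is not evaluated
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host):
            return "tls"
    except OSError:  # includes ssl.SSLError: the peer did not answer with TLS
        pass
    # Handshake failed; check whether the same port answers plain HTTP.
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\n\r\n")
            return "plaintext-http" if s.recv(16).startswith(b"HTTP/") else "unknown"
    except OSError:
        return "unknown"

def start_plain_http_stub():
    """Constructed stand-in for a listener without TLS: it replies to any
    bytes, including a TLS ClientHello, with a plaintext HTTP 400."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral loopback port
    srv.listen(5)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                with conn:
                    conn.recv(4096)
                    conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
            except OSError:
                if srv.fileno() == -1:  # listener was closed
                    return
    threading.Thread(target=serve, daemon=True).start()
    return srv

if __name__ == "__main__":
    stub = start_plain_http_stub()
    print(classify_listener("127.0.0.1", stub.getsockname()[1]))
```

Pointed at the Keystone ports from the post (5000 and 35357) on your own host, a result of `plaintext-http` means the listener on that port is not terminating TLS.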


