[Openstack] Glance Image list not working after Keystone SSL setup

Yaguang Tang heut2008 at gmail.com
Tue Apr 15 02:09:21 UTC 2014


Devendra,

Please try add auth_version=2.0 to the keystone_authtoken section on both
nova and neutron conf file. there is a bug may affect you.
referred to
https://ask.openstack.org/en/question/8235/havana-neutron-unauthorized-authentication-required/


2014-04-14 22:35 GMT+08:00 Devendra Gupta <dev29aug at gmail.com>:

> Thank you Yaguang.
>
> Now glance image-list is working fine with adding
> "insecure=True" to glance-api.conf and glance-register.conf below
> keystone_authtoken section. I'll also try the approach suggested by
> Rob for adding cafile path.
>
> I also set "insecure=True" for nova and neutron. Nova is working fine
> with SSL enabled keystone but neutron is still having weird issue. I
> am doing Google around it and I see lots of bugs related to the issue
> but nothing is clear if it's a bug or config issue, I am trying some
> workarounds but nothing seems working. When I try to do "neutron
> net-list", I can see error as "Authentication required"
>
> /etc/neutron/server.log shows following lines when net-list command is
> executed:
>
> 2014-04-15 03:50:34.947 24843 INFO urllib3.connectionpool [-] Starting
> new HTTPS connection (1): openstack-centos65
> 2014-04-15 03:50:35.045 24843 WARNING
> keystoneclient.middleware.auth_token [-] Verify error: Command
> 'openssl' returned non-zero exit status 4
> 2014-04-15 03:50:35.048 24843 WARNING
> keystoneclient.middleware.auth_token [-] Authorization failed for
> token 19ecd7820e37141d83f5ff7339da6656
> 2014-04-15 03:50:35.050 24843 INFO
> keystoneclient.middleware.auth_token [-] Invalid user token -
> rejecting request
>
> Neutron net-list --verbose output is attached. Please let me know your
> inputs.
>
> Regards,
> Devendra Gupta
>
>
> On Mon, Apr 14, 2014 at 11:27 AM, Yaguang Tang <heut2008 at gmail.com> wrote:
>
>> I think you should add insecure=True to glance-api.conf and
>> glance-register.conf below keystone_authtoken section.
>>
>>
>> 2014-04-14 12:45 GMT+08:00 Devendra Gupta <dev29aug at gmail.com>:
>>
>> Ok Yelu, I am trying this, though glance image-list was working fine
>>> before configuring keystone to SSL. BTW please also see the SSL error I saw
>>> in glance api.log
>>>
>>> 2014-04-14 18:08:37.011 1989 INFO urllib3.connectionpool [-] Starting
>>> new HTTPS connection (1): openstack-centos65
>>> 2014-04-14 18:08:37.039 1989 WARNING
>>> keystoneclient.middleware.auth_token [-] Retrying on HTTP connection
>>> exception: [Errno 1] _ssl.c:492: error:14090086:SSL
>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>> 2014-04-14 18:08:39.041 1989 INFO urllib3.connectionpool [-] Starting
>>> new HTTPS connection (1): openstack-centos65
>>> 2014-04-14 18:08:39.069 1989 ERROR keystoneclient.middleware.auth_token
>>> [-] HTTP connection exception: [Errno 1] _ssl.c:492: error:14090086:SSL
>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>> 2014-04-14 18:08:39.069 1989 WARNING
>>> keystoneclient.middleware.auth_token [-] Authorization failed for token
>>> 123aa9518c869b95c2d75ab49f12c139
>>> 2014-04-14 18:08:39.070 1989 INFO keystoneclient.middleware.auth_token
>>> [-] Invalid user token - deferring reject downstream
>>>
>>> Regards,
>>> Devendra
>>>
>>> On Mon, Apr 14, 2014 at 8:38 AM, Yelu <yeluaiesec at gmail.com> wrote:
>>>
>>>> you can curl by using your username and password
>>>>
>>>> --os-username XX --os-password XX
>>>>
>>>> and check your conf here
>>>> are they correct
>>>> [image: Inline image 1]
>>>>
>>>>
>>>>
>>>>
>>>> On Sun, Apr 13, 2014 at 7:52 PM, Devendra Gupta <dev29aug at gmail.com>wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have configured keystone to SSL and also update the endpoint in
>>>>> service catalog. Keystone operations like endpoint/tenant list working
>>>>> fine. I also update glance-api.conf and glance-registry.conf files
>>>>> with ssl enabled keystone details but still glance is unable to find
>>>>> images. It fails with following:
>>>>>
>>>>> [root at openstack-centos65 glance(keystone_admin)]# glance --insecure
>>>>> image-list
>>>>> Request returned failure status.
>>>>> Invalid OpenStack Identity credentials.
>>>>>
>>>>> Please see attached keystone.conf, glance-api.conf and
>>>>> glance-registry.conf and debug output of glance image-list and
>>>>> endpoint list.
>>>>>
>>>>> Regards,
>>>>> Devendra
>>>>>
>>>>> _______________________________________________
>>>>> Mailing list:
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>> Post to     : openstack at lists.openstack.org
>>>>> Unsubscribe :
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>>
>>>>>
>>>>
>>>
>>> _______________________________________________
>>> Mailing list:
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>> Post to     : openstack at lists.openstack.org
>>> Unsubscribe :
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>
>>>
>>
>>
>> --
>> Tang Yaguang
>>
>> Canonical Ltd. | www.ubuntu.com | www.canonical.com
>> Mobile:  +86 152 1094 6968
>> gpg key: 0x187F664F
>>
>>
>
>


-- 
Tang Yaguang

Canonical Ltd. | www.ubuntu.com | www.canonical.com
Mobile:  +86 152 1094 6968
gpg key: 0x187F664F
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140415/be9c7bcc/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 25108 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140415/be9c7bcc/attachment.png>


More information about the Openstack mailing list