[Openstack] Glance Image list not working after Keystone SSL setup

Devendra Gupta dev29aug at gmail.com
Tue Apr 15 02:53:45 UTC 2014


Hi Yaguang,

I already tried it but still facing the same issue. I
added auth_version=2.0 to the keystone_authtoken section on both nova and
neutron conf file and then restarted all nova and neutron services. I see
exact same error in the logs as mentioned in my previous mail.

Devendra


On Tue, Apr 15, 2014 at 7:39 AM, Yaguang Tang <heut2008 at gmail.com> wrote:

> Devendra,
>
> Please try add auth_version=2.0 to the keystone_authtoken section on both
> nova and neutron conf file. there is a bug may affect you.
> referred to
> https://ask.openstack.org/en/question/8235/havana-neutron-unauthorized-authentication-required/
>
>
> 2014-04-14 22:35 GMT+08:00 Devendra Gupta <dev29aug at gmail.com>:
>
> Thank you Yaguang.
>>
>> Now glance image-list is working fine with adding
>> "insecure=True" to glance-api.conf and glance-register.conf below
>> keystone_authtoken section. I'll also try the approach suggested by
>> Rob for adding cafile path.
>>
>> I also set "insecure=True" for nova and neutron. Nova is working fine
>> with SSL enabled keystone but neutron is still having weird issue. I
>> am doing Google around it and I see lots of bugs related to the issue
>> but nothing is clear if it's a bug or config issue, I am trying some
>> workarounds but nothing seems working. When I try to do "neutron
>> net-list", I can see error as "Authentication required"
>>
>> /etc/neutron/server.log shows following lines when net-list command is
>> executed:
>>
>> 2014-04-15 03:50:34.947 24843 INFO urllib3.connectionpool [-] Starting
>>  new HTTPS connection (1): openstack-centos65
>> 2014-04-15 03:50:35.045 24843 WARNING
>> keystoneclient.middleware.auth_token [-] Verify error: Command
>> 'openssl' returned non-zero exit status 4
>> 2014-04-15 03:50:35.048 24843 WARNING
>> keystoneclient.middleware.auth_token [-] Authorization failed for
>> token 19ecd7820e37141d83f5ff7339da6656
>> 2014-04-15 03:50:35.050 24843 INFO
>>  keystoneclient.middleware.auth_token [-] Invalid user token -
>> rejecting request
>>
>> Neutron net-list --verbose output is attached. Please let me know your
>> inputs.
>>
>> Regards,
>> Devendra Gupta
>>
>>
>> On Mon, Apr 14, 2014 at 11:27 AM, Yaguang Tang <heut2008 at gmail.com>wrote:
>>
>>> I think you should add insecure=True to glance-api.conf and
>>> glance-register.conf below keystone_authtoken section.
>>>
>>>
>>> 2014-04-14 12:45 GMT+08:00 Devendra Gupta <dev29aug at gmail.com>:
>>>
>>> Ok Yelu, I am trying this, though glance image-list was working fine
>>>> before configuring keystone to SSL. BTW please also see the SSL error I saw
>>>> in glance api.log
>>>>
>>>> 2014-04-14 18:08:37.011 1989 INFO urllib3.connectionpool [-] Starting
>>>> new HTTPS connection (1): openstack-centos65
>>>> 2014-04-14 18:08:37.039 1989 WARNING
>>>> keystoneclient.middleware.auth_token [-] Retrying on HTTP connection
>>>> exception: [Errno 1] _ssl.c:492: error:14090086:SSL
>>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>> 2014-04-14 18:08:39.041 1989 INFO urllib3.connectionpool [-] Starting
>>>> new HTTPS connection (1): openstack-centos65
>>>> 2014-04-14 18:08:39.069 1989 ERROR keystoneclient.middleware.auth_token
>>>> [-] HTTP connection exception: [Errno 1] _ssl.c:492: error:14090086:SSL
>>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>> 2014-04-14 18:08:39.069 1989 WARNING
>>>> keystoneclient.middleware.auth_token [-] Authorization failed for token
>>>> 123aa9518c869b95c2d75ab49f12c139
>>>> 2014-04-14 18:08:39.070 1989 INFO keystoneclient.middleware.auth_token
>>>> [-] Invalid user token - deferring reject downstream
>>>>
>>>> Regards,
>>>> Devendra
>>>>
>>>> On Mon, Apr 14, 2014 at 8:38 AM, Yelu <yeluaiesec at gmail.com> wrote:
>>>>
>>>>> you can curl by using your username and password
>>>>>
>>>>> --os-username XX --os-password XX
>>>>>
>>>>> and check your conf here
>>>>> are they correct
>>>>> [image: Inline image 1]
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Sun, Apr 13, 2014 at 7:52 PM, Devendra Gupta <dev29aug at gmail.com>wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have configured keystone to SSL and also update the endpoint in
>>>>>> service catalog. Keystone operations like endpoint/tenant list working
>>>>>> fine. I also update glance-api.conf and glance-registry.conf files
>>>>>> with ssl enabled keystone details but still glance is unable to find
>>>>>> images. It fails with following:
>>>>>>
>>>>>> [root at openstack-centos65 glance(keystone_admin)]# glance --insecure
>>>>>> image-list
>>>>>> Request returned failure status.
>>>>>> Invalid OpenStack Identity credentials.
>>>>>>
>>>>>> Please see attached keystone.conf, glance-api.conf and
>>>>>> glance-registry.conf and debug output of glance image-list and
>>>>>> endpoint list.
>>>>>>
>>>>>> Regards,
>>>>>> Devendra
>>>>>>
>>>>>> _______________________________________________
>>>>>> Mailing list:
>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>>> Post to     : openstack at lists.openstack.org
>>>>>> Unsubscribe :
>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>>>
>>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> Mailing list:
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>> Post to     : openstack at lists.openstack.org
>>>> Unsubscribe :
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>
>>>>
>>>
>>>
>>> --
>>> Tang Yaguang
>>>
>>> Canonical Ltd. | www.ubuntu.com | www.canonical.com
>>> Mobile:  +86 152 1094 6968
>>> gpg key: 0x187F664F
>>>
>>>
>>
>>
>
>
> --
> Tang Yaguang
>
> Canonical Ltd. | www.ubuntu.com | www.canonical.com
> Mobile:  +86 152 1094 6968
> gpg key: 0x187F664F
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140415/8857c52c/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 25108 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140415/8857c52c/attachment.png>


More information about the Openstack mailing list