[Openstack] Glance Image list not working after Keystone SSL setup

Devendra Gupta dev29aug at gmail.com
Tue Apr 15 18:37:31 UTC 2014


Finally I was able to solve this issue by deleting wrong certificates from
the following path:

rm /var/lib/neutron/keystone-signing/*

Now I have a complete OpenStack environment running with SSL enabled
Keystone but all other components are running on HTTP.

I am thinking of following the same approach and using the same certs as used in
Keystone.conf to configure all other components like nova, glance, cinder,
neutron for SSL by updating the conf, registry, paste files with the cert path
and ssl_enabled to true. Please suggest if this approach has some flaws.

Regards,
Devendra

On Tue, Apr 15, 2014 at 8:23 AM, Devendra Gupta <dev29aug at gmail.com> wrote:

> Hi Yaguang,
>
> I already tried it but am still facing the same issue. I
> added auth_version=2.0 to the keystone_authtoken section in both the nova and
> neutron conf files and then restarted all nova and neutron services. I see the
> exact same error in the logs as mentioned in my previous mail.
>
> Devendra
>
>
>
> On Tue, Apr 15, 2014 at 7:39 AM, Yaguang Tang <heut2008 at gmail.com> wrote:
>
>> Devendra,
>>
>> Please try adding auth_version=2.0 to the keystone_authtoken section in both
>> the nova and neutron conf files. There is a bug that may affect you.
>> Refer to
>> https://ask.openstack.org/en/question/8235/havana-neutron-unauthorized-authentication-required/
>>
>>
>> 2014-04-14 22:35 GMT+08:00 Devendra Gupta <dev29aug at gmail.com>:
>>
>>> Thank you Yaguang.
>>>
>>> Now glance image-list is working fine after adding
>>> "insecure=True" to glance-api.conf and glance-register.conf below
>>> keystone_authtoken section. I'll also try the approach suggested by
>>> Rob for adding cafile path.
>>>
>>> I also set "insecure=True" for nova and neutron. Nova is working fine
>>> with SSL enabled keystone but neutron is still having a weird issue. I
>>> am Googling around it and I see lots of bugs related to the issue
>>> but it is not clear whether it's a bug or a config issue. I am trying some
>>> workarounds but nothing seems to be working. When I try to do "neutron
>>> net-list", I see the error "Authentication required".
>>>
>>> /etc/neutron/server.log shows the following lines when the net-list command is
>>> executed:
>>>
>>> 2014-04-15 03:50:34.947 24843 INFO urllib3.connectionpool [-] Starting
>>>  new HTTPS connection (1): openstack-centos65
>>> 2014-04-15 03:50:35.045 24843 WARNING
>>> keystoneclient.middleware.auth_token [-] Verify error: Command
>>> 'openssl' returned non-zero exit status 4
>>> 2014-04-15 03:50:35.048 24843 WARNING
>>> keystoneclient.middleware.auth_token [-] Authorization failed for
>>> token 19ecd7820e37141d83f5ff7339da6656
>>> 2014-04-15 03:50:35.050 24843 INFO
>>>  keystoneclient.middleware.auth_token [-] Invalid user token -
>>> rejecting request
>>>
>>> Neutron net-list --verbose output is attached. Please let me know your
>>> inputs.
>>>
>>> Regards,
>>> Devendra Gupta
>>>
>>>
>>> On Mon, Apr 14, 2014 at 11:27 AM, Yaguang Tang <heut2008 at gmail.com> wrote:
>>>
>>>> I think you should add insecure=True to glance-api.conf and
>>>> glance-register.conf below keystone_authtoken section.
>>>>
>>>>
>>>> 2014-04-14 12:45 GMT+08:00 Devendra Gupta <dev29aug at gmail.com>:
>>>>
>>>>> Ok Yelu, I am trying this, though glance image-list was working fine
>>>>> before configuring keystone to SSL. BTW please also see the SSL error I saw
>>>>> in glance api.log
>>>>>
>>>>> 2014-04-14 18:08:37.011 1989 INFO urllib3.connectionpool [-] Starting
>>>>> new HTTPS connection (1): openstack-centos65
>>>>> 2014-04-14 18:08:37.039 1989 WARNING
>>>>> keystoneclient.middleware.auth_token [-] Retrying on HTTP connection
>>>>> exception: [Errno 1] _ssl.c:492: error:14090086:SSL
>>>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>> 2014-04-14 18:08:39.041 1989 INFO urllib3.connectionpool [-] Starting
>>>>> new HTTPS connection (1): openstack-centos65
>>>>> 2014-04-14 18:08:39.069 1989 ERROR
>>>>> keystoneclient.middleware.auth_token [-] HTTP connection exception: [Errno
>>>>> 1] _ssl.c:492: error:14090086:SSL
>>>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>> 2014-04-14 18:08:39.069 1989 WARNING
>>>>> keystoneclient.middleware.auth_token [-] Authorization failed for token
>>>>> 123aa9518c869b95c2d75ab49f12c139
>>>>> 2014-04-14 18:08:39.070 1989 INFO keystoneclient.middleware.auth_token
>>>>> [-] Invalid user token - deferring reject downstream
>>>>>
>>>>> Regards,
>>>>> Devendra
>>>>>
>>>>> On Mon, Apr 14, 2014 at 8:38 AM, Yelu <yeluaiesec at gmail.com> wrote:
>>>>>
>>>>>> you can curl by using your username and password
>>>>>>
>>>>>> --os-username XX --os-password XX
>>>>>>
>>>>>> and check your conf here
>>>>>> are they correct
>>>>>> [image: Inline image 1]
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Sun, Apr 13, 2014 at 7:52 PM, Devendra Gupta <dev29aug at gmail.com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have configured keystone to SSL and also updated the endpoint in
>>>>>>> the service catalog. Keystone operations like endpoint/tenant list
>>>>>>> are working fine. I also updated glance-api.conf and
>>>>>>> glance-registry.conf files with ssl enabled keystone details but
>>>>>>> still glance is unable to find images. It fails with the following:
>>>>>>>
>>>>>>> [root@openstack-centos65 glance(keystone_admin)]# glance --insecure
>>>>>>> image-list
>>>>>>> Request returned failure status.
>>>>>>> Invalid OpenStack Identity credentials.
>>>>>>>
>>>>>>> Please see attached keystone.conf, glance-api.conf and
>>>>>>> glance-registry.conf and debug output of glance image-list and
>>>>>>> endpoint list.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Devendra
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Mailing list:
>>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>>>> Post to     : openstack at lists.openstack.org
>>>>>>> Unsubscribe :
>>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Tang Yaguang
>>>>
>>>> Canonical Ltd. | www.ubuntu.com | www.canonical.com
>>>> Mobile:  +86 152 1094 6968
>>>> gpg key: 0x187F664F
>>>>
>>>>
>>>
>>>
>>
>>
>> --
>> Tang Yaguang
>>
>> Canonical Ltd. | www.ubuntu.com | www.canonical.com
>> Mobile:  +86 152 1094 6968
>> gpg key: 0x187F664F
>>
>>
>
>
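
Added example, not part of the original thread and not any poster's or project's code: insecure=True in [keystone_authtoken] makes a service skip verification of Keystone's TLS certificate, while the cafile approach mentioned in the thread keeps verification on. This sketch audits service configs for those two settings; the sample configs and the cafile path are constructed placeholders.

```python
import configparser

TRUE_VALUES = {"true", "1", "yes", "on"}

# Constructed sample configs (not the poster's attached files); the cafile
# path is a hypothetical placeholder.
SAMPLE_CONFS = {
    "glance-api.conf": "[DEFAULT]\ndebug = False\n"
                       "[keystone_authtoken]\nauth_version = 2.0\ninsecure = True\n",
    "nova.conf": "[keystone_authtoken]\n"
                 "cafile = /etc/pki/example/keystone-ca.pem\n",
    "neutron.conf": "[keystone_authtoken]\nauth_version = 2.0\n",
}


def audit_authtoken(name, text):
    """Classify how one service config validates Keystone's TLS certificate."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    if not cp.has_section("keystone_authtoken"):
        return (name, "INFO", "no [keystone_authtoken] section")
    sec = cp["keystone_authtoken"]
    insecure = sec.get("insecure", "false").strip().lower() in TRUE_VALUES
    cafile = sec.get("cafile", "").strip()
    if insecure:
        # Verification is off: any certificate presented on the Keystone
        # endpoint is accepted during token validation.
        return (name, "HIGH", "insecure is set: Keystone certificate not verified")
    if not cafile:
        # A self-signed or private-CA Keystone certificate then fails with
        # "certificate verify failed", as in the glance api.log in the thread.
        return (name, "WARN", "no cafile: only the default CA bundle is trusted")
    return (name, "OK", "Keystone certificate verified against " + cafile)


def audit_all(confs):
    """Audit every (filename -> text) pair, preserving input order."""
    return [audit_authtoken(name, text) for name, text in confs.items()]


if __name__ == "__main__":
    for name, severity, message in audit_all(SAMPLE_CONFS):
        print(f"{severity:5} {name}: {message}")
```
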