[Openstack] issue when I using pki as the token provider
Li, Chen
chen.li at intel.com
Fri Mar 7 01:12:17 UTC 2014
Thanks!
But I still get an error when I run the command:
keystone user-list
Authorization Failed: Unable to sign token. (HTTP 500)
Message in /var/log/keystone/keystone.log:
2014-03-07 09:09:39.659 20794 INFO keystone.common.environment [-] Environment configured as: eventlet
2014-03-07 09:09:39.929 20794 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:35357
2014-03-07 09:09:39.930 20794 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:5000
2014-03-07 09:09:40.783 20817 INFO keystone.common.environment [-] Environment configured as: eventlet
2014-03-07 09:09:41.053 20817 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:35357
2014-03-07 09:09:41.054 20817 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:5000
2014-03-07 09:09:51.802 20817 ERROR keystone.common.cms [-] Signing error: Unable to load certificate - ensure you've configured PKI with 'keystone-manage pki_setup'
2014-03-07 09:09:51.802 20817 ERROR keystone.token.providers.pki [-] Unable to sign token
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki Traceback (most recent call last):
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/token/providers/pki.py", line 39, in _get_token_id
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki CONF.signing.keyfile)
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 144, in cms_sign_token
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki output = cms_sign_text(text, signing_cert_file_name, signing_key_file_name)
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 139, in cms_sign_text
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki raise environment.subprocess.CalledProcessError(retcode, "openssl")
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki CalledProcessError: Command 'openssl' returned non-zero exit status 3
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki
2014-03-07 09:09:51.832 20817 WARNING keystone.common.wsgi [-] Unable to sign token.
I have already run the command:
id
uid=0(root) gid=0(root) groups=0(root)
keystone-manage pki_setup --keystone-user 0 --keystone-group 0
2014-03-06 13:01:19.905 23316 INFO keystone.common.openssl [-] openssl genrsa -out /etc/keystone/ssl/certs/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
..................................................................................................................................................+++
.......................................+++
e is 65537 (0x10001)
2014-03-06 13:01:20.171 23316 INFO keystone.common.openssl [-] openssl req -new -x509 -extensions v3_ca -key /etc/keystone/ssl/certs/cakey.pem -out /etc/keystone/ssl/certs/ca.pem -days 3650 -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
2014-03-06 13:01:20.178 23316 INFO keystone.common.openssl [-] openssl genrsa -out /etc/keystone/ssl/private/signing_key.pem 2048
Generating RSA private key, 2048 bit long modulus
........+++
..+++
e is 65537 (0x10001)
2014-03-06 13:01:20.199 23316 INFO keystone.common.openssl [-] openssl req -key /etc/keystone/ssl/private/signing_key.pem -new -out /etc/keystone/ssl/certs/req.pem -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
2014-03-06 13:01:20.205 23316 INFO keystone.common.openssl [-] openssl ca -batch -out /etc/keystone/ssl/certs/signing_cert.pem -config /etc/keystone/ssl/certs/openssl.conf -days 3650d -cert /etc/keystone/ssl/certs/ca.pem -keyfile /etc/keystone/ssl/certs/cakey.pem -infiles /etc/keystone/ssl/certs/req.pem
Using configuration from /etc/keystone/ssl/certs/openssl.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :ASN.1 12:'Unset'
localityName :ASN.1 12:'Unset'
organizationName :ASN.1 12:'Unset'
commonName :ASN.1 12:'www.example.com'
Certificate is to be certified until Mar 3 05:01:20 2024 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
From: Adam Young [mailto:ayoung at redhat.com]
Sent: Friday, March 07, 2014 3:01 AM
To: openstack at lists.openstack.org
Subject: Re: [Openstack] issue when I using pki as the token provider
On 03/05/2014 08:58 PM, Li, Chen wrote:
provider = keystone.token.providers.pki
That needs to be the full path to the class.
keystone.token.providers.pki.Provider
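
Added example, not part of the original thread and not Keystone code: the log reports that the certificate could not be loaded even though pki_setup (run with user and group 0) had written the files, so one thing to check is whether the account that runs keystone-all can reach and read the signing certificate and key. The account name `keystone` and the helper names are assumptions; the two paths come from the pki_setup output above. Run it as root so every path component can be inspected.

```python
import grp
import os
import pwd

# Paths taken from the pki_setup output in the message above.
SIGNING_FILES = (
    "/etc/keystone/ssl/certs/signing_cert.pem",
    "/etc/keystone/ssl/private/signing_key.pem",
)


def _allowed(st, uid, gids, want):
    """Apply owner/group/other mode bits of one stat result (ACLs are ignored)."""
    if uid == 0:
        return True  # root bypasses read and directory-search checks
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((st.st_mode >> shift) & want)


def first_blocker(path, uid, gids, top="/"):
    """Return the first component from `top` down to `path` that blocks `uid`.

    Directories need search (x), the file itself needs read (r). A missing
    or un-stat-able component is reported as the blocker. None means readable.
    """
    path, top = os.path.abspath(path), os.path.abspath(top)
    chain = [top]
    for part in os.path.relpath(path, top).split(os.sep):
        chain.append(os.path.join(chain[-1], part))
    for component in chain:
        want = 4 if component == path else 1
        try:
            st = os.stat(component)
        except OSError:
            return component
        if not _allowed(st, uid, gids, want):
            return component
    return None


def check_signing_files(user="keystone", files=SIGNING_FILES):
    """Map each signing file to its blocking component (None when readable)."""
    pw = pwd.getpwnam(user)  # assumption: name of the service account
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return {f: first_blocker(f, pw.pw_uid, gids) for f in files}
```

Calling `check_signing_files()` returns, for each file, either None or the directory or file whose mode bits stop the service account; a private key should stay unreadable to everyone except that account.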