[Openstack] issue when I using pki as the token provider

Li, Chen chen.li at intel.com
Fri Mar 7 01:12:17 UTC 2014


Thanks !

But I still get an error when I run the command:
keystone user-list
Authorization Failed: Unable to sign token. (HTTP 500)

Message in /var/log/keystone/keystone.log:
2014-03-07 09:09:39.659 20794 INFO keystone.common.environment [-] Environment configured as: eventlet
2014-03-07 09:09:39.929 20794 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:35357
2014-03-07 09:09:39.930 20794 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:5000
2014-03-07 09:09:40.783 20817 INFO keystone.common.environment [-] Environment configured as: eventlet
2014-03-07 09:09:41.053 20817 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:35357
2014-03-07 09:09:41.054 20817 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:5000
2014-03-07 09:09:51.802 20817 ERROR keystone.common.cms [-] Signing error: Unable to load certificate - ensure you've configured PKI with 'keystone-manage pki_setup'
2014-03-07 09:09:51.802 20817 ERROR keystone.token.providers.pki [-] Unable to sign token
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki Traceback (most recent call last):
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki   File "/usr/lib/python2.6/site-packages/keystone/token/providers/pki.py", line 39, in _get_token_id
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki     CONF.signing.keyfile)
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki   File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 144, in cms_sign_token
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki     output = cms_sign_text(text, signing_cert_file_name, signing_key_file_name)
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki   File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 139, in cms_sign_text
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki     raise environment.subprocess.CalledProcessError(retcode, "openssl")
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki CalledProcessError: Command 'openssl' returned non-zero exit status 3
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki
2014-03-07 09:09:51.832 20817 WARNING keystone.common.wsgi [-] Unable to sign token.

I already ran the command:

id
uid=0(root) gid=0(root) groups=0(root)

keystone-manage pki_setup  --keystone-user 0 --keystone-group 0

2014-03-06 13:01:19.905 23316 INFO keystone.common.openssl [-] openssl genrsa -out /etc/keystone/ssl/certs/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
..................................................................................................................................................+++
.......................................+++
e is 65537 (0x10001)
2014-03-06 13:01:20.171 23316 INFO keystone.common.openssl [-] openssl req -new -x509 -extensions v3_ca -key /etc/keystone/ssl/certs/cakey.pem -out /etc/keystone/ssl/certs/ca.pem -days 3650 -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
2014-03-06 13:01:20.178 23316 INFO keystone.common.openssl [-] openssl genrsa -out /etc/keystone/ssl/private/signing_key.pem 2048
Generating RSA private key, 2048 bit long modulus
........+++
..+++
e is 65537 (0x10001)
2014-03-06 13:01:20.199 23316 INFO keystone.common.openssl [-] openssl req -key /etc/keystone/ssl/private/signing_key.pem -new -out /etc/keystone/ssl/certs/req.pem -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
2014-03-06 13:01:20.205 23316 INFO keystone.common.openssl [-] openssl ca -batch -out /etc/keystone/ssl/certs/signing_cert.pem -config /etc/keystone/ssl/certs/openssl.conf -days 3650d -cert /etc/keystone/ssl/certs/ca.pem -keyfile /etc/keystone/ssl/certs/cakey.pem -infiles /etc/keystone/ssl/certs/req.pem
Using configuration from /etc/keystone/ssl/certs/openssl.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :ASN.1 12:'Unset'
localityName          :ASN.1 12:'Unset'
organizationName      :ASN.1 12:'Unset'
commonName            :ASN.1 12:'www.example.com'
Certificate is to be certified until Mar  3 05:01:20 2024 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated



From: Adam Young [mailto:ayoung at redhat.com]
Sent: Friday, March 07, 2014 3:01 AM
To: openstack at lists.openstack.org
Subject: Re: [Openstack] issue when I using pki as the token provider

On 03/05/2014 08:58 PM, Li, Chen wrote:
> provider = keystone.token.providers.pki
That needs to be the full path to the class.

 keystone.token.providers.pki.Provider
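
A check for the "Unable to load certificate" error in the log above, added here as an example (it is not code from this thread or from Keystone): it reads the `[signing]` `certfile` and `keyfile` options from keystone.conf text and reports whether a given account can reach and read those files, going by mode bits. The function names and the `uid`/`gids` parameters are this example's own; run it as root so `stat()` is not blocked, and pass the uid and gids of the account the Keystone service runs as.

```python
import configparser
import os
import stat

# Paths pki_setup wrote in the log above; used when keystone.conf sets no override.
DEFAULTS = {
    "certfile": "/etc/keystone/ssl/certs/signing_cert.pem",
    "keyfile": "/etc/keystone/ssl/private/signing_key.pem",
}

def _allowed(st, uid, gids, owner_bit, group_bit, other_bit):
    """POSIX class check (owner, else group, else other); mode bits only, no ACLs."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)

def _parents(path):
    """Yield every directory from the file's own directory up to the root."""
    d = os.path.dirname(os.path.abspath(path))
    while True:
        yield d
        if d == os.path.dirname(d):
            return
        d = os.path.dirname(d)

def check_signing_files(conf_text, uid, gids):
    """Return {option: problem} for [signing] files the account cannot use."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(conf_text)
    problems = {}
    for opt, default in DEFAULTS.items():
        path = cp.get("signing", opt, fallback=default)
        if not os.path.isfile(path):
            problems[opt] = "missing: " + path
            continue
        blocked = [d for d in _parents(path) if not _allowed(
            os.stat(d), uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)]
        st = os.stat(path)
        if blocked:
            problems[opt] = "no search permission on " + blocked[-1]
        elif not _allowed(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
            problems[opt] = "not readable by uid %d: %s" % (uid, path)
        elif opt == "keyfile" and st.st_mode & stat.S_IROTH:
            problems[opt] = "private key is world-readable: " + path
    return problems
```

An empty result means the configured certificate and key are reachable and readable for that account, and the key is not world-readable.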