[Openstack] issue when I using pki as the token provider

Li, Chen chen.li at intel.com
Fri Mar 7 04:55:17 UTC 2014


Keystone can't start.......

Error in /var/log/keystone/keystone.log:

2014-03-07 12:50:32.808 28240 INFO keystone.common.environment [-] Environment configured as: eventlet
2014-03-07 12:50:32.983 28240 CRITICAL keystone [-] cannot import name exceptions

Files:

/etc/keystone/ssl/certs
-rw-r--r-- 1 keystone keystone 4251 Mar  6 13:01 01.pem
-rw-r----- 1 keystone keystone 1679 Mar  6 13:01 cakey.pem
-rw-r--r-- 1 keystone keystone 1277 Mar  6 13:01 ca.pem
-rw-r----- 1 keystone keystone   70 Mar  6 13:01 index.txt
-rw-r--r-- 1 keystone keystone   20 Mar  6 13:01 index.txt.attr
-rw-r----- 1 keystone keystone    0 Mar  6 13:01 index.txt.old
-rw-r----- 1 keystone keystone 1920 Mar  6 13:01 openssl.conf
-rw-r--r-- 1 keystone keystone 1037 Mar  6 13:01 req.pem
-rw-r----- 1 keystone keystone    3 Mar  6 13:01 serial
-rw-r----- 1 keystone keystone    2 Mar  6 13:01 serial.old
-rw-r--r-- 1 keystone keystone 4251 Mar  6 13:01 signing_cert.pem

/etc/keystone/ssl/private
-rw-r----- 1 keystone keystone 1675 Mar  6 13:01 signing_key.pem

/etc/keystone/keystone.conf:

[DEFAULT]

[sql]
connection = mysql://keystone:keystone@host-db/keystone

[identity]

[credential]

[trust]

[os_inherit]

[catalog]
driver = keystone.catalog.backends.sql.Catalog

[endpoint_filter]

[token]
driver = keystone.token.backends.memcache.Token
provider = keystone.token.providers.pki.Provider

[cache]

[policy]

[ec2]

[assignment]

[oauth1]

[ssl]

[signing]
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
ca_key= /etc/keystone/ssl/certs/cakey.pem

[ldap]

[auth]
methods = external,password,token,oauth1
password = keystone.auth.plugins.password.Password
token = keystone.auth.plugins.token.Token
oauth1 = keystone.auth.plugins.oauth1.OAuth

[paste_deploy]


From: Ali, Haneef [mailto:haneef.ali at hp.com]
Sent: Friday, March 07, 2014 12:31 PM
To: Li, Chen; openstack at lists.openstack.org
Subject: RE: [Openstack] issue when I using pki as the token provider

Certs in the [ssl] section will be used to configure keystone to use https instead of http. PKI token configurations are under [signing]


[signing]

#certfile = /etc/keystone/pki/certs/signing_cert.pem
#keyfile = /etc/keystone/pki/private/signing_key.pem
#ca_certs = /etc/keystone/pki/certs/cacert.pem

Do you have those files at that location? I don't think so.

If you look at the output below from keystone-manage pki_setup , it has generated those files at

/etc/keystone/ssl/private/signing_key.pem
/etc/keystone/ssl/certs/signing_cert.pem

Thanks
Haneef

Links are

1) https://ask.openstack.org/en/question/24911/issue-when-i-using-pki-for-token-format/

2) https://ask.openstack.org/en/question/24909/issue-when-i-using-pki-as-the-token-provider/




From: Li, Chen [mailto:chen.li at intel.com]
Sent: Thursday, March 06, 2014 8:18 PM
To: Ali, Haneef; openstack at lists.openstack.org<mailto:openstack at lists.openstack.org>
Subject: RE: [Openstack] issue when I using pki as the token provider

Can you send me the link at ask.openstack.org where you have replied?

Also,

There are two places that have these files, [ssl] and [signing]; which one should I use?


Thanks.
-chen


[ssl]

#enable = True
#certfile = /etc/keystone/pki/certs/ssl_cert.pem
#keyfile = /etc/keystone/pki/private/ssl_key.pem
#ca_certs = /etc/keystone/pki/certs/cacert.pem
#ca_key = /etc/keystone/pki/private/cakey.pem
#key_size = 1024
#valid_days = 3650
#cert_required = False
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost

And

[signing]
# Deprecated in favor of provider in the [token] section
# Allowed values are PKI or UUID
#token_format =
# token_format = UUID
# token_format = PKI

#certfile = /etc/keystone/pki/certs/signing_cert.pem
#keyfile = /etc/keystone/pki/private/signing_key.pem
#ca_certs = /etc/keystone/pki/certs/cacert.pem
#ca_key = /etc/keystone/pki/private/cakey.pem
#key_size = 2048
#valid_days = 3650
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com


From: Ali, Haneef [mailto:haneef.ali at hp.com]
Sent: Friday, March 07, 2014 12:10 PM
To: Li, Chen; openstack at lists.openstack.org<mailto:openstack at lists.openstack.org>
Subject: RE: [Openstack] issue when I using pki as the token provider

[signing]

#certfile = /etc/keystone/ssl/certs/signing_cert.pem
#keyfile = /etc/keystone/ssl/private/signing_key.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem

These are the default configuration file locations. keystone-manage pki_setup would have generated those files at that location. Check whether the files are there in that location; if not, adjust the config settings to the correct path. Also make sure those files are readable by the keystone process.

Thanks
Haneef

PS:  You can also look at your question at ask.openstack.org where I have replied
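As an added example (not code from this thread or from Keystone), the check Haneef recommends, scripted: read the [signing] options from keystone.conf and report whether each file exists and is readable by the uid/gid the keystone process runs as. The fixture directory, its placeholder PEM contents and the uid/gid 65534 used as the "unrelated account" are constructed for the demo.

```python
# Added example, not code from the thread or from Keystone: verify that the
# files in keystone.conf's [signing] section are readable by the service uid/gid.
import configparser
import os
import stat
import tempfile

SIGNING_OPTIONS = ("certfile", "keyfile", "ca_certs")

def signing_paths(conf_text):
    """Return {option: path} for the [signing] options that are set."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {o: cp.get("signing", o) for o in SIGNING_OPTIONS if cp.has_option("signing", o)}

def readable_by(path, uid, gid):
    """Decide from owner and mode bits whether a process with uid/gid can read path."""
    try:
        st = os.stat(path)
    except OSError:
        return False          # missing file: the 'Unable to load certificate' failure
    if uid == 0:
        return True           # root bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def check_signing_files(conf_text, uid, gid):
    """Map each configured [signing] option to (path, readable)."""
    return {o: (p, readable_by(p, uid, gid)) for o, p in signing_paths(conf_text).items()}

def make_fixture(root):
    """Constructed stand-in for /etc/keystone/ssl, with the modes from the listing in the thread."""
    modes = {"certs/signing_cert.pem": 0o644, "private/signing_key.pem": 0o640, "certs/ca.pem": 0o644}
    for rel, mode in modes.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed placeholder, not a real PEM\n")
        os.chmod(path, mode)
    return ("[DEFAULT]\n[token]\nprovider = keystone.token.providers.pki.Provider\n[signing]\n"
            "certfile = {r}/certs/signing_cert.pem\nkeyfile = {r}/private/signing_key.pem\n"
            "ca_certs = {r}/certs/ca.pem\n").format(r=root)

def demo():
    """Check as the owning account and as an unrelated one (uid/gid 65534, a constructed choice)."""
    conf = make_fixture(tempfile.mkdtemp())
    return check_signing_files(conf, os.getuid(), os.getgid()), check_signing_files(conf, 65534, 65534)
```

Only the file's own owner and mode bits are examined, not directory traversal or ACLs, so a True result is necessary but not sufficient; the 0640 signing_key.pem in the listing is the one that an unrelated account cannot read.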


From: Li, Chen [mailto:chen.li at intel.com]
Sent: Thursday, March 06, 2014 5:12 PM
To: Adam Young; openstack at lists.openstack.org<mailto:openstack at lists.openstack.org>
Subject: Re: [Openstack] issue when I using pki as the token provider

Thanks !

But I still get an error when I run the command:
keystone user-list
Authorization Failed: Unable to sign token. (HTTP 500)

Message in /var/log/keystone/keystone.log:
2014-03-07 09:09:39.659 20794 INFO keystone.common.environment [-] Environment configured as: eventlet
2014-03-07 09:09:39.929 20794 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:35357
2014-03-07 09:09:39.930 20794 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:5000
2014-03-07 09:09:40.783 20817 INFO keystone.common.environment [-] Environment configured as: eventlet
2014-03-07 09:09:41.053 20817 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:35357
2014-03-07 09:09:41.054 20817 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:5000
2014-03-07 09:09:51.802 20817 ERROR keystone.common.cms [-] Signing error: Unable to load certificate - ensure you've configured PKI with 'keystone-manage pki_setup'
2014-03-07 09:09:51.802 20817 ERROR keystone.token.providers.pki [-] Unable to sign token
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki Traceback (most recent call last):
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki   File "/usr/lib/python2.6/site-packages/keystone/token/providers/pki.py", line 39, in _get_token_id
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki     CONF.signing.keyfile)
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki   File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 144, in cms_sign_token
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki     output = cms_sign_text(text, signing_cert_file_name, signing_key_file_name)
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki   File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 139, in cms_sign_text
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki     raise environment.subprocess.CalledProcessError(retcode, "openssl")
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki CalledProcessError: Command 'openssl' returned non-zero exit status 3
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki
2014-03-07 09:09:51.832 20817 WARNING keystone.common.wsgi [-] Unable to sign token.

I already ran the command:

id
uid=0(root) gid=0(root) groups=0(root)

keystone-manage pki_setup  --keystone-user 0 --keystone-group 0

2014-03-06 13:01:19.905 23316 INFO keystone.common.openssl [-] openssl genrsa -out /etc/keystone/ssl/certs/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
..................................................................................................................................................+++
.......................................+++
e is 65537 (0x10001)
2014-03-06 13:01:20.171 23316 INFO keystone.common.openssl [-] openssl req -new -x509 -extensions v3_ca -key /etc/keystone/ssl/certs/cakey.pem -out /etc/keystone/ssl/certs/ca.pem -days 3650 -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
2014-03-06 13:01:20.178 23316 INFO keystone.common.openssl [-] openssl genrsa -out /etc/keystone/ssl/private/signing_key.pem 2048
Generating RSA private key, 2048 bit long modulus
........+++
..+++
e is 65537 (0x10001)
2014-03-06 13:01:20.199 23316 INFO keystone.common.openssl [-] openssl req -key /etc/keystone/ssl/private/signing_key.pem -new -out /etc/keystone/ssl/certs/req.pem -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
2014-03-06 13:01:20.205 23316 INFO keystone.common.openssl [-] openssl ca -batch -out /etc/keystone/ssl/certs/signing_cert.pem -config /etc/keystone/ssl/certs/openssl.conf -days 3650d -cert /etc/keystone/ssl/certs/ca.pem -keyfile /etc/keystone/ssl/certs/cakey.pem -infiles /etc/keystone/ssl/certs/req.pem
Using configuration from /etc/keystone/ssl/certs/openssl.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :ASN.1 12:'Unset'
localityName          :ASN.1 12:'Unset'
organizationName      :ASN.1 12:'Unset'
commonName            :ASN.1 12:'www.example.com'
Certificate is to be certified until Mar  3 05:01:20 2024 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated



From: Adam Young [mailto:ayoung at redhat.com]
Sent: Friday, March 07, 2014 3:01 AM
To: openstack at lists.openstack.org<mailto:openstack at lists.openstack.org>
Subject: Re: [Openstack] issue when I using pki as the token provider

On 03/05/2014 08:58 PM, Li, Chen wrote:
> provider = keystone.token.providers.pki

That needs to be the full path to the class.

keystone.token.providers.pki.Provider