[Openstack] issue when I using pki as the token provider
Li, Chen
chen.li at intel.com
Fri Mar 7 05:53:21 UTC 2014
Sorry, keystone failing to start was caused by another reason.
I can work with PKI now.
Thanks very much!
-chen
From: Li, Chen
Sent: Friday, March 07, 2014 12:55 PM
To: 'Ali, Haneef'; openstack at lists.openstack.org
Subject: RE: [Openstack] issue when I using pki as the token provider
Keystone can't start...
Error in /var/log/keystone/keystone.log:
2014-03-07 12:50:32.808 28240 INFO keystone.common.environment [-] Environment configured as: eventlet
2014-03-07 12:50:32.983 28240 CRITICAL keystone [-] cannot import name exceptions
Files:
/etc/keystone/ssl/certs
-rw-r--r-- 1 keystone keystone 4251 Mar 6 13:01 01.pem
-rw-r----- 1 keystone keystone 1679 Mar 6 13:01 cakey.pem
-rw-r--r-- 1 keystone keystone 1277 Mar 6 13:01 ca.pem
-rw-r----- 1 keystone keystone 70 Mar 6 13:01 index.txt
-rw-r--r-- 1 keystone keystone 20 Mar 6 13:01 index.txt.attr
-rw-r----- 1 keystone keystone 0 Mar 6 13:01 index.txt.old
-rw-r----- 1 keystone keystone 1920 Mar 6 13:01 openssl.conf
-rw-r--r-- 1 keystone keystone 1037 Mar 6 13:01 req.pem
-rw-r----- 1 keystone keystone 3 Mar 6 13:01 serial
-rw-r----- 1 keystone keystone 2 Mar 6 13:01 serial.old
-rw-r--r-- 1 keystone keystone 4251 Mar 6 13:01 signing_cert.pem
/etc/keystone/ssl/private
-rw-r----- 1 keystone keystone 1675 Mar 6 13:01 signing_key.pem
/etc/keystone/keystone.conf:
[DEFAULT]
[sql]
connection = mysql://keystone:keystone@host-db/keystone
[identity]
[credential]
[trust]
[os_inherit]
[catalog]
driver = keystone.catalog.backends.sql.Catalog
[endpoint_filter]
[token]
driver = keystone.token.backends.memcache.Token
provider = keystone.token.providers.pki.Provider
[cache]
[policy]
[ec2]
[assignment]
[oauth1]
[ssl]
[signing]
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
ca_key= /etc/keystone/ssl/certs/cakey.pem
[ldap]
[auth]
methods = external,password,token,oauth1
password = keystone.auth.plugins.password.Password
token = keystone.auth.plugins.token.Token
oauth1 = keystone.auth.plugins.oauth1.OAuth
[paste_deploy]
From: Ali, Haneef [mailto:haneef.ali at hp.com]
Sent: Friday, March 07, 2014 12:31 PM
To: Li, Chen; openstack at lists.openstack.org
Subject: RE: [Openstack] issue when I using pki as the token provider
Certs in the [ssl] section are used to configure keystone to use https instead of http. PKI token configuration is under [signing]:
[signing]
#certfile = /etc/keystone/pki/certs/signing_cert.pem
#keyfile = /etc/keystone/pki/private/signing_key.pem
#ca_certs = /etc/keystone/pki/certs/cacert.pem
Do you have those files at that location? I don't think so.
If you look at the output below from keystone-manage pki_setup, it has generated those files at
/etc/keystone/ssl/private/signing_key.pem
/etc/keystone/ssl/certs/signing_cert.pem
Thanks
Haneef
Links are
1) https://ask.openstack.org/en/question/24911/issue-when-i-using-pki-for-token-format/
2) https://ask.openstack.org/en/question/24909/issue-when-i-using-pki-as-the-token-provider/
From: Li, Chen [mailto:chen.li at intel.com]
Sent: Thursday, March 06, 2014 8:18 PM
To: Ali, Haneef; openstack at lists.openstack.org
Subject: RE: [Openstack] issue when I using pki as the token provider
Can you send me the link at ask.openstack.org where you have replied?
Also,
There are two places that have these files, [ssl] and [signing]. Which one should I use?
Thanks.
-chen
[ssl]
#enable = True
#certfile = /etc/keystone/pki/certs/ssl_cert.pem
#keyfile = /etc/keystone/pki/private/ssl_key.pem
#ca_certs = /etc/keystone/pki/certs/cacert.pem
#ca_key = /etc/keystone/pki/private/cakey.pem
#key_size = 1024
#valid_days = 3650
#cert_required = False
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
And
[signing]
# Deprecated in favor of provider in the [token] section
# Allowed values are PKI or UUID
#token_format =
# token_format = UUID
# token_format = PKI
#certfile = /etc/keystone/pki/certs/signing_cert.pem
#keyfile = /etc/keystone/pki/private/signing_key.pem
#ca_certs = /etc/keystone/pki/certs/cacert.pem
#ca_key = /etc/keystone/pki/private/cakey.pem
#key_size = 2048
#valid_days = 3650
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
From: Ali, Haneef [mailto:haneef.ali at hp.com]
Sent: Friday, March 07, 2014 12:10 PM
To: Li, Chen; openstack at lists.openstack.org
Subject: RE: [Openstack] issue when I using pki as the token provider
[signing]
#certfile = /etc/keystone/ssl/certs/signing_cert.pem
#keyfile = /etc/keystone/ssl/private/signing_key.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
These are the default configuration file locations. keystone-manage pki_setup would have generated those files at that location. Check whether the files are there in that location; if not, adjust the config settings to the correct path. Also make sure those files are readable by the keystone process.
Thanks
Haneef
PS: You can also look at your question at ask.openstack.org where I have replied
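Haneef's two replies above amount to a checklist: the PKI provider reads [signing] (not [ssl]), the three files must exist where keystone.conf says they are, and they must be readable by the user keystone runs as. The script below turns that into a pre-flight check. It is an added example, not part of this thread or of keystone itself; it assumes openssl is on PATH, and the CA and signing certificate it builds in a temporary directory are constructed test material so that it runs without a real deployment. The last step is the same openssl cms -sign invocation keystone's cms.py shells out to, so a failure there is what keystone reports as "Unable to sign token".

```shell
#!/usr/bin/env bash
# Added example, not keystone's own code: pre-flight check of keystone.conf [signing]
# before switching the token provider to keystone.token.providers.pki.Provider.
# Assumes openssl is on PATH. The demo PKI built at the bottom is constructed test
# material, not a real deployment.
set -u

# Print the value of KEY from INI SECTION in FILE (commented lines are skipped).
ini_get() {   # ini_get FILE SECTION KEY
    awk -v section="[$2]" -v key="$3" '
        $1 == section { in_sec = 1; next }
        /^[[:space:]]*\[/ { in_sec = 0 }
        in_sec && $0 !~ /^[[:space:]]*#/ && index($0, "=") {
            split($0, kv, "=")
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", kv[1])
            if (kv[1] == key) {
                sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
                print; exit
            }
        }' "$1"
}

# Return 0 if the [signing] material in KEYSTONE_CONF can sign PKI tokens,
# otherwise print the first failure and return a distinct non-zero code.
check_signing() {   # check_signing KEYSTONE_CONF
    local conf="$1" certfile keyfile ca_certs f
    certfile=$(ini_get "$conf" signing certfile)
    keyfile=$(ini_get "$conf" signing keyfile)
    ca_certs=$(ini_get "$conf" signing ca_certs)
    for f in "$certfile" "$keyfile" "$ca_certs"; do
        [ -n "$f" ] || { echo "FAIL: certfile/keyfile/ca_certs not all set in [signing] of $conf"; return 2; }
        # keystone must read these as the user it runs as, so run this check as that user
        [ -r "$f" ] || { echo "FAIL: $f missing or not readable by $(id -un)"; return 3; }
    done
    # 1. the signing cert must chain to the configured CA (the CA cert is what clients use to verify tokens)
    openssl verify -CAfile "$ca_certs" "$certfile" 2>/dev/null | grep -q ': OK$' \
        || { echo "FAIL: $certfile does not verify against $ca_certs"; return 4; }
    # 2. the private key must belong to the cert: compare the public keys
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$certfile" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$keyfile" -pubout 2>/dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: $keyfile is not the private key for $certfile"; return 5; }
    # 3. the CMS signature keystone's cms.py produces over the token JSON
    printf '{"access":{"token":{"id":"placeholder"}}}' \
        | openssl cms -sign -signer "$certfile" -inkey "$keyfile" -outform PEM \
              -nosmimecap -nodetach -nocerts -noattr >/dev/null 2>&1 \
        || { echo "FAIL: openssl cms -sign failed; keystone would log 'Unable to sign token'"; return 6; }
    echo "OK: [signing] in $conf can sign PKI tokens"
}

# Build a throwaway CA and signing cert plus a matching keystone.conf in DIR (constructed test material).
make_demo_pki() {   # make_demo_pki DIR
    local d="$1"
    mkdir -p "$d/certs" "$d/private"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo-ca" \
        -keyout "$d/private/cakey.pem" -out "$d/certs/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-signer" \
        -keyout "$d/private/signing_key.pem" -out "$d/certs/req.pem" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$d/certs/req.pem" -CA "$d/certs/ca.pem" \
        -CAkey "$d/private/cakey.pem" -CAcreateserial -out "$d/certs/signing_cert.pem" >/dev/null 2>&1
    chmod 0640 "$d/private/signing_key.pem" "$d/private/cakey.pem"   # owner+group only, like the listing above
    cat > "$d/keystone.conf" <<EOF
[token]
provider = keystone.token.providers.pki.Provider
[signing]
certfile = $d/certs/signing_cert.pem
keyfile = $d/private/signing_key.pem
ca_certs = $d/certs/ca.pem
EOF
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
check_signing "$demo_dir/keystone.conf"; echo "  -> exit $?"
# The thread's situation: config points at the commented-out default /etc/keystone/pki/... paths
# while pki_setup actually wrote under .../ssl/...
sed 's#/certs/signing_cert.pem#/pki/certs/signing_cert.pem#' "$demo_dir/keystone.conf" > "$demo_dir/wrong_path.conf"
check_signing "$demo_dir/wrong_path.conf"; echo "  -> exit $?"
# A readable key that belongs to a different cert (the CA key instead of the signing key)
sed 's#/private/signing_key.pem#/private/cakey.pem#' "$demo_dir/keystone.conf" > "$demo_dir/wrong_key.conf"
check_signing "$demo_dir/wrong_key.conf"; echo "  -> exit $?"
```

Run it as the keystone user (sudo -u keystone) against the real /etc/keystone/keystone.conf so the readability test reflects the process that will actually open the files. Only certfile, keyfile and ca_certs are needed at runtime; ca_key is used by pki_setup alone, so the running service has no need to read cakey.pem, which the listing above shows sitting in the certs directory at mode 0640.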
From: Li, Chen [mailto:chen.li at intel.com]
Sent: Thursday, March 06, 2014 5:12 PM
To: Adam Young; openstack at lists.openstack.org
Subject: Re: [Openstack] issue when I using pki as the token provider
Thanks !
But I still get an error when I run the command:
keystone user-list
Authorization Failed: Unable to sign token. (HTTP 500)
Message in /var/log/keystone/keystone.log:
2014-03-07 09:09:39.659 20794 INFO keystone.common.environment [-] Environment configured as: eventlet
2014-03-07 09:09:39.929 20794 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:35357
2014-03-07 09:09:39.930 20794 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:5000
2014-03-07 09:09:40.783 20817 INFO keystone.common.environment [-] Environment configured as: eventlet
2014-03-07 09:09:41.053 20817 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:35357
2014-03-07 09:09:41.054 20817 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:5000
2014-03-07 09:09:51.802 20817 ERROR keystone.common.cms [-] Signing error: Unable to load certificate - ensure you've configured PKI with 'keystone-manage pki_setup'
2014-03-07 09:09:51.802 20817 ERROR keystone.token.providers.pki [-] Unable to sign token
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki Traceback (most recent call last):
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/token/providers/pki.py", line 39, in _get_token_id
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki CONF.signing.keyfile)
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 144, in cms_sign_token
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki output = cms_sign_text(text, signing_cert_file_name, signing_key_file_name)
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 139, in cms_sign_text
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki raise environment.subprocess.CalledProcessError(retcode, "openssl")
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki CalledProcessError: Command 'openssl' returned non-zero exit status 3
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki
2014-03-07 09:09:51.832 20817 WARNING keystone.common.wsgi [-] Unable to sign token.
I already ran the command:
id
uid=0(root) gid=0(root) groups=0(root)
keystone-manage pki_setup --keystone-user 0 --keystone-group 0
2014-03-06 13:01:19.905 23316 INFO keystone.common.openssl [-] openssl genrsa -out /etc/keystone/ssl/certs/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
..................................................................................................................................................+++
.......................................+++
e is 65537 (0x10001)
2014-03-06 13:01:20.171 23316 INFO keystone.common.openssl [-] openssl req -new -x509 -extensions v3_ca -key /etc/keystone/ssl/certs/cakey.pem -out /etc/keystone/ssl/certs/ca.pem -days 3650 -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
2014-03-06 13:01:20.178 23316 INFO keystone.common.openssl [-] openssl genrsa -out /etc/keystone/ssl/private/signing_key.pem 2048
Generating RSA private key, 2048 bit long modulus
........+++
..+++
e is 65537 (0x10001)
2014-03-06 13:01:20.199 23316 INFO keystone.common.openssl [-] openssl req -key /etc/keystone/ssl/private/signing_key.pem -new -out /etc/keystone/ssl/certs/req.pem -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
2014-03-06 13:01:20.205 23316 INFO keystone.common.openssl [-] openssl ca -batch -out /etc/keystone/ssl/certs/signing_cert.pem -config /etc/keystone/ssl/certs/openssl.conf -days 3650d -cert /etc/keystone/ssl/certs/ca.pem -keyfile /etc/keystone/ssl/certs/cakey.pem -infiles /etc/keystone/ssl/certs/req.pem
Using configuration from /etc/keystone/ssl/certs/openssl.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :ASN.1 12:'Unset'
localityName :ASN.1 12:'Unset'
organizationName :ASN.1 12:'Unset'
commonName :ASN.1 12:'www.example.com'
Certificate is to be certified until Mar 3 05:01:20 2024 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
From: Adam Young [mailto:ayoung at redhat.com]
Sent: Friday, March 07, 2014 3:01 AM
To: openstack at lists.openstack.org
Subject: Re: [Openstack] issue when I using pki as the token provider
On 03/05/2014 08:58 PM, Li, Chen wrote:
> provider = keystone.token.providers.pki
That needs to be the full path to the class.
keystone.token.providers.pki.Provider