[Openstack] issue when I using PKI for token format

Li, Chen chen.li at intel.com
Fri Mar 7 06:02:51 UTC 2014


Problem solved.

Thanks a lot for all your help !!!
-chen


/etc/keystone/ssl/certs
-rw-r--r-- 1 keystone keystone 4251 Mar  6 13:01 01.pem
-rw-r----- 1 keystone keystone 1679 Mar  6 13:01 cakey.pem
-rw-r--r-- 1 keystone keystone 1277 Mar  6 13:01 ca.pem
-rw-r----- 1 keystone keystone   70 Mar  6 13:01 index.txt
-rw-r--r-- 1 keystone keystone   20 Mar  6 13:01 index.txt.attr
-rw-r----- 1 keystone keystone    0 Mar  6 13:01 index.txt.old
-rw-r----- 1 keystone keystone 1920 Mar  6 13:01 openssl.conf
-rw-r--r-- 1 keystone keystone 1037 Mar  6 13:01 req.pem
-rw-r----- 1 keystone keystone    3 Mar  6 13:01 serial
-rw-r----- 1 keystone keystone    2 Mar  6 13:01 serial.old
-rw-r--r-- 1 keystone keystone 4251 Mar  6 13:01 signing_cert.pem

/etc/keystone/ssl/private
-rw-r----- 1 keystone keystone 1675 Mar  6 13:01 signing_key.pem

/etc/keystone/keystone.conf:

[signing]
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
ca_key = /etc/keystone/ssl/certs/cakey.pem


From: Li, Chen [mailto:chen.li at intel.com]
Sent: Friday, March 07, 2014 9:04 AM
To: Miller, Mark M (EB SW Cloud - R&D - Corvallis); openstack at lists.openstack.org
Subject: Re: [Openstack] issue when I using PKI for token format

Where can I find these certificates ??

Thanks.
-chen

From: Miller, Mark M (EB SW Cloud - R&D - Corvallis) [mailto:mark.m.miller at hp.com]
Sent: Friday, March 07, 2014 12:25 AM
To: Li, Chen; openstack at lists.openstack.org
Subject: RE: [Openstack] issue when I using PKI for token format

PKI tokens require certificates. Check to make sure that your Keystone installation created certificates and that your keystone.conf file points to them.

From: Li, Chen [mailto:chen.li at intel.com]
Sent: Wednesday, March 05, 2014 6:00 PM
To: openstack at lists.openstack.org
Subject: [Openstack] issue when I using PKI for token format


Hi,

I'm working under CentOS 6.4 + Havana, my keystone version is:
          openstack-keystone.noarch 2013.2.2-1.el6 @openstack-havana

When I run the command "keystone user-list", I get the error:
         Authorization Failed: Unable to sign token. (HTTP 500)

I can get error information in both "keystone-startup.log" and "keystone.log":

2014-03-06 09:31:29.999 18693 ERROR keystone.common.cms [-] Signing error: Unable to load certificate - ensure you've configured PKI with 'keystone-manage pki_setup'
2014-03-06 09:31:29.999 18693 ERROR keystone.token.providers.pki [-] Unable to sign token
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki Traceback (most recent call last):
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/token/providers/pki.py", line 39, in _get_token_id
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki CONF.signing.keyfile)
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 144, in cms_sign_token
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki output = cms_sign_text(text, signing_cert_file_name, signing_key_file_name)
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 139, in cms_sign_text
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki raise environment.subprocess.CalledProcessError(retcode, "openssl")
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki CalledProcessError: Command 'openssl' returned non-zero exit status 3
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki
2014-03-06 09:31:30.000 18693 WARNING keystone.common.wsgi [-] Unable to sign token.

Anyone know why this happened ???

Thanks.
-chen



My /etc/keystone/keystone.conf :

[DEFAULT]

[sql]
connection = mysql://keystone:keystone@host-db/keystone

[identity]

[credential]

[trust]

[os_inherit]

[catalog]
driver = keystone.catalog.backends.sql.Catalog

[endpoint_filter]

[token]
driver = keystone.token.backends.memcache.Token

[cache]

[policy]

[ec2]

[assignment]

[oauth1]

[ssl]

[signing]

[ldap]

[auth]
methods = external,password,token,oauth1
password = keystone.auth.plugins.password.Password
token = keystone.auth.plugins.token.Token
oauth1 = keystone.auth.plugins.oauth1.OAuth

[paste_deploy]
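
A quick check for the failure discussed in this thread, as an added example that is not part of the original messages or of Keystone: it reads the [signing] section of keystone.conf and reports certificate or key files that are missing, empty, or (for private keys) world-readable. The function name check_signing and the fallback paths are assumptions of this example.

```python
import configparser
import os
import stat

# Fallback paths copied from the listing in this thread; using them when an
# option is unset is an assumption of this example.
FALLBACK = {
    "certfile": "/etc/keystone/ssl/certs/signing_cert.pem",
    "keyfile": "/etc/keystone/ssl/private/signing_key.pem",
    "ca_certs": "/etc/keystone/ssl/certs/ca.pem",
}
PRIVATE = {"keyfile", "ca_key"}  # options that name private key material


def check_signing(conf_path, fallback=FALLBACK):
    """Return (option, path, problem) tuples for the [signing] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    if not cp.read(conf_path):
        return [("-", conf_path, "cannot read config file")]
    section = dict(cp["signing"]) if cp.has_section("signing") else {}
    findings = []
    # Always check the three signing files; check ca_key only if configured.
    for opt in sorted(set(fallback) | (PRIVATE & set(section))):
        path = section.get(opt) or fallback.get(opt)
        if not path:
            findings.append((opt, "", "option has no value"))
            continue
        try:
            st = os.stat(path)
        except OSError as exc:
            findings.append((opt, path, "cannot stat: %s" % exc.strerror))
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append((opt, path, "not a regular file"))
        elif st.st_size == 0:
            findings.append((opt, path, "file is empty"))
        elif opt in PRIVATE and st.st_mode & stat.S_IROTH:
            findings.append((opt, path, "private key is world-readable"))
    return findings


if __name__ == "__main__":
    for opt, path, problem in check_signing("/etc/keystone/keystone.conf"):
        print("[signing] %s = %s: %s" % (opt, path, problem))
```

Run it as the keystone user so the result reflects the paths the service itself can reach.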
