[Openstack] issue when I using PKI for token format
Miller, Mark M (EB SW Cloud - R&D - Corvallis)
mark.m.miller at hp.com
Fri Mar 7 16:42:18 UTC 2014
The following keystone commands will create them for you:
keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
keystone-manage ssl_setup --keystone-user keystone --keystone-group keystone
chown -R keystone:keystone /etc/keystone/ssl
Mark
From: Li, Chen [mailto:chen.li at intel.com]
Sent: Thursday, March 06, 2014 5:04 PM
To: Miller, Mark M (EB SW Cloud - R&D - Corvallis); openstack at lists.openstack.org
Subject: RE: [Openstack] issue when I using PKI for token format
Where can I find these certificates ??
Thanks.
-chen
From: Miller, Mark M (EB SW Cloud - R&D - Corvallis) [mailto:mark.m.miller at hp.com]
Sent: Friday, March 07, 2014 12:25 AM
To: Li, Chen; openstack at lists.openstack.org<mailto:openstack at lists.openstack.org>
Subject: RE: [Openstack] issue when I using PKI for token format
PKI tokens require certificates. Check to make sure that your Keystone installation created certificates and that you keystone.conf file points to them.
From: Li, Chen [mailto:chen.li at intel.com]
Sent: Wednesday, March 05, 2014 6:00 PM
To: openstack at lists.openstack.org<mailto:openstack at lists.openstack.org>
Subject: [Openstack] issue when I using PKI for token format
Hi,
I'm working under CentOS 6.4 + Havana, my keystone version is:
openstack-keystone.noarch 2013.2.2-1.el6 @openstack-havana
When I run command "keystone user-list", I get error:
Authorization Failed: Unable to sign token. (HTTP 500)
I can get error information in both "keystone-startup.log" and "keystone.log":
2014-03-06 09:31:29.999 18693 ERROR keystone.common.cms [-] Signing error: Unable to load certificate - ensure you've configured PKI with 'keystone-manage pki_setup'
2014-03-06 09:31:29.999 18693 ERROR keystone.token.providers.pki [-] Unable to sign token
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki Traceback (most recent call last):
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/token/providers/pki.py", line 39, in _get_token_id
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki CONF.signing.keyfile)
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 144, in cms_sign_token
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki output = cms_sign_text(text, signing_cert_file_name, signing_key_file_name)
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 139, in cms_sign_text
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki raise environment.subprocess.CalledProcessError(retcode, "openssl")
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki CalledProcessError: Command 'openssl' returned non-zero exit status 3
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki
2014-03-06 09:31:30.000 18693 WARNING keystone.common.wsgi [-] Unable to sign token.
~
Anyone know why this happened ???
Thanks.
-chen
My /etc/keystone/keystone.conf :
[DEFAULT]
[sql]
connection = mysql://keystone:keystone@host-db/keystone
[identity]
[credential]
[trust]
[os_inherit]
[catalog]
driver = keystone.catalog.backends.sql.Catalog
[endpoint_filter]
[token]
driver = keystone.token.backends.memcache.Token
[cache]
[policy]
[ec2]
[assignment]
[oauth1]
[ssl]
[signing]
[ldap]
[auth]
methods = external,password,token,oauth1
password = keystone.auth.plugins.password.Password
token = keystone.auth.plugins.token.Token
oauth1 = keystone.auth.plugins.oauth1.OAuth
[paste_deploy]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140307/56c2e6c8/attachment.html>
More information about the Openstack
mailing list