[Openstack] SSL enabled Keystone using external CA

Rob Crittenden rcritten at redhat.com
Tue Nov 4 21:14:45 UTC 2014


mohammad kashif wrote:
> Hi
> I am trying to setup ssl enabled keystone using external CA
> 
> my keystone.conf settings regarding ssl are
> 
> [signing]
> 
> certfile=/etc/grid-security/cert.pem
> 
> keyfile=/etc/grid-security/key.pem
> 
> ca_certs=/etc/grid-security/certificates/UKeScienceRoot-2007.pem
> 
> key_size=2048
> 
> cert_subject=< DN of cert>
> 
> 
> [ssl]
> 
> enable=True
> 
> certfile=/etc/grid-security/cert.pem
> 
> keyfile=/etc/grid-security/key.pem
> 
> ca_certs=/etc/grid-security/certificates/UKeScienceRoot-2007.pem
> 
> cert_subject=<DN of Cert>
> 
> 
> I commented out the "ca_key" parameter, which I think is not needed for an external
> CA certificate.
> 
> I can query keystone on https endpoint with --insecure option but
> without --insecure option, it is failing with this error
> 
> INFO:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.31.1
> SSL exception connecting to https://192.168.31.1:35357/v2.0/users
> 
> I also tried with the --os_cacert option.
> 
> I am using openstack icehouse.
> 
> 
> Can someone help me in troubleshooting this problem?

Yes, unfortunately right now keystone doesn't display the actual
problem, just that one has occurred. This is being addressed in
https://review.openstack.org/#/c/129769/ and it is probably worthwhile
to make this one-line change to see exactly what is going on.

Were I to guess it's because you're using the IP address rather than the
FQDN. The host you request needs to match the CN in the subject of the
certificate.

rob
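The hostname check Rob refers to, as an added example that is not part of this thread or of Keystone's own code: a Python re-implementation of how a TLS client decides whether the host it was asked to connect to names the peer certificate, operating on the dict shape that `ssl.SSLSocket.getpeercert()` returns. It goes beyond the CN case to cover subjectAltName DNS and IP entries, which is why connecting by IP address fails against a CN-only certificate; the certificate contents are constructed.

```python
"""Hostname matching as a TLS client performs it, against the dict shape
returned by ssl.SSLSocket.getpeercert(). All certificates here are constructed."""
import ipaddress
from typing import Tuple

# Constructed: a CN-only certificate with no subjectAltName, as the poster likely has.
CERT_CN_ONLY = {
    "subject": ((("countryName", "UK"),), (("commonName", "keystone.example.org"),)),
    "issuer": ((("commonName", "Constructed e-Science Root"),),),
}
# Constructed: a certificate that is also valid when addressed by IP literal.
CERT_WITH_SAN = {
    "subject": ((("commonName", "keystone.example.org"),),),
    "subjectAltName": (("DNS", "keystone.example.org"), ("IP Address", "192.168.31.1")),
}

def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: exact, or a wildcard covering exactly one leading label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    # "*.example.org" matches "a.example.org" but not "example.org" or "a.b.example.org".
    p_rest, h_parts = pattern[2:], hostname.split(".", 1)
    return len(h_parts) == 2 and h_parts[1] == p_rest

def match_hostname(cert: dict, requested: str) -> Tuple[bool, str]:
    """Return (ok, reason) stating whether `requested` names this certificate's subject."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    if ip is not None:
        # An IP literal is matched only against iPAddress SAN entries, never against CN.
        ips = [v for k, v in san if k == "IP Address"]
        if any(ipaddress.ip_address(v) == ip for v in ips):
            return True, f"IP {ip} present in subjectAltName"
        return False, f"IP {ip} not in subjectAltName {ips or '(none)'}; connect by FQDN instead"
    dns_names = [v for k, v in san if k == "DNS"]
    if dns_names:
        # When SAN carries DNS names, the CN is ignored entirely.
        if any(_dns_match(p, requested) for p in dns_names):
            return True, f"{requested} matched a subjectAltName DNS entry"
        return False, f"{requested} not among subjectAltName DNS names {dns_names}"
    # Legacy fallback: compare against commonName only when no SAN DNS names exist.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(_dns_match(cn, requested) for cn in cns):
        return True, f"{requested} matched commonName"
    return False, f"{requested} does not match commonName {cns}"
```

Running `match_hostname(CERT_CN_ONLY, "192.168.31.1")` reproduces the failure mode in the thread, while the same certificate accepts `keystone.example.org`.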
