[Openstack] SSL enabled Keystone using external CA

mohammad kashif kashif.alig at gmail.com
Wed Nov 5 16:13:37 UTC 2014


Hi Rob
Thanks for pointing to the above patch. The problem was that it could not
verify the CA certificate. I was trying to pass the CA root certificate by
the --os_cacert parameter but it didn't work. Copying the CA root certificate to
/etc/pki/ca-trust/source/anchors and enabling update-ca-trust did the trick.

Cheers
Kashif

On Tue, Nov 4, 2014 at 9:14 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> mohammad kashif wrote:
> > Hi
> > I am trying to setup ssl enabled keystone using external CA
> >
> > my keystone.conf settings regarding ssl are
> >
> > [signing]
> > certfile=/etc/grid-security/cert.pem
> > keyfile=/etc/grid-security/key.pem
> > ca_certs=/etc/grid-security/certificates/UKeScienceRoot-2007.pem
> > key_size=2048
> > cert_subject=<DN of cert>
> >
> > [ssl]
> > enable=True
> > certfile=/etc/grid-security/cert.pem
> > keyfile=/etc/grid-security/key.pem
> > ca_certs=/etc/grid-security/certificates/UKeScienceRoot-2007.pem
> > cert_subject=<DN of Cert>
> >
> >
> > I commented out "ca_key" parameter which I think not needed for external
> > ca certificate .
> >
> > I can query keystone on https endpoint with --insecure option but
> > without --insecure option, it is failing with this error
> >
> > INFO:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.31.1
> > SSL exception connecting to https://192.168.31.1:35357/v2.0/users
> >
> > I also tried with the --os_cacert option.
> >
> > I am using openstack icehouse.
> >
> >
> > Can some one help me in troubleshooting this problem ?
>
> Yes, unfortunately right now keystone doesn't display the actual
> problem, just that one has occurred. This is being addressed in
> https://review.openstack.org/#/c/129769/ and it is probably worthwhile
> to make this one-line change to see exactly what is going on.
>
> Were I to guess it's because you're using the IP address rather than the
> FQDN. The host you request needs to match the CN in the subject of the
> certificate.
>
> rob
>
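The two causes discussed in this thread (a CA root the client does not trust, and an endpoint addressed by IP while the certificate is issued for an FQDN) both surface as the same bare "SSL exception" in Icehouse keystoneclient. The script below is an added example, written for this thread and not code from OpenStack, from Rob or from Kashif: it performs the same verified HTTPS connection the client would, but reports which of those causes applied. It assumes Python 3; the endpoint URL is the one from Kashif's mail, while the CA file path and the error strings in the classifier are constructed samples.

```python
"""Pre-flight TLS checks for an HTTPS Keystone endpoint.

Added example for this thread, not code from OpenStack or from either poster.
It connects with full certificate verification (no --insecure) and reports
*why* verification failed, which keystoneclient in Icehouse did not do.
The default URL is the one from the thread; CA paths and error strings are
assumptions/constructed samples.
"""
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit


def endpoint_host(url):
    """Split an https:// endpoint into (host, port); port defaults to 443."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https://host[:port]/... endpoint, got %r" % url)
    return parts.hostname, parts.port or 443


def is_ip_literal(host):
    """True if the endpoint is addressed by IP rather than FQDN.

    A certificate issued for a DNS name will not verify against an IP
    unless that IP is in subjectAltName, so flag it before connecting
    (the point Rob raises in the thread)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_tls_failure(message):
    """Map the text of an ssl.SSLCertVerificationError to a short cause.

    The substrings are the ones CPython's ssl module and OpenSSL emit;
    anything unrecognised is reported as 'other'."""
    m = message.lower()
    if "hostname mismatch" in m or "ip address mismatch" in m:
        return "hostname-mismatch"
    if ("unable to get local issuer certificate" in m
            or "self signed certificate" in m or "self-signed certificate" in m):
        return "untrusted-ca"
    if "certificate has expired" in m:
        return "expired"
    return "other"


def check_endpoint(url, cafile=None, timeout=5.0):
    """Connect to url with full verification and return a result dict.

    cafile=None uses the system trust store (e.g. /etc/pki/ca-trust on RHEL
    after update-ca-trust); pass the CA root PEM to mimic --os-cacert."""
    host, port = endpoint_host(url)
    result = {"host": host, "port": port, "ip_literal": is_ip_literal(host),
              "ok": False, "cause": None, "detail": None}
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result["ok"] = True
                result["detail"] = {"subject": cert.get("subject"),
                                    "subjectAltName": cert.get("subjectAltName")}
    except ssl.SSLCertVerificationError as exc:
        result["cause"] = classify_tls_failure(str(exc))
        result["detail"] = str(exc)
    except (ssl.SSLError, OSError) as exc:
        result["cause"] = "connection-error"
        result["detail"] = str(exc)
    return result


if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else "https://192.168.31.1:35357/v2.0/users"
    cafile = sys.argv[2] if len(sys.argv) > 2 else None  # e.g. the UKeScienceRoot PEM
    r = check_endpoint(url, cafile)
    if r["ip_literal"]:
        print("note: endpoint uses an IP literal; the cert must carry it in subjectAltName")
    print("ok" if r["ok"] else "FAILED (%s): %s" % (r["cause"], r["detail"]))
```

Run it as `python3 check_keystone_tls.py https://keystone.example.org:35357/v2.0/users /path/to/ca-root.pem` (hypothetical names). An "untrusted-ca" result means the CA file or system anchors do not chain to the server cert (Kashif's case, solved by adding the root to /etc/pki/ca-trust/source/anchors and running update-ca-trust); a "hostname-mismatch" result means the name in the URL is not what the certificate was issued for (Rob's guess about using the IP instead of the FQDN).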