[Openstack] Problem authenticating tokens with signing_cert issued by external CA

Adam Young ayoung at redhat.com
Tue Apr 21 17:43:55 UTC 2015


On 04/21/2015 08:25 AM, Daniel Marks wrote:
> Hi all,
>
> being on Openstack Icehouse 2014.1.3 I am trying to exchange the default token signing certificate (the one generated during installation of the .deb package) with one signed by our CA. I followed http://docs.openstack.org/admin-guide-cloud/content/certificates-for-pki.html for certificate creation and signed the request with our (intermediate) CA cert. I am pretty sure the certificate is okay - I can sign and verify stuff using openssl:
>
> $ sudo openssl cms -sign  -inkey private/signing_key.pem -nosmimecap -nodetach -nocerts -noattr -signer certs/signing_cert.pem -out /tmp/test_token
> test9876
> $ sudo openssl cms -verify -certfile certs/signing_cert.pem -CAfile certs/ca.pem  -nosmimecap -nodetach -nocerts -noattr < /tmp/test_token
> test9876
> Verification successful
>
> However, when I deploy the new ca.pem, signing_cert.pem and signing_key.pem to keystone, everything except keystone breaks.
You probably need to wipe out the old certificates cached on the various 
servers.  The certificates are fetched on demand, so just deleting the 
cached certs and restarting should do it for you.


http://adam.younglogic.com/2013/07/troubleshooting-pki-middleware/

>
> $ keystone user-list
> +----------------------------------+------------------+---------+---------------------------------+
> |                id                |       name       | enabled |              email              |
> +----------------------------------+------------------+---------+---------------------------------+
> | befedd5af2bf49158a326dce5650bdbe |      admin       |   True  |   cloud-alerts at example.com   |
>
> $ glance image-list
> Request returned failure status.
> Invalid OpenStack Identity credentials.
>
> glance/api.log:
> 2015-04-21 13:58:22.270 9193 WARNING keystoneclient.middleware.auth_token [-] Verify error: Command 'openssl' returned non-zero exit status 4
> 2015-04-21 13:58:22.271 9193 WARNING keystoneclient.middleware.auth_token [-] Authorization failed for token
>
> I have no problem using same credentials and the certs generated during installation.
> I am feeling like I am missing something obvious, but I can't figure out what. Any help is appreciated.
>
> Best regards,
> Daniel
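An added check for the stale-cache problem Adam describes (example code, not from this thread, keystone or keystoneclient): it fingerprints the signing_cert.pem and ca.pem that each service's auth_token signing_dir has cached and reports the ones that no longer match keystone's current copies, so you know which caches to delete before restarting. The directory layout and PEM contents in demo() are constructed, and all function names are this example's own.

```python
"""Find auth_token signing_dir caches still holding an old signing cert.

Each service caches keystone's signing_cert.pem and ca.pem in its own
signing_dir. After the certs are swapped on keystone, a stale cache makes
'openssl cms -verify' fail (exit status 4) until the cached files are
deleted and the service restarted.
"""
import base64
import hashlib
import os
import re
import tempfile

_PEM = re.compile(rb"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_fingerprint(pem_bytes):
    """SHA-256 of the DER inside the first PEM block (the value
    'openssl x509 -sha256 -fingerprint' prints, without the colons)."""
    m = _PEM.search(pem_bytes)
    if not m:
        raise ValueError("no PEM block found")
    der = base64.b64decode(b"".join(m.group(2).split()))
    return hashlib.sha256(der).hexdigest()


def stale_caches(keystone_dir, signing_dirs, names=("signing_cert.pem", "ca.pem")):
    """Map each signing_dir to its cached files whose fingerprint differs from
    keystone's copy. A missing file is fine: the middleware fetches on demand."""
    ref = {n: pem_fingerprint(open(os.path.join(keystone_dir, n), "rb").read())
           for n in names}
    stale = {}
    for d in signing_dirs:
        bad = [n for n in names if os.path.exists(os.path.join(d, n))
               and pem_fingerprint(open(os.path.join(d, n), "rb").read()) != ref[n]]
        if bad:
            stale[d] = bad
    return stale


def fake_pem(label, payload):
    """Constructed PEM-shaped blob; fingerprinting needs no real X.509 parse."""
    return (f"-----BEGIN {label}-----\n".encode() + base64.encodebytes(payload)
            + f"-----END {label}-----\n".encode())


def demo():
    """Constructed layout: keystone and nova hold the new cert, glance the old one."""
    root = tempfile.mkdtemp()
    new, old, ca = (fake_pem("CERTIFICATE", p) for p in (b"new", b"old", b"ca"))
    for svc, cert in (("keystone", new), ("glance", old), ("nova", new)):
        os.mkdir(os.path.join(root, svc))
        open(os.path.join(root, svc, "signing_cert.pem"), "wb").write(cert)
        open(os.path.join(root, svc, "ca.pem"), "wb").write(ca)
    return stale_caches(os.path.join(root, "keystone"),
                        [os.path.join(root, "glance"), os.path.join(root, "nova")])
```

Run against the real signing_dir of each service (the auth_token `signing_dir` option) and keystone's certs directory; only glance's cache is reported in the constructed demo.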