Rob Crittenden wrote:
Andrey Pavlov wrote:
Hi,
When I ran devstack with SSL I found a bug and tried to fix it -
https://review.openstack.org/#/c/242812/
But no one agree with me.
Try to apply this patch - it may help.
Also there is a chance that new bugs present in devstack that
prevented to install it with SSL.
Seeing how some other things in your local.conf might help but when I
tried to reproduce it I got the same error and it failed because Apache
didn't have an SSL listener on 443.
I'm not sure I'd recommend direct SSL in any case. I'd recommend the
tls-proxy service instead. Note that I'm pretty sure it has the same
problem: it hasn't been updated to handle port 443 for Keystone.
I'm working on switching from stud to mod_proxy if you want to take a
look and this problem is fixed there, https://review.openstack.org/301172
I'll see about adding a SSL listener to Keystone for the USE_SSL case in
the next few days.
And yeah, it's a moving target. I have an experimental gate test for
tlsproxy but it has to be requested explicitly. My plan is to enable it
as non-voting once the mod_proxy changes land so it will at least be
more obvious when things break (or maybe we can making it voting).
Fixing Keystone is easy. An Apache VirtualHost for 443 needs to be added.
But I found another, deeper problem: cinder won't listen on SSL. When
they switched to using oslo_service for WSGI they completely removed the
ability to use SSL. See bug https://bugs.launchpad.net/cinder/+bug/1590901
rob
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
