On Wed, Jul 20, 2016 at 12:29 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Rob Crittenden wrote:
>> Andrey Pavlov wrote:
>>> Hi,
>>>
>>> When I ran devstack with SSL I found a bug and tried to fix it -
>>> https://review.openstack.org/#/c/242812/
>>> But no one agrees with me.
>>> Try to apply this patch - it may help.
>>> Also there is a chance that new bugs present in devstack that
>>> prevent installing it with SSL.
>>
>> Seeing how some other things in your local.conf might help but when I
>> tried to reproduce it I got the same error and it failed because Apache
>> didn't have an SSL listener on 443.
>>
>> I'm not sure I'd recommend direct SSL in any case. I'd recommend the
>> tls-proxy service instead. Note that I'm pretty sure it has the same
>> problem: it hasn't been updated to handle port 443 for Keystone.
>>
>> I'm working on switching from stud to mod_proxy if you want to take a
>> look and this problem is fixed there, https://review.openstack.org/301172
>>
>> I'll see about adding an SSL listener to Keystone for the USE_SSL case in
>> the next few days.
>>
>> And yeah, it's a moving target. I have an experimental gate test for
>> tlsproxy but it has to be requested explicitly. My plan is to enable it
>> as non-voting once the mod_proxy changes land so it will at least be
>> more obvious when things break (or maybe we can make it voting).
>
> Fixing Keystone is easy. An Apache VirtualHost for 443 needs to be added.
>
> But I found another, deeper problem: cinder won't listen on SSL. When they
> switched to using oslo_service for WSGI they completely removed the ability
> to use SSL.
>
> See bug https://bugs.launchpad.net/cinder/+bug/1590901
>
> rob
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Problems like this should make us wonder why we're reimplementing basic functionality like TLS termination. Existing wsgi containers (uwsgi, gunicorn, and apache) all handle TLS termination just fine.

-- 
- Brant
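The kind of fix the thread points at (terminate TLS in an Apache VirtualHost on 443 and proxy to the service over plain HTTP, rather than teaching each service to speak SSL itself) is sketched below as an added illustration. It is not code from the thread, from devstack, or from the tls-proxy change under review; the hostname, certificate paths and the Keystone backend port are assumptions.

```apache
# Added illustration, not devstack's tls-proxy config.
# Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers.
Listen 443

<VirtualHost *:443>
    # Assumed hostname; must match the certificate's subject/SAN.
    ServerName devstack.example.test

    SSLEngine on
    # Assumed certificate and key paths.
    SSLCertificateFile    /etc/ssl/certs/devstack.crt
    SSLCertificateKeyFile /etc/ssl/private/devstack.key
    SSLProtocol all -SSLv2 -SSLv3

    # Keystone is assumed to serve plain HTTP on 127.0.0.1:5000. Binding
    # the backend to loopback only keeps the cleartext port unreachable
    # from other hosts, so TLS termination here is the only way in.
    ProxyPreserveHost on
    ProxyPass        "/" "http://127.0.0.1:5000/"
    ProxyPassReverse "/" "http://127.0.0.1:5000/"

    # Let the backend know the client connection was TLS, so the URLs it
    # generates (version and catalog responses) use https://.
    RequestHeader set X-Forwarded-Proto "https"

    ErrorLog  /var/log/apache2/keystone-tls-error.log
    CustomLog /var/log/apache2/keystone-tls-access.log combined
</VirtualHost>
```

With this in place the service itself never needs an SSL listener, which is the point Brant makes about leaving TLS termination to the container or proxy.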