We had this issue. OS_CAcert doesn't do what you think it does. If I remember correctly, it's for client certs or something of the like. For us, we had to include the bundle of signing CA into the cert file. Our ssl config is like:

ca_certs=/path/to/your-ca-ssl-bundle.crt
certfile=/path/to/sslcert-withbundle-appeneded-to-the-end.crt
keyfile=/path/to/privatekeyforcert.key
cert_subject=
ca_key=

The your-ca-ssl-bundle.crt should come from your ssl cert provider and you should be able to find it publicly available. You can create a bundle via: https://support.comodo.com/index.php?/Knowledgebase/Article/View/643/0/how-do-i-make-my-own-bundle-file-from-crt-files
____________________________________________
Kris Lindgren
Senior Linux Systems Engineer
GoDaddy, LLC.

From: Gui Maluf <[email protected]>
Date: Tuesday, February 10, 2015 at 4:40 PM
To: "Kris G. Lindgren" <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [Openstack-operators] Swift-Proxy + Keystone with HAProxy and SSL

Something is wrong with my certificates and Keystone, because after changing to self-signed certificates everything is working.

On Tue, Feb 10, 2015 at 8:52 PM, Gui Maluf <[email protected]> wrote:

http://paste.openstack.org/show/171017/

On Tue, Feb 10, 2015 at 8:33 PM, Kris G. Lindgren <[email protected]> wrote:

Can you post your haproxy config file?
____________________________________________
Kris Lindgren
Senior Linux Systems Engineer
GoDaddy, LLC.

From: Gui Maluf <[email protected]>
Date: Tuesday, February 10, 2015 at 3:25 PM
To: "[email protected]" <[email protected]>
Subject: [Openstack-operators] Swift-Proxy + Keystone with HAProxy and SSL

Hey guys, my production environment has been down for two days and I can't fix it.

I had 3 keystone+swiftproxy nodes, balanced with DNS-RR and endpoints pointing to DNS; keystone running on 5000/35357 and swift on 443, both with a self-signed certificate and native SSL.

Then I changed the swiftproxy to run on port 8080, disabled the native SSL, set up HAProxy (a real LB with healthcheck and SSL passthrough) redirecting TCP connections to the keystone/swiftproxy nodes, and changed the keystone endpoints to point to the HAProxy hostname with specific ports.

What is happening now: using curl I can access the keystone API with -k and passing --cacert, but with keystoneclient, even with OS_CACERT, I can't run any command without the --insecure flag:

Authorization Failed: <attribute 'message' of 'exceptions.BaseException' objects> (HTTP Unable to establish connection to https

Swift just doesn't work, either through the API or swiftclient.

Could someone help me, please? What else should I do to change the swift-proxy port and to have an HAProxy pointing to that?

thanks

-- guilherme \n \t maluf
_______________________________________________ OpenStack-operators mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
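
Added example (not part of the original thread and not code from any poster): a client that trusts only a root CA cannot build a chain to a server certificate issued by an intermediate unless the server also sends that intermediate, which is what appending the bundle to the certfile achieves. The CA names, host name and file names below are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: throwaway root CA, intermediate CA and server cert.
# Every name and file here is made up for the example.
chain_check() (
  set -e
  d=$(mktemp -d) && cd "$d"
  trap 'rm -rf "$d"' EXIT
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > cfg

  # Root CA (self-signed): the only certificate the client trusts.
  openssl req -x509 -config cfg -extensions ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.crt -subj "/CN=Constructed Root CA" -days 1 2>/dev/null

  # Intermediate CA signed by the root: plays the provider's CA bundle.
  openssl req -new -config cfg -newkey rsa:2048 -nodes \
    -keyout int.key -out int.csr -subj "/CN=Constructed Intermediate CA" 2>/dev/null
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile cfg -extensions ca -out int.crt -days 1 2>/dev/null

  # Server certificate signed by the intermediate.
  openssl req -new -config cfg -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj "/CN=keystone.example.test" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -out leaf.crt -days 1 2>/dev/null

  # certfile with the bundle appended: server cert first, then its issuer.
  cat leaf.crt int.crt > sslcert-withbundle.crt

  # Client sees only the bare server cert: no path to the trusted root.
  if openssl verify -CAfile root.crt leaf.crt 2>&1 | grep -q ': OK$'
  then bare=OK; else bare=FAIL; fi
  # Same client, but the server also presented the certs in the bundled file.
  if openssl verify -CAfile root.crt -untrusted sslcert-withbundle.crt leaf.crt 2>&1 \
      | grep -q ': OK$'
  then bundled=OK; else bundled=FAIL; fi
  echo "bare=$bare bundled=$bundled"
)

chain_check
```

Against a live endpoint, `openssl s_client -connect host:port -showcerts` lists the certificates the server actually sends, which shows whether the intermediate is being presented.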
