Hints to start with:

* https://mozilla.github.io/server-side-tls/ssl-config-generator/
* https://www.ssllabs.com/ssltest/
* https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

You definitely need to set up the WSGI as, yes, the eventlet is deprecated. Enjoy your TLS setup :)

Bye.

On 22/09/2016 15:16, Mohammed Naser wrote:
I'm fairly sure the parameters under [ssl] are only for using the
deprecated eventlet server.  You'll need to add your SSL configuration
to the Apache VirtualHost in order to be able to get access to SSL

Good luck!

On Wed, Sep 21, 2016 at 11:14 PM, zhangjian
<zhangjian2...@cn.fujitsu.com> wrote:
Hi, all


I have a Mitaka environment created by Packstack, and I tried to configure
Keystone to use SSL, but failed. Can anyone help me?
# keystone is a wsgi service now.


The configuration steps are as follows:
===============
# keystone-manage ssl_setup --keystone-user keystone --keystone-group keystone
# chown -R keystone:keystone /etc/keystone/ssl
# keystone endpoint-create --service keystone --region RegionOne --publicurl https://{FQDN}:5000/v2.0 --internalurl https://{FQDN}:5000/v2.0 --adminurl https://{FQDN}:35357/v2.0
# cat /etc/keystone/keystone.conf
  ... ...
  [ssl]
  enable=True
  certfile = /etc/keystone/ssl/certs/keystone.pem
  keyfile = /etc/keystone/ssl/private/keystonekey.pem
  ca_certs = /etc/keystone/ssl/certs/ca.pem
  ca_key = /etc/keystone/ssl/private/cakey.pem

# cat keystonerc_admin
... ...
export OS_AUTH_URL=https://FQDN:5000/v2.0


# keystone endpoint-delete Old_Endpoint_For_Keystone
Unable to delete endpoint.


# systemctl restart httpd
# source keystonerc_admin

# openstack project list
Discovering versions from the identity service failed when creating the
password plugin. Attempting to determine version from URL.
SSL exception connecting to https://FQDN:5000/v2.0/tokens: [SSL:
UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:765)
===============

Regards,
Kenn

_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
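
An added example, not part of the original thread: the `UNKNOWN_PROTOCOL` error above is what a TLS client reports when the listener answers in something other than TLS, which fits the replies' point that the `[ssl]` options do not affect Apache. This sketch checks whether a port speaks TLS or plain HTTP; the name `probe_listener`, its return labels and the default host are assumptions, and recent OpenSSL builds typically report the same condition as `WRONG_VERSION_NUMBER`.

```python
import socket
import ssl
import sys


def probe_listener(host, port, timeout=3.0):
    """Return (kind, detail); kind is 'tls', 'plain-http', 'unknown' or 'unreachable'."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "unreachable", str(exc)

    # Step 1: try a TLS handshake. Certificate checks are off on purpose:
    # the question here is "does this port speak TLS at all?", not "is the
    # certificate trusted?". Do not reuse this context for real traffic.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "tls", tls.version()
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        handshake_error = getattr(exc, "reason", None) or str(exc)
    finally:
        raw.close()

    # Step 2: the handshake failed, so see whether the port answers plain HTTP.
    try:
        with socket.create_connection((host, port), timeout=timeout) as plain:
            plain.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            reply = plain.recv(64)
    except OSError:
        reply = b""
    if reply.startswith(b"HTTP/"):
        return "plain-http", handshake_error
    return "unknown", handshake_error


if __name__ == "__main__":
    # Default port is the Keystone public port from the thread; host is an assumption.
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5000
    kind, detail = probe_listener(host, port)
    print(f"{host}:{port} -> {kind} ({detail})")
```

A `plain-http` result on port 5000 or 35357 means the Apache VirtualHost for Keystone is still serving without SSL, whatever `keystone.conf` says.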

