Hints to start with:
* https://mozilla.github.io/server-side-tls/ssl-config-generator/
* https://www.ssllabs.com/ssltest/
* https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
You definitely need to set up the WSGI as, yes, the eventlet is
deprecated. Enjoy your TLS setup :)
Bye.
On 22/09/2016 15:16, Mohammed Naser wrote:
I'm fairly sure the parameters under [ssl] are only for using the
deprecated eventlet server. You'll need to add your SSL configuration
to the Apache VirtualHost in order to be able to get access to SSL
Good luck!
On Wed, Sep 21, 2016 at 11:14 PM, zhangjian
<[email protected]> wrote:
Hi, all
I have a Mitaka environment created by packstack, and I tried to configure
the keystone to use SSL, but failed. Can anyone help me?
# keystone is a wsgi service now.
Configuration steps are as follows:
===============
# keystone-manage ssl_setup --keystone-user keystone --keystone-group keystone
# chown -R keystone:keystone /etc/keystone/ssl
# keystone endpoint-create --service keystone --region RegionOne \
    --publicurl https://{FQDN}:5000/v2.0 \
    --internalurl https://{FQDN}:5000/v2.0 \
    --adminurl https://{FQDN}:35357/v2.0
# cat /etc/keystone/keystone.conf
... ...
[ssl]
enable=True
certfile = /etc/keystone/ssl/certs/keystone.pem
keyfile = /etc/keystone/ssl/private/keystonekey.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
ca_key = /etc/keystone/ssl/private/cakey.pem
# cat keystonerc_admin
... ...
export OS_AUTH_URL=https://FQDN:5000/v2.0
# keystone endpoint-delete Old_Endpoint_For_Keystone
Unable to delete endpoint.
# systemctl restart httpd
# source keystonerc_admin
# openstack project list
Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
SSL exception connecting to https://FQDN:5000/v2.0/tokens: [SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:765)
===============
Regards,
Kenn
_______________________________________________
OpenStack-operators mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
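
The `[SSL: UNKNOWN_PROTOCOL]` error in the thread is consistent with a TLS client receiving a plain HTTP answer, which is what happens when the Apache VirtualHost serving keystone has no TLS configured. As an added example (not part of any message in this thread), this Python probe classifies what a listener such as port 5000 or 35357 actually speaks; the function name `probe_port` and its result labels are assumptions of this example.

```python
import socket
import ssl
import sys


def probe_port(host, port, timeout=3.0):
    """Classify a listener as 'tls', 'plaintext-http', 'unreachable' or 'unknown'.

    Returns (kind, detail). Hypothetical helper written for this example.
    """
    # Diagnosis only: certificate checks are off because the goal is to learn
    # which protocol the port speaks, not to trust anything it sends.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("unreachable", str(exc))
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ("tls", tls.version())
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        handshake_error = str(exc)
    finally:
        raw.close()
    # The handshake failed, so ask the same port a plain HTTP question.
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            banner = s.recv(16)
    except OSError as exc:
        return ("unknown", f"{handshake_error}; {exc}")
    if banner.startswith(b"HTTP/"):
        return ("plaintext-http", handshake_error)
    return ("unknown", handshake_error)


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python probe.py <host> <port>
    kind, detail = probe_port(sys.argv[1], int(sys.argv[2]))
    print(f"{sys.argv[1]}:{sys.argv[2]} -> {kind} ({detail})")
```

Read the detail string alongside the label: a TLS listener that rejects the handshake for another reason may still answer a plain HTTP request with an error page, so `plaintext-http` is only conclusive when the handshake error is an unknown-protocol or wrong-version one.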