I'm having a strange issue with keystone after migrating all public endpoints to https (haproxy terminates the SSL connection for each service):

openstack endpoint list

+----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
| ID                               | Region    | Service Name | Service Type   | Enabled | Interface | URL                                             |
+----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
...
| 99d302d00ab3461cb9362236c865a430 | RegionOne | keystone     | identity       | True    | public    | https://some.domain.place:5000/v3               |
...

I have also updated my rc files appropriately. Whenever I try and use the CLI against the public endpoints in debug mode, everything starts out looking good:

REQ: curl -g -i -X GET https://some.domain.place:5000/v3 -H "Accept: application/json" -H "User-Agent: osc-lib keystoneauth1/2.12.1 python-requests/2.11.1 CPython/2.7.9"

But then, the response body gives a non-https URL:

RESP BODY: {"version": {"status": "stable", "updated": "2016-10-06T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.7", "links": [{"href": "http://some.domain.place:5000/v3/", "rel": "self"}]}}

and then the attempt to authenticate fails:

Making authentication request to http://some.domain.place:5000/v3/auth/tokens
Starting new HTTP connection (1): some.domain.place
Unable to establish connection to http://some.domain.place:5000/v3/auth/tokens

I've restarted apache2 on my keystone hosts and I have scoured the database for any reference to a non-https public endpoint for keystone; I cannot find one.

Does anyone know why my response body is giving the wrong URL? Horizon works perfectly fine with the https endpoints; it's just the command line clients that are having issues.

Thanks in advance,

--
v/r

Chris Apsey
[email protected]
https://www.bitskrieg.net

_______________________________________________
OpenStack-operators mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
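
An added example, not part of the original post: a check that compares the scheme of the URL the client requested with every `links` href in an identity version document, so that a downgrade from https to http (which would send the authentication request in cleartext) is flagged before credentials are used. The function names are hypothetical, and the sample input is constructed from the request and response body quoted in the message above.

```python
import json
from urllib.parse import urlsplit

# Constructed sample input: request URL and RESP BODY as quoted in the post.
SAMPLE_REQUEST_URL = "https://some.domain.place:5000/v3"
SAMPLE_BODY = (
    '{"version": {"status": "stable", "updated": "2016-10-06T00:00:00Z", '
    '"media-types": [{"base": "application/json", '
    '"type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.7", '
    '"links": [{"href": "http://some.domain.place:5000/v3/", "rel": "self"}]}}'
)


def iter_links(node):
    """Yield (rel, href) for every entry of any 'links' list in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "links" and isinstance(value, list):
                for link in value:
                    if isinstance(link, dict) and "href" in link:
                        yield link.get("rel"), link["href"]
            else:
                yield from iter_links(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_links(item)


def find_scheme_mismatches(request_url, body):
    """Return advertised links whose scheme differs from the requested one."""
    requested = urlsplit(request_url)
    findings = []
    for rel, href in iter_links(json.loads(body)):
        advertised = urlsplit(href)
        if not advertised.scheme:  # relative href: inherits the request scheme
            continue
        if advertised.scheme != requested.scheme:
            findings.append({
                "rel": rel,
                "href": href,
                # True when a TLS request was answered with a cleartext link
                "downgrade": requested.scheme == "https" and advertised.scheme == "http",
            })
    return findings


if __name__ == "__main__":
    for finding in find_scheme_mismatches(SAMPLE_REQUEST_URL, SAMPLE_BODY):
        print(finding)
```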
