mohammad kashif wrote:
> Hi
> I am trying to set up SSL-enabled keystone using an external CA.
>
> My keystone.conf settings regarding SSL are:
>
> [signing]
> certfile=/etc/grid-security/cert.pem
> keyfile=/etc/grid-security/key.pem
> ca_certs=/etc/grid-security/certificates/UKeScienceRoot-2007.pem
> key_size=2048
> cert_subject=< DN of cert>
>
> [ssl]
> enable=True
> certfile=/etc/grid-security/cert.pem
> keyfile=/etc/grid-security/key.pem
> ca_certs=/etc/grid-security/certificates/UKeScienceRoot-2007.pem
> cert_subject=<DN of Cert>
>
> I commented out the "ca_key" parameter, which I think is not needed for an
> external CA certificate.
>
> I can query keystone on the https endpoint with the --insecure option, but
> without the --insecure option it is failing with this error:
>
> INFO:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.31.1
> SSL exception connecting to https://192.168.31.1:35357/v2.0/users
>
> I also tried with the --os_cacert option.
>
> I am using OpenStack Icehouse.
>
> Can someone help me in troubleshooting this problem?

Yes, unfortunately right now keystone doesn't display the actual problem, just that one has occurred. This is being addressed in https://review.openstack.org/#/c/129769/ and it is probably worthwhile to make this one-line change to see exactly what is going on.

Were I to guess it's because you're using the IP address rather than the FQDN. The host you request needs to match the CN in the subject of the certificate.

rob
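
The host-versus-certificate check described in the reply above, as an added example that is not part of the original thread or of keystone's code. It assumes a constructed certificate in the dict shape Python's `ssl` module returns from `getpeercert()`, a hypothetical FQDN `keystone.example.org`, and RFC 2818 style matching rules; the client library actually in use may differ in details.

```python
import ipaddress

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
# keystone.example.org is a hypothetical FQDN; the thread does not give the real one.
SAMPLE_CERT = {
    "subject": ((("countryName", "UK"),), (("commonName", "keystone.example.org"),)),
    "subjectAltName": (("DNS", "keystone.example.org"),),
}

def _dns_match(pattern, host):
    """Compare one certificate name with the host; '*' may stand for the leftmost label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_host(cert, host):
    """Return (ok, reason): is the certificate valid for the host the client asked for?"""
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # RFC 2818: a request by IP must match an iPAddress SAN entry; CN and DNS names do not count.
        if any(ipaddress.ip_address(v.strip()) == ip for v in ip_names):
            return True, "matched IP Address SAN"
        return False, "requested by IP but certificate has no matching IP Address SAN"
    # The subject CN is consulted only when the certificate carries no DNS SAN entries.
    names = dns_names or cns
    for name in names:
        if _dns_match(name, host):
            return True, "matched " + name
    return False, "host not in certificate names: " + ", ".join(names)

if __name__ == "__main__":
    for target in ("192.168.31.1", "keystone.example.org"):
        print(target, check_host(SAMPLE_CERT, target))
```

Running the same check against the dict from `getpeercert()` on a live connection to the endpoint shows which names the server certificate actually carries.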
