Hi Rob

Thanks for pointing to the above patch. The problem was that it could not verify the CA certificate. I was trying to pass the CA root certificate with the --os_cacert parameter but it didn't work. Copying the CA root certificate to /etc/pki/ca-trust/source/anchors and enabling update-ca-trust did the trick.

Cheers
Kashif

On Tue, Nov 4, 2014 at 9:14 PM, Rob Crittenden <[email protected]> wrote:

> mohammad kashif wrote:
> > Hi
> > I am trying to set up SSL-enabled keystone using an external CA
> >
> > my keystone.conf settings regarding ssl are
> >
> > [signing]
> > certfile=/etc/grid-security/cert.pem
> > keyfile=/etc/grid-security/key.pem
> > ca_certs=/etc/grid-security/certificates/UKeScienceRoot-2007.pem
> > key_size=2048
> > cert_subject=< DN of cert>
> >
> > [ssl]
> > enable=True
> > certfile=/etc/grid-security/cert.pem
> > keyfile=/etc/grid-security/key.pem
> > ca_certs=/etc/grid-security/certificates/UKeScienceRoot-2007.pem
> > cert_subject=<DN of Cert>
> >
> > I commented out the "ca_key" parameter, which I think is not needed for
> > an external CA certificate.
> >
> > I can query keystone on the https endpoint with the --insecure option, but
> > without the --insecure option it is failing with this error
> >
> > INFO:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.31.1
> > SSL exception connecting to https://192.168.31.1:35357/v2.0/users
> >
> > I also tried with the --os_cacert option.
> >
> > I am using openstack icehouse.
> >
> > Can someone help me in troubleshooting this problem?
>
> Yes, unfortunately right now keystone doesn't display the actual
> problem, just that one has occurred. This is being addressed in
> https://review.openstack.org/#/c/129769/ and it is probably worthwhile
> to make this one-line change to see exactly what is going on.
>
> Were I to guess it's because you're using the IP address rather than the
> FQDN. The host you request needs to match the CN in the subject of the
> certificate.
>
> rob
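
A diagnostic for the failure discussed in this thread, as an added example that is not part of the original messages or of keystone: it performs a fully verified TLS handshake and reports the OpenSSL verify code that the client output above reduces to "SSL exception", separating trust failures (issuing CA not found) from name failures (IP address or hostname not in the certificate). The function names, the hint wording and the script name `check_tls.py` are assumptions of this example.

```python
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* verify codes mapped to the likely cause (hint text is ours).
HINTS = {
    10: "certificate has expired",
    18: "server certificate is self-signed and not in the CA file",
    19: "chain ends in a root that is not in the CA file",
    20: "issuing CA not found in the CA file or system trust store",
    62: "hostname mismatch: requested name is not in the certificate",
    64: "IP mismatch: connected by IP, certificate has no matching IP entry",
}

def explain(exc):
    """Turn a TLS failure into (category, detail) instead of a bare 'SSL exception'."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        code = exc.verify_code
        category = "name" if code in (62, 64) else "trust"
        return category, f"{HINTS.get(code, exc.verify_message)} (verify code {code})"
    if isinstance(exc, ssl.SSLError):
        return "tls", getattr(exc, "reason", None) or str(exc)
    return "network", str(exc)

def check_endpoint(host, port, cafile=None, timeout=5.0):
    """Handshake with verification on; cafile=None means the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            # server_hostname is what gets matched against the certificate,
            # so pass exactly the name or IP that the client is configured with.
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", tls.version()
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return explain(exc)

if __name__ == "__main__" and len(sys.argv) >= 3:
    # usage: python check_tls.py HOST PORT [CA_BUNDLE.pem]
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    print(*check_endpoint(sys.argv[1], int(sys.argv[2]), ca), sep=": ")
```

Run it once with the CA file and once without: a "trust" result only in the second run means the CA is missing from the system store, while a "name" result in both runs points at the address used to reach the endpoint.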
