On 04/21/2015 08:25 AM, Daniel Marks wrote:
Hi all,
Being on OpenStack Icehouse 2014.1.3, I am trying to exchange the default token
signing certificate (the one generated during installation of the .deb package)
with one signed by our CA. I followed
http://docs.openstack.org/admin-guide-cloud/content/certificates-for-pki.html
for certificate creation and signed the request with our (intermediate) CA
cert. I am pretty sure the certificate is okay - I can sign and verify stuff
using openssl:
$ sudo openssl cms -sign -inkey private/signing_key.pem -nosmimecap -nodetach
-nocerts -noattr -signer certs/signing_cert.pem -out /tmp/test_token
test9876
$ sudo openssl cms -verify -certfile certs/signing_cert.pem -CAfile certs/ca.pem
-nosmimecap -nodetach -nocerts -noattr < /tmp/test_token
test9876
Verification successful
However, when I deploy the new ca.pem, signing_cert.pem and signing_key.pem to
keystone, everything except keystone breaks.
You probably need to wipe out the old certificates cached on the various
servers. The certificates are fetched on demand, so just deleting the
cached certs and restarting should do it for you.
http://adam.younglogic.com/2013/07/troubleshooting-pki-middleware/
$ keystone user-list
+----------------------------------+------------------+---------+---------------------------------+
| id                               | name             | enabled | email                           |
+----------------------------------+------------------+---------+---------------------------------+
| befedd5af2bf49158a326dce5650bdbe | admin            | True    | [email protected]             |
…
$ glance image-list
Request returned failure status.
Invalid OpenStack Identity credentials.
glance/api.log:
2015-04-21 13:58:22.270 9193 WARNING keystoneclient.middleware.auth_token [-]
Verify error: Command 'openssl' returned non-zero exit status 4
2015-04-21 13:58:22.271 9193 WARNING keystoneclient.middleware.auth_token [-]
Authorization failed for token
I have no problem using the same credentials and the certs generated during
installation.
I am feeling like I am missing something obvious, but I can't figure out what.
Any help is appreciated.
Best regards,
Daniel
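The stale-cache check Adam's reply points at, as an added example (not code from the thread or from keystoneclient): it compares the signing cert and CA cert that the auth_token middleware has cached in a service's signing_dir with the copies Keystone currently serves and lists the cached files that must be deleted before the restart. The file names signing_cert.pem / cacert.pem and the v2.0 certificate endpoints are my recollection of the middleware's defaults, so treat them as assumptions; the PEM contents are constructed stand-ins, not real certificates.

```python
"""Added example, not code from the thread or from keystoneclient: detect the
stale-cache failure Adam describes. auth_token caches Keystone's signing cert
and CA cert in its signing_dir and fetches them only on demand, so after the
certs are swapped on Keystone the cached copies no longer verify tokens.
File names and endpoints below are assumed defaults of the middleware."""
import base64
import hashlib
import os
import re

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# cached file name -> Keystone v2 endpoint the middleware fetches it from
CACHED_FILES = {"signing_cert.pem": "/v2.0/certificates/signing",
                "cacert.pem": "/v2.0/certificates/ca"}


def fingerprints(pem_text):
    """SHA-256 over the DER of each certificate in a PEM bundle, in order,
    so line-wrapping or comment differences between copies are ignored."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_CERT.findall(pem_text)]


def stale_cached_files(cached, served):
    """cached: {name: pem} read from a service's signing_dir;
    served: {name: pem} freshly fetched from Keystone.
    Returns cached files whose certificates differ from what Keystone serves
    now; delete those and restart the service so they are re-fetched.
    A file absent from the cache is not stale: the middleware fetches it."""
    return [name for name in CACHED_FILES
            if name in cached and name in served
            and fingerprints(cached[name]) != fingerprints(served[name])]


def check_signing_dir(signing_dir, served):
    """Read the middleware's cache from disk and report the stale files."""
    cached = {}
    for name in CACHED_FILES:
        path = os.path.join(signing_dir, name)
        if os.path.exists(path):
            with open(path) as fh:
                cached[name] = fh.read()
    return stale_cached_files(cached, served)


def fake_pem(payload):
    """Constructed stand-in for a certificate (PEM armour around bytes), only
    to exercise the comparison offline; not a real certificate."""
    return ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
            % base64.b64encode(payload).decode())
```

Run it on each service host with `served` filled from Keystone's certificate endpoints and `signing_dir` set to that service's configured cache directory; an empty result means the cache already matches and the failure lies elsewhere.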
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : [email protected]
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack