[Yahoo-eng-team] [Bug 1370022] Re: Keystone cannot cope with being behind an SSL terminator for version list
** Changed in: keystone
Status: Fix Committed = Fix Released
** Changed in: keystone
Milestone: None = kilo-2
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1370022
Title:
Keystone cannot cope with being behind an SSL terminator for version
list
Status in OpenStack Identity (Keystone):
Fix Released
Bug description:
When keystone set up behind SSL termintator then it returns 'http' as
protocol in URLs returned by version list command -
user@host:~$ curl https://MYHOST:5000/
{versions: {values: [{status: stable, updated:
2013-03-06T00:00:00Z, media-types: [{base: application/json,
type: application/vnd.openstack.identity-v3+json}, {base:
application/xml, type:
application/vnd.openstack.identity-v3+xml}], id: v3.0, links:
[{href: http://MYHOST:5000/v3/;, rel: self}]}, {status:
stable, updated: 2014-04-17T00:00:00Z, media-types: [{base:
application/json, type:
application/vnd.openstack.identity-v2.0+json}, {base:
application/xml, type:
application/vnd.openstack.identity-v2.0+xml}], id: v2.0,
links: [{href: http://MYHOST:5000/v2.0/;, rel: self},
{href: http://docs.openstack.org/api/openstack-identity-
service/2.0/content/, type: text/html, rel: describedby},
{href: http://docs.openstack.org/api/openstack-identity-service/2.0
/identity-dev-guide-2.0.pdf, type: application/pdf, rel:
describedby}]}]}}
my ha_proxyconfig -
frontend keystone_main_frontend
bind 172.31.7.253:5000
bind 172.31.7.252:5000 ssl crt /etc/haproxy/certs/runtime
reqadd X-Forwarded-Proto:\ https if { ssl_fc }
default_backend keystone_main_backend
option httpclose
option http-pretend-keepalive
option forwardfor
backend keystone_main_backend
server HOST1 172.31.0.10:5000 check
server HOST2 172.31.0.12:5000 check
server HOST3 172.31.0.16:5000 check
Similar bug is here https://bugs.launchpad.net/heat/+bug/123
And because of this bug last cinder client doesn't work -
user@host:~$cinder --os-username admin --os-tenant-name admin --os-password
password --os-auth-url https://MYHOST:5000/v2.0/ --endpoint-type publicURL
--debug list
ERROR: Unable to establish connection to http://MYHOST:5000/v2.0/tokens
Also - if I set public_endpoint and admin_endpoint in keystone.conf to use
'https' proto then all works.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1370022/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1370022] Re: Keystone cannot cope with being behind an SSL terminator for version list
** Changed in: keystone
Status: Invalid = New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1370022
Title:
Keystone cannot cope with being behind an SSL terminator for version
list
Status in OpenStack Identity (Keystone):
New
Bug description:
When keystone set up behind SSL termintator then it returns 'http' as
protocol in URLs returned by version list command -
user@host:~$ curl https://MYHOST:5000/
{versions: {values: [{status: stable, updated:
2013-03-06T00:00:00Z, media-types: [{base: application/json,
type: application/vnd.openstack.identity-v3+json}, {base:
application/xml, type:
application/vnd.openstack.identity-v3+xml}], id: v3.0, links:
[{href: http://MYHOST:5000/v3/;, rel: self}]}, {status:
stable, updated: 2014-04-17T00:00:00Z, media-types: [{base:
application/json, type:
application/vnd.openstack.identity-v2.0+json}, {base:
application/xml, type:
application/vnd.openstack.identity-v2.0+xml}], id: v2.0,
links: [{href: http://MYHOST:5000/v2.0/;, rel: self},
{href: http://docs.openstack.org/api/openstack-identity-
service/2.0/content/, type: text/html, rel: describedby},
{href: http://docs.openstack.org/api/openstack-identity-service/2.0
/identity-dev-guide-2.0.pdf, type: application/pdf, rel:
describedby}]}]}}
my ha_proxyconfig -
frontend keystone_main_frontend
bind 172.31.7.253:5000
bind 172.31.7.252:5000 ssl crt /etc/haproxy/certs/runtime
reqadd X-Forwarded-Proto:\ https if { ssl_fc }
default_backend keystone_main_backend
option httpclose
option http-pretend-keepalive
option forwardfor
backend keystone_main_backend
server HOST1 172.31.0.10:5000 check
server HOST2 172.31.0.12:5000 check
server HOST3 172.31.0.16:5000 check
Similar bug is here https://bugs.launchpad.net/heat/+bug/123
And because of this bug last cinder client doesn't work -
user@host:~$cinder --os-username admin --os-tenant-name admin --os-password
password --os-auth-url https://MYHOST:5000/v2.0/ --endpoint-type publicURL
--debug list
ERROR: Unable to establish connection to http://MYHOST:5000/v2.0/tokens
Also - if I set public_endpoint and admin_endpoint in keystone.conf to use
'https' proto then all works.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1370022/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1370022] Re: Keystone cannot cope with being behind an SSL terminator for version list
Andrey, you'll need to set 'https' in your keystone configuration in
order to use SSL with Keystone.
Maybe we can look for an opportunity to improve the documentation.
** Changed in: keystone
Status: New = Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1370022
Title:
Keystone cannot cope with being behind an SSL terminator for version
list
Status in OpenStack Identity (Keystone):
Invalid
Bug description:
When keystone set up behind SSL termintator then it returns 'http' as
protocol in URLs returned by version list command -
user@host:~$ curl https://MYHOST:5000/
{versions: {values: [{status: stable, updated:
2013-03-06T00:00:00Z, media-types: [{base: application/json,
type: application/vnd.openstack.identity-v3+json}, {base:
application/xml, type:
application/vnd.openstack.identity-v3+xml}], id: v3.0, links:
[{href: http://MYHOST:5000/v3/;, rel: self}]}, {status:
stable, updated: 2014-04-17T00:00:00Z, media-types: [{base:
application/json, type:
application/vnd.openstack.identity-v2.0+json}, {base:
application/xml, type:
application/vnd.openstack.identity-v2.0+xml}], id: v2.0,
links: [{href: http://MYHOST:5000/v2.0/;, rel: self},
{href: http://docs.openstack.org/api/openstack-identity-
service/2.0/content/, type: text/html, rel: describedby},
{href: http://docs.openstack.org/api/openstack-identity-service/2.0
/identity-dev-guide-2.0.pdf, type: application/pdf, rel:
describedby}]}]}}
my ha_proxyconfig -
frontend keystone_main_frontend
bind 172.31.7.253:5000
bind 172.31.7.252:5000 ssl crt /etc/haproxy/certs/runtime
reqadd X-Forwarded-Proto:\ https if { ssl_fc }
default_backend keystone_main_backend
option httpclose
option http-pretend-keepalive
option forwardfor
backend keystone_main_backend
server HOST1 172.31.0.10:5000 check
server HOST2 172.31.0.12:5000 check
server HOST3 172.31.0.16:5000 check
Similar bug is here https://bugs.launchpad.net/heat/+bug/123
And because of this bug last cinder client doesn't work -
user@host:~$cinder --os-username admin --os-tenant-name admin --os-password
password --os-auth-url https://MYHOST:5000/v2.0/ --endpoint-type publicURL
--debug list
ERROR: Unable to establish connection to http://MYHOST:5000/v2.0/tokens
Also - if I set public_endpoint and admin_endpoint in keystone.conf to use
'https' proto then all works.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1370022/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
