[Yahoo-eng-team] [Bug 1370022] Re: Keystone cannot cope with being behind an SSL terminator for version list
** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => kilo-2

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1370022

Title:
  Keystone cannot cope with being behind an SSL terminator for version list

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  When keystone is set up behind an SSL terminator then it returns 'http' as
  protocol in URLs returned by version list command -

  user@host:~$ curl https://MYHOST:5000/
  {versions: {values: [{status: stable, updated: 2013-03-06T00:00:00Z,
  media-types: [{base: application/json, type: application/vnd.openstack.identity-v3+json},
  {base: application/xml, type: application/vnd.openstack.identity-v3+xml}],
  id: v3.0, links: [{href: http://MYHOST:5000/v3/;, rel: self}]},
  {status: stable, updated: 2014-04-17T00:00:00Z,
  media-types: [{base: application/json, type: application/vnd.openstack.identity-v2.0+json},
  {base: application/xml, type: application/vnd.openstack.identity-v2.0+xml}],
  id: v2.0, links: [{href: http://MYHOST:5000/v2.0/;, rel: self},
  {href: http://docs.openstack.org/api/openstack-identity-service/2.0/content/,
  type: text/html, rel: describedby},
  {href: http://docs.openstack.org/api/openstack-identity-service/2.0/identity-dev-guide-2.0.pdf,
  type: application/pdf, rel: describedby}]}]}}

  my ha_proxy config -

  frontend keystone_main_frontend
    bind 172.31.7.253:5000
    bind 172.31.7.252:5000 ssl crt /etc/haproxy/certs/runtime
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }
    default_backend keystone_main_backend
    option httpclose
    option http-pretend-keepalive
    option forwardfor

  backend keystone_main_backend
    server HOST1 172.31.0.10:5000 check
    server HOST2 172.31.0.12:5000 check
    server HOST3 172.31.0.16:5000 check

  Similar bug is here https://bugs.launchpad.net/heat/+bug/123

  And because of this bug last cinder client doesn't work -

  user@host:~$ cinder --os-username admin --os-tenant-name admin --os-password password --os-auth-url https://MYHOST:5000/v2.0/ --endpoint-type publicURL --debug list
  ERROR: Unable to establish connection to http://MYHOST:5000/v2.0/tokens

  Also - if I set public_endpoint and admin_endpoint in keystone.conf to
  use 'https' proto then all works.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1370022/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
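
Added example, not Keystone's code and not part of the thread: a sketch of how a backend behind the terminator described above could choose the scheme for its version-list links, preferring a configured public endpoint and honouring X-Forwarded-Proto only from the terminator's own address. The helper names, the trusted proxy address 172.31.0.5 and the sample WSGI environs are assumptions constructed for illustration.

```python
import ipaddress

# Assumption (constructed): the address the TLS terminator connects from.
TRUSTED_PROXIES = [ipaddress.ip_network("172.31.0.5/32")]


def base_url(environ, public_endpoint=None, trusted=TRUSTED_PROXIES):
    """Return the base URL to embed in version-list links (hypothetical helper)."""
    # An operator-configured endpoint always wins (the workaround in the report).
    if public_endpoint:
        return public_endpoint.rstrip("/") + "/"

    scheme = environ.get("wsgi.url_scheme", "http")
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    # Honour X-Forwarded-Proto only when the direct peer is the terminator;
    # any other client could have set the header itself.
    if any(peer in net for net in trusted):
        # If several values were merged, use the last one (added nearest to us).
        value = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[-1]
        if value.strip().lower() in ("http", "https"):
            scheme = value.strip().lower()
    return "%s://%s/" % (scheme, environ["HTTP_HOST"])


def version_links(environ, public_endpoint=None):
    """Build the 'self' link for each API version from the derived base URL."""
    root = base_url(environ, public_endpoint)
    return {version: root + version + "/" for version in ("v3", "v2.0")}


# Constructed WSGI environ: plain HTTP hop from the terminator to the backend.
VIA_PROXY = {
    "wsgi.url_scheme": "http",
    "REMOTE_ADDR": "172.31.0.5",
    "HTTP_HOST": "MYHOST:5000",
    "HTTP_X_FORWARDED_PROTO": "https",
}
# Constructed: the same header sent by a peer that is not the terminator.
DIRECT = dict(VIA_PROXY, REMOTE_ADDR="203.0.113.7")

if __name__ == "__main__":
    print(version_links(VIA_PROXY))   # https links
    print(version_links(DIRECT))      # header ignored, http links
    print(version_links(DIRECT, public_endpoint="https://MYHOST:5000"))
```
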
[Yahoo-eng-team] [Bug 1370022] Re: Keystone cannot cope with being behind an SSL terminator for version list
** Changed in: keystone
       Status: Invalid => New

Status in OpenStack Identity (Keystone):
  New
[Yahoo-eng-team] [Bug 1370022] Re: Keystone cannot cope with being behind an SSL terminator for version list
Andrey, you'll need to set 'https' in your keystone configuration in
order to use SSL with Keystone. Maybe we can look for an opportunity to
improve the documentation.

** Changed in: keystone
       Status: New => Invalid

Status in OpenStack Identity (Keystone):
  Invalid