Reviewed:  https://review.openstack.org/24928
Committed: http://github.com/openstack/openstack-manuals/commit/d49fcf47e12b7af43544c9651edb427d318280e2
Submitter: Jenkins
Branch:    master

commit d49fcf47e12b7af43544c9651edb427d318280e2
Author: annegentle <[email protected]>
Date:   Wed Mar 20 15:38:05 2013 -0500

    Warn users about possible problems when creating pki certs.

    Fix bug 1031372

    Change-Id: I1902de5adb859e2d1d4eee27502e00b9d3d6dcff

** Changed in: openstack-manuals
       Status: Triaged => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1031372

Title:
  PKI certs not readable by keystone user

Status in OpenStack Identity (Keystone):
  Fix Released
Status in OpenStack Manuals:
  Fix Released

Bug description:
  Most users are going to run 'keystone-manage pki_setup' as root. This
  generates a set of certificates and keys in /etc/keystone/ssl* which
  is owned by root:root.

  This is problematic when trying to then run the Keystone daemon under
  the 'keystone' user account (nologin) when trying to run PKI. Unless
  you manually chown the files keystone:keystone you'll get an error
  like this:

  2012-07-31 11:10:53 ERROR [keystone.common.cms] Error opening signing key file /etc/keystone/ssl/private/signing_key.pem
  140380567730016:error:0200100D:system library:fopen:Permission denied:bss_file.c:398:fopen('/etc/keystone/ssl/private/signing_key.pem','r')
  140380567730016:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
  unable to load signing key file

  -----

  Is there anything we could/should do to make configuring PKI certs a
  bit more streamlined?

  Until then I suppose we should make sure our documentation mentions
  the certs need to be readable by the keystone daemon user.
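
An added example, not part of the bug report or of Keystone's code: a pre-start check that walks the signing key's path and reports why the daemon user would get the "Permission denied" above, and whether the key is exposed beyond its owner. The uid 163, the file modes and the helper names are constructed for illustration; only the path and the root:root ownership come from the report.

```python
import os
import stat
from collections import namedtuple

# Stand-in for os.stat_result so the check can run on constructed data.
Meta = namedtuple("Meta", "st_uid st_gid st_mode")

def class_bits(meta, uid, gids):
    """rwx bits POSIX applies to a non-root caller: owner, else group, else other."""
    if meta.st_uid == uid:
        return (meta.st_mode >> 6) & 7
    if meta.st_gid in gids:
        return (meta.st_mode >> 3) & 7
    return meta.st_mode & 7

def audit_key(path, uid, gids, stat_fn=os.stat):
    """Return findings for a private key the daemon (uid, gids) must read.
    Assumes plain mode bits only: no ACLs, capabilities or MAC policy."""
    findings = []
    parts = path.strip("/").split("/")
    dirs = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    for d in dirs:  # each parent directory needs the search (x) bit
        if not class_bits(stat_fn(d), uid, gids) & 1:
            findings.append(f"cannot traverse {d}")
    meta = stat_fn(path)
    mode = stat.S_IMODE(meta.st_mode)
    if not class_bits(meta, uid, gids) & 4:
        findings.append(f"cannot read {path} (uid {meta.st_uid}, mode {mode:04o})")
    if mode & 0o077:
        findings.append(f"{path} exposed beyond owner (mode {mode:04o})")
    return findings

KEY = "/etc/keystone/ssl/private/signing_key.pem"
KEYSTONE_UID = 163  # constructed value; look up the real one with pwd.getpwnam
PUBLIC_DIR = Meta(0, 0, 0o40755)

def tree(private_dir, key):
    """Constructed stat data for the path in the bug report."""
    t = {d: PUBLIC_DIR for d in ("/", "/etc", "/etc/keystone", "/etc/keystone/ssl")}
    t["/etc/keystone/ssl/private"] = private_dir
    t[KEY] = key
    return t

# Constructed modes: root-owned after pki_setup as root, then after chown keystone:keystone.
AS_ROOT = tree(Meta(0, 0, 0o40750), Meta(0, 0, 0o100640))
FIXED = tree(Meta(KEYSTONE_UID, KEYSTONE_UID, 0o40700), Meta(KEYSTONE_UID, KEYSTONE_UID, 0o100600))

if __name__ == "__main__":
    for name, t in (("root-owned", AS_ROOT), ("chowned", FIXED)):
        print(name, audit_key(KEY, KEYSTONE_UID, {KEYSTONE_UID}, t.__getitem__))
```

On a live host, call `audit_key` with the default `stat_fn` and the uid and group ids of the account the daemon runs as.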

