log errors when signing/verification fail

Bug #1031317 reported by Dan Prince
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Dan Prince

Bug Description

When using Keystone w/ PKI enabled a user might see a log message like this in the log file:

2012-07-31 01:45:03 ERROR [root] Command 'openssl' returned non-zero exit status 3
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 204, in __call__
    result = method(context, **params)
  File "/usr/lib/python2.7/site-packages/keystone/service.py", line 442, in authenticate
    config.CONF.signing.keyfile)
  File "/usr/lib/python2.7/site-packages/keystone/common/cms.py", line 72, in cms_sign_text
    "openssl", output=output)
CalledProcessError: Command 'openssl' returned non-zero exit status 3

-----

This can be a bit confusing... in my case the error was due to permission issues on the keys in /etc/keystone/ssl/* due to the fact that they were root:root but I run the keystone daemon via package w/ a nologin keystone user account.

The error I actually wanted to see in the log file was this... which I got by adding some manual logging to common/cms.py:

2012-07-31 11:10:53 ERROR [keystone.common.cms] Error opening signing key file /etc/keystone/ssl/private/signing_key.pem
140380567730016:error:0200100D:system library:fopen:Permission denied:bss_file.c:398:fopen('/etc/keystone/ssl/private/signing_key.pem','r')
140380567730016:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load signing key file

Dan Prince (dan-prince)
Changed in keystone:
assignee: nobody → Dan Prince (dan-prince)
importance: Undecided → Medium
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/10599

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/10599
Committed: http://github.com/openstack/keystone/commit/2b2d0a15311fb1e9b6369374dfd5e0b49e4bf7a8
Submitter: Jenkins
Branch: master

commit 2b2d0a15311fb1e9b6369374dfd5e0b49e4bf7a8
Author: Dan Prince <email address hidden>
Date: Tue Jul 31 07:49:49 2012 -0400

    Log errors when signing/verifying.

    The patch updates the PKI cms_verify and cms_sign_text methods so
    that they log full error messages to the log file when errors occur.
    These error messages will now include useful output from the openssl
    commands that failed (which should help end users better diagnose
    configuration issues with PKI). For example:

     2012-07-31 11:10:53 ERROR [keystone.common.cms] Error opening signing
     key file /etc/keystone/ssl/private/signing_key.pem
     140380567730016:error:0200100D:system library:fopen:Permission
     denied:bss_file.c:398:fopen('/etc/keystone/ssl/private/signing_key.pem','r')
     140380567730016:error:20074002:BIO routines:FILE_CTRL:system
     lib:bss_file.c:400:
     unable to load signing key file

    Previously you'd just get an error that looked like this:

     CalledProcessError: Command 'openssl' returned non-zero exit status 3

    Fixes LP Bug #1031317.

    Change-Id: I8990ef057488fe71d077a02b443da464f99fcd94

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → folsom-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: folsom-3 → 2012.2
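
The behaviour described in the commit message above, sketched as an added example (not the keystone code from the fix): a signing helper that captures the stderr of `openssl cms` and writes it to the log before raising, so a key-file permission problem shows up as openssl's own diagnostic instead of a bare exit status. The logger name, the `openssl` parameter and the sample paths are assumptions made for illustration.

```python
import logging
import subprocess

LOG = logging.getLogger("cms_example")  # hypothetical logger name


def cms_sign_text(text, signing_cert_file, signing_key_file, openssl="openssl"):
    """Sign text with `openssl cms`; on failure, log openssl's stderr first."""
    cmd = [openssl, "cms", "-sign",
           "-signer", signing_cert_file,
           "-inkey", signing_key_file,
           "-outform", "PEM", "-nosmime", "-nodetach", "-nocerts", "-noattr"]
    try:
        proc = subprocess.run(cmd, input=text.encode("utf-8"),
                              stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    except OSError as exc:
        # The binary itself is missing or not executable for this user.
        LOG.error("Could not run %s: %s", openssl, exc)
        raise
    if proc.returncode != 0:
        # Log the key file *path* and openssl's diagnostics, never key contents.
        LOG.error("Signing error (exit %d, key file %s): %s",
                  proc.returncode, signing_key_file,
                  proc.stderr.decode("utf-8", "replace").strip())
        raise subprocess.CalledProcessError(proc.returncode, openssl,
                                            output=proc.stdout)
    return proc.stdout.decode("ascii")


if __name__ == "__main__":
    logging.basicConfig(format="%(asctime)s %(levelname)s [%(name)s] %(message)s")
    try:
        # Constructed paths that do not exist, to trigger the failure branch.
        cms_sign_text("token body", "/nonexistent/signing_cert.pem",
                      "/nonexistent/signing_key.pem")
    except (subprocess.CalledProcessError, OSError) as exc:
        print("signing failed:", exc)
```

The exception still propagates to the caller unchanged; only the log record gains the detail needed to tell a permission problem from a malformed certificate.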