SSLError: [Errno 336265218] _ssl.c:351: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib for Keystone configuring with SSL.

Bug #1194001 reported by sasikiran
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Invalid | Undecided | Unassigned |

Bug Description

Hi,

Installed OpenStack Identity service (2013.1.1) through apt-get.
Ref Link: https://github.com/mseknibilel/OpenStack-Grizzly-Install-Guide/blob/OVS_SingleNode/OpenStack_Grizzly_Install_Guide.rst

I've configured SSL with keystone by following the below steps.

1) Created client, server and CA cert files using openssl.
Ref Link: https://forums.openvpn.net/topic10261.html

2) Created endpoints for keystone with HTTPS.

3) Configured in [ssl] of /etc/keystone/keystone.conf

 enable = True
 certfile = /root/certs/server_cert_key.pem (server cert + server key)
 keyfile = /root/certs/server.key (server key)
 ca_certs = /root/certs/ca.crt (Certificate Authority)
 cert_required = True

4) Created openrc

 export OS_TENANT_NAME=demo
 export OS_USERNAME=admin
 export OS_PASSWORD=secrete
 export OS_AUTH_URL=https://10.233.53.117:5000/v2.0/
 export OS_CERT=/root/certs/client_cert_key.pem (client cert + client key)
 export OS_CACERT=/root/certs/ca.crt (Certificate Authority)
 export OS_SERVICE_ENDPOINT=https://10.233.53.117:35357/v2.0/
 export OS_SERVICE_TOKEN=ADMIN
 export OS_REGION_NAME=RegionOne

5) Source openrc.

6) Started keystone using /usr/bin/keystone-all; then Keystone commands are working.

But the issue is when I start keystone using service keystone start. Then I'm getting the following error while trying to list users, tenants, endpoints etc.

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 135, in _run
    log=WritableLogger(log))
  File "/usr/lib/python2.7/dist-packages/eventlet/wsgi.py", line 663, in server
    client_socket = sock.accept()
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 279, in accept
    suppress_ragged_eofs=self.suppress_ragged_eofs)
  File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 46, in __init__
    super(GreenSSLSocket, self).__init__(sock.fd, *args, **kw)
  File "/usr/lib/python2.7/ssl.py", line 141, in __init__
    ciphers)
SSLError: [Errno 336265218] _ssl.c:351: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib

This is not working in the case of running keystone as service.

Thanks,
Sasikiran

Tags: pki
sasikiran (vaddi-kiran)
affects: launchpad → keystone
description: updated
Andre Naehring (naehring) wrote :

The user under which keystone runs should be granted filesystem access to the certificates. Put them in another location (maybe /etc/keystone/ssl) and chown them to the keystone user there. Then the service should start.

sasikiran (vaddi-kiran) wrote :

Thank you very much, it worked for me.

Dolph Mathews (dolph)
Changed in keystone:
status: New → Invalid
Dolph Mathews (dolph)
tags: added: pki
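
Added example (not part of the bug report or of Keystone): a check for the cause identified in the comments, walking every path component of the [ssl] files and reporting the first one the service account cannot pass, since a directory such as /root without search permission blocks the key as surely as the file's own mode. The function names and the account name "keystone" are assumptions; only classic mode bits are evaluated (no ACLs or MAC policy).

```python
import os
import pwd
import stat
import sys


def first_blocker(path, uid, gids, base=os.sep):
    """Return the first component under base that uid/gids cannot pass, else None.

    Directories need search (x); the file itself needs read (r).
    """
    path, base = os.path.abspath(path), os.path.abspath(base)
    chain = [base]
    for part in os.path.relpath(path, base).split(os.sep):
        chain.append(os.path.join(chain[-1], part))
    for component in chain:
        st = os.stat(component)
        need = 0o4 if component == path else 0o1
        # Pick the owner, group or other permission triplet for this identity.
        shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
        if not (st.st_mode >> shift) & need:
            return component
    return None


def key_exposed(path):
    """True if any group or other permission bit is set on the file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)


if __name__ == "__main__":  # run as root so every component can be stat()ed
    # Assumptions: service account "keystone"; paths as listed in the report.
    user = sys.argv[1] if len(sys.argv) > 1 else "keystone"
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    key_files = ["/root/certs/server_cert_key.pem", "/root/certs/server.key"]
    for f in key_files + ["/root/certs/ca.crt"]:
        try:
            blocker = first_blocker(f, pw.pw_uid, gids)
            verdict = "readable" if blocker is None else "blocked at " + blocker
            if f in key_files and key_exposed(f):
                verdict += "; key has group/other permission bits set"
        except OSError as exc:
            verdict = "cannot stat (%s)" % exc
        print("%s: %s" % (f, verdict))
```

After moving the files, the key should be readable by the service account while `key_exposed` stays false, for example owner keystone with mode 0600.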