Keystone cannot cope with being behind an SSL terminator for version list
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Low | Andrey Pavlov |
Bug Description
When keystone is set up behind an SSL terminator, it returns 'http' as the protocol in URLs returned by the version list command -
user@host:~$ curl https:/
{"versions": {"values": [{"status": "stable", "updated": "2013-03-
My ha_proxy config -
frontend keystone_
    bind 172.31.7.253:5000
    bind 172.31.7.252:5000 ssl crt /etc/haproxy/
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }
    default_backend keystone_
    option httpclose
    option http-pretend-
    option forwardfor
backend keystone_
    server HOST1 172.31.0.10:5000 check
    server HOST2 172.31.0.12:5000 check
    server HOST3 172.31.0.16:5000 check
A similar bug is here https:/
And because of this bug the last cinder client doesn't work -
user@host:~$ cinder --os-username admin --os-tenant-name admin --os-password password --os-auth-url https:/
ERROR: Unable to establish connection to http://
Also - if I set public_endpoint and admin_endpoint in keystone.conf to use 'https' proto then all works.
Changed in keystone:
status: Invalid → New
Changed in keystone:
status: New → Confirmed
importance: Undecided → Low
assignee: nobody → David Stanek (dstanek)
Changed in keystone:
assignee: nobody → Andrey Pavlov (apavlov-e)
Changed in keystone:
milestone: none → kilo-2
status: Fix Committed → Fix Released
Changed in keystone:
milestone: kilo-2 → 2015.1.0
tags: added: on-verification
tags: removed: on-verification
Andrey, you'll need to set 'https' in your keystone configuration in order to use SSL with Keystone.
Maybe we can look for an opportunity to improve the documentation.
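The behaviour in the bug description, reproduced as an added example that is not keystone's code or its fix: a WSGI middleware that takes the scheme from the X-Forwarded-Proto header the terminator adds, but only when the request arrives from a known proxy address, so a client cannot choose the scheme used in generated links. The proxy address, host name and the `version_list_app` stand-in are assumptions constructed for the example.

```python
import ipaddress

# Assumption: address of the SSL terminator as seen by the backend (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


class ForwardedProtoMiddleware:
    """Set wsgi.url_scheme from X-Forwarded-Proto, but only for trusted proxies."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = trusted

    def _from_trusted_proxy(self, environ):
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False
        return any(peer in net for net in self.trusted)

    def __call__(self, environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
        if proto in ("http", "https") and self._from_trusted_proxy(environ):
            environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)


def version_list_app(environ, start_response):
    """Hypothetical stand-in for a version-list endpoint that builds self links."""
    url = "%s://%s/v2.0/" % (environ["wsgi.url_scheme"], environ["HTTP_HOST"])
    body = ('{"href": "%s"}' % url).encode()
    start_response("200 OK", [("Content-Type", "application/json")])
    return [body]


def fetch(remote_addr, forwarded_proto=None):
    """Drive the wrapped app with a constructed WSGI environ and return the body."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "wsgi.url_scheme": "http",
               "HTTP_HOST": "keystone.example.test:5000", "REMOTE_ADDR": remote_addr}
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    app = ForwardedProtoMiddleware(version_list_app)
    return b"".join(app(environ, lambda status, headers: None)).decode()
```

Without the middleware the backend only ever sees the plain-HTTP hop from the terminator, which is why the version list advertises 'http' links.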