self-signed certificates don't function with keystone
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
kolla | Invalid | Low | Dave McCowan |
Bug Description
I can access horizon via chrome, although the certificate chain is untrusted.
However, if I try to access keystone I receive the following error:
STDAKE-M-J2VL:demo sdake$ keystone user-list
/usr/local/
'python-
/usr/local/
'the 2.0.0 release.', DeprecationWarning)
/usr/local/
super(Client, self)._
/usr/local/
return f(*args, **kwargs)
/usr/local/
'the 2.0.0 release.', DeprecationWarning)
Authorization Failed: SSL exception connecting to https:/
I then run with the --insecure flag to turn off certification validation and receive the following:
STDAKE-M-J2VL:demo sdake$ keystone --insecure user-list
/usr/local/
'python-
/usr/local/
'the 2.0.0 release.', DeprecationWarning)
/usr/local/
super(Client, self)._
/usr/local/
return f(*args, **kwargs)
/usr/local/
'the 2.0.0 release.', DeprecationWarning)
/usr/local/
InsecureReque
Authorization Failed: The resource could not be found. (HTTP 404)
STDAKE-M-J2VL:demo sdake$
I am running a NAT. I tried hacking the .cnf defaults file to force my NAT IP address into the SSL certificate, but that didn't seem to work. I ran the following operations:
[11:47:38] <dave-mccowan> kolla-ansible certificates
[11:48:28] <dave-mccowan> kolla_enable_
[11:48:48] <dave-mccowan> kolla-ansible deploy
[11:49:02] <dave-mccowan> (you also need two vips)
My 149 address is my external VIP and is where my NAT forwards to. My 148 address is my internal VIP. The internal VIP appears to work because horizon would not be functional if it were not.
Help appreciated on getting keystone to either ignore or trust my unsigned certificate.
Changed in kolla:
status: New → Triaged
importance: Undecided → High
milestone: none → mitaka-rc1
assignee: nobody → Dave McCowan (dave-mccowan)
Changed in kolla:
status: Triaged → Invalid
Changed in kolla:
milestone: mitaka-rc1 → mitaka-rc2
Changed in kolla:
milestone: mitaka-rc2 → mitaka-rc3
milestone: mitaka-rc3 → mitaka-rc2
The kolla-ansible playbook to generate certificates is for developers' convenience only.
The self-signed certificates that it generates will rightly generate warnings.
For deployments, operators will want to get their own certificates from a CA.
For developers, they can use the generated self-signed CAs, but need to set up their openrc files as shown in tools/openrc-example and copy the CA certificate file to their client server.
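The following is an added example, not kolla's tooling and not anything posted in this bug. It walks through what the comment above recommends for a development deployment: generate a private CA, issue a server certificate whose subjectAltName carries both VIPs (the reporter's internal .148 and NAT-forwarded .149 addresses), and then check that the certificate verifies against the CA file (what a client with OS_CACERT does) but not against the system trust store (what the reporter's first run did). It assumes the `openssl` command-line tool is installed; the two IP addresses are constructed placeholders, and OS_CACERT is the environment variable python-keystoneclient reads for a CA bundle, so the openrc line it prints is the alternative to `--insecure`.

```shell
#!/bin/sh
# Added example (not kolla's code): private CA + server cert with SAN for both
# VIPs, verified the way a client configured with OS_CACERT would verify it.
# Assumes the `openssl` CLI. IP addresses below are constructed placeholders.

WORKDIR="${WORKDIR:-$(mktemp -d)}"
INTERNAL_VIP="${INTERNAL_VIP:-192.0.2.148}"   # stand-in for the internal VIP
EXTERNAL_VIP="${EXTERNAL_VIP:-192.0.2.149}"   # stand-in for the NAT-forwarded VIP

make_ca() {
  # Self-contained req config: non-interactive, and CA:TRUE so that clients
  # will accept certificates this CA signs. This ca.pem is the file that gets
  # copied to the client machine.
  cat > "$WORKDIR/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = kolla-dev-ca
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -config "$WORKDIR/ca.cnf" -newkey rsa:2048 -nodes \
    -days 30 -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" >/dev/null 2>&1
}

make_server_cert() {
  cat > "$WORKDIR/server.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = $EXTERNAL_VIP
EOF
  openssl req -new -config "$WORKDIR/server.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" >/dev/null 2>&1
  # TLS clients match the address they connected to against the SAN, so the
  # NAT IP has to be listed there; a CN on its own is not enough.
  printf 'subjectAltName = IP:%s, IP:%s\n' "$INTERNAL_VIP" "$EXTERNAL_VIP" \
    > "$WORKDIR/san.cnf"
  openssl x509 -req -days 30 -in "$WORKDIR/server.csr" \
    -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/san.cnf" -out "$WORKDIR/server.pem" >/dev/null 2>&1
}

verify_with_ca() {
  # Equivalent of a client with OS_CACERT=ca.pem: chain must end at our CA.
  if openssl verify -CAfile "$WORKDIR/ca.pem" "$WORKDIR/server.pem" 2>&1 \
       | grep -q ': OK$'; then
    echo trusted
  else
    echo untrusted
  fi
}

verify_without_ca() {
  # Equivalent of the reporter's first run: only the system trust store is
  # consulted, which knows nothing about a private CA, so the chain fails.
  if openssl verify "$WORKDIR/server.pem" 2>&1 | grep -q ': OK$'; then
    echo trusted
  else
    echo untrusted
  fi
}

san_has_ip() {
  # Does the issued certificate list the given IP in its subjectAltName?
  if openssl x509 -in "$WORKDIR/server.pem" -noout -text 2>/dev/null \
       | grep -q "IP Address:$1"; then
    echo yes
  else
    echo no
  fi
}

openrc_ca_line() {
  # The line to add to the client's openrc so keystoneclient verifies against
  # the copied CA file instead of being run with --insecure.
  echo "export OS_CACERT=$WORKDIR/ca.pem"
}

# Stand-alone run
make_ca
make_server_cert
echo "verify with CA file:    $(verify_with_ca)"
echo "verify without CA file: $(verify_without_ca)"
echo "SAN lists $EXTERNAL_VIP: $(san_has_ip "$EXTERNAL_VIP")"
openrc_ca_line
```

The "without CA file" result is the same failure keystoneclient reported as an SSL exception: the certificate is not broken, the client simply has no path to a CA it trusts. Copying ca.pem to the client and pointing OS_CACERT at it closes that gap while keeping verification on; `--insecure` removes verification entirely and should stay a debugging aid.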