The failure were caused by the formatting string for command openssl. Here is the diff to fix the issue.
$ git diff keystone/common/openssl.py
diff --git a/keystone/common/openssl.py b/keystone/common/openssl.py
index c581e8d..4ea2410 100644
--- a/keystone/common/openssl.py
+++ b/keystone/common/openssl.py
@@ -217,7 +217,7 @@ class BaseCertificateConfigure(object):
self.exec_command(['openssl', 'ca', '-batch',
'-out', '%(signing_cert)s',
'-config', '%(ssl_config)s',
- '-days', '%(valid_days)dd',
+ '-days', '%(valid_days)d',
'-cert', '%(ca_cert)s',
'-keyfile', '%(ca_private_key)s',
'-infiles', '%(request_file)s'])
$ uname -a
Linux os-cs-g3w-31.dft.twosigma.com 4.9.0-2-amd64 #1 SMP Debian 4.9.18-1 (2017-03-30) x86_64 GNU/Linux
$ git branch
master
* stable/newton
$ git log | head -4
commit 05a129e54573b6cbda1ec095f4526f2b9ba90a90
Author: Boris Bobrov <email address hidden>
Date: Tue Apr 25 14:20:36 2017 +0000
{0} keystone.tests.unit.test_cert_setup.CertSetupTestCase.test_create_pki_certs_twice_without_rebuild [0.670882s] ... FAILED
Captured pythonlogging:
~~~~~~~~~~~~~~~~~~~~~~~
Adding cache-proxy 'oslo_cache.testing.CacheIsolatingProxy' to backend.
Adding cache-proxy 'oslo_cache.testing.CacheIsolatingProxy' to backend.
Adding cache-proxy 'oslo_cache.testing.CacheIsolatingProxy' to backend.
NeedRegenerationException
no value, waiting for create lock
value creation lock <dogpile.cache.region._LockWrapper object at 0x7f52d697e1d0> acquired
Calling creation function
Released creation lock
The admin_token_auth middleware presents a security risk and should be removed from the [pipeline:api_v3], [pipeline:admin_api], and [pipeline:public_api] sections of your paste ini file.
The admin_token_auth middleware presents a security risk and should be removed from the [pipeline:api_v3], [pipeline:admin_api], and [pipeline:public_api] sections of your paste ini file.
The admin_token_auth middleware presents a security risk and should be removed from the [pipeline:api_v3], [pipeline:admin_api], and [pipeline:public_api] sections of your paste ini file.
The admin_token_auth middleware presents a security risk and should be removed from the [pipeline:api_v3], [pipeline:admin_api], and [pipeline:public_api] sections of your paste ini file.
make_dirs path='/home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs' mode=0755 user=None group=None
set_permissions: path='/home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs' mode=0755 user=None(None) group=None(None)
set_permissions: path='/home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs/openssl.conf' mode=0640 user=None(None) group=None(None)
set_permissions: path='/home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs/index.txt' mode=0640 user=None(None) group=None(None)
set_permissions: path='/home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs/serial' mode=0640 user=None(None) group=None(None)
make_dirs path='/home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs' mode=0750 user=None group=None
set_permissions: path='/home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs' mode=0750 user=None(None) group=None(None)
Running command - openssl genrsa -out /home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs/cakey.pem 2048
set_permissions: path='/home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs/cakey.pem' mode=0640 user=None(None) group=None(None)
make_dirs path='/home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs' mode=0755 user=None group=None
set_permissions: path='/home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs' mode=0755 user=None(None) group=None(None)
Running command - openssl req -new -x509 -extensions v3_ca -key /home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs/cakey.pem -out /home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs/ca.pem -days 3650 -config /home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
set_permissions: path='/home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs/ca.pem' mode=0644 user=None(None) group=None(None)
make_dirs path='/home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/private' mode=0750 user=None group=None
set_permissions: path='/home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/private' mode=0750 user=None(None) group=None(None)
Running command - openssl genrsa -out /home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/private/signing_key.pem 2048
set_permissions: path='/home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/private/signing_key.pem' mode=0640 user=None(None) group=None(None)
make_dirs path='/home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs' mode=0755 user=None group=None
set_permissions: path='/home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs' mode=0755 user=None(None) group=None(None)
Running command - openssl req -key /home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/private/signing_key.pem -new -out /home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs/req.pem -config /home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
Running command - openssl ca -batch -out /home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs/signing_cert.pem -config /home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs/openssl.conf -days 3650d -cert /home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs/ca.pem -keyfile /home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs/cakey.pem -infiles /home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs/req.pem
Command ['openssl', 'ca', '-batch', '-out', u'/home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs/signing_cert.pem', '-config', u'/home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs/openssl.conf', '-days', '3650d', '-cert', u'/home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs/ca.pem', '-keyfile', u'/home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs/cakey.pem', '-infiles', u'/home/tsstack/openstack/keystone/keystone/tests/unit/tmp/40309/ssl/certs/req.pem'] exited with 1 - ca: Can't parse "3650d" as a number
ca: Non-positive number "3650d" for -days
ca: Use -help for summary.
)
Captured traceback:
~~~~~~~~~~~~~~~~~~~
Traceback (most recent call last):
File "keystone/tests/unit/test_cert_setup.py", line 158, in test_create_pki_certs_twice_without_rebuild
self.test_create_pki_certs()
File "keystone/tests/unit/test_cert_setup.py", line 83, in test_create_pki_certs
pki.run()
File "keystone/common/openssl.py", line 241, in run
self.build_signing_cert()
File "keystone/common/openssl.py", line 223, in build_signing_cert
'-infiles', '%(request_file)s'])
File "keystone/common/openssl.py", line 88, in exec_command
stderr=subprocess.STDOUT)
File "/usr/lib/python2.7/subprocess.py", line 219, in check_output
raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command '['openssl', 'ca', '-batch', '-out',
The Newton release EOL'd on October 13th [0]. Marking this as invalid since the release is no longer supported.
[0] https:/