keystoneauth1.exceptions.http.InternalServerError: An unexpected error prevented the server from fulfilling your request.

Bug #1709189 reported by Andrew McLeod
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Ceph RADOS Gateway Charm | Fix Released | Medium | James Page |
OpenStack Keystone Charm | Fix Released | Medium | James Page |

Bug Description

When deploying ceph-radosgw charm for pike (proposed) on s390x, I get the following status error:

ceph-radosgw/0* error idle 16 10.0.8.120 80/tcp hook failed: "identity-service-relation-changed" for keystone:identity-service

The ceph-radosgw logs indicate this is caused by:

http://pastebin.ubuntu.com/25265602/

Looking at the keystone unit, the error there appears to be the following:

(keystone.common.wsgi): 2017-08-07 21:58:42,756 ERROR [Errno 2] No such file or directory: '/var/lib/keystone/juju_ssl/pki/certs/ca.pem'
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 228, in __call__
    result = method(req, **params)
  File "/usr/lib/python2.7/dist-packages/oslo_log/versionutils.py", line 178, in wrapped
    return func_or_cls(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 74, in ca_cert
    with open(CONF.signing.ca_certs, 'r') as ca_file:
IOError: [Errno 2] No such file or directory: '/var/lib/keystone/juju_ssl/pki/certs/ca.pem'

Charm deploy config:

  ceph-radosgw:
    annotations:
      gui-x: '1000'
      gui-y: '250'
    charm: cs:~openstack-charmers-next/ceph-radosgw
    num_units: 1
    options:
      source: cloud:pike/proposed

I believe this may also affect arm64.

Tags: osci s390x
James Page (james-page) wrote :

PKI support dropped in Pike, need to update keystone not to try to throw that data across the link.

Changed in charm-ceph-radosgw:
assignee: nobody → James Page (james-page)
status: New → In Progress
importance: Undecided → Medium
James Page (james-page) wrote :

OK so the challenge here is that the radosgw charm requests the signing cert + ca from keystone to deal with revocation of PKI formatted tokens; these are dropped as of Pike, so that information is never provided from keystone.

James Page (james-page)
Changed in charm-keystone:
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → James Page (james-page)
milestone: none → 17.08
Changed in charm-ceph-radosgw:
milestone: none → 17.08
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-ceph-radosgw (master)

Fix proposed to branch: master
Review: https://review.openstack.org/492553

Changed in charm-keystone:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/492554

James Page (james-page) wrote :

To confirm that revocation lists no longer have context without PKI:

hi
15:29 (hopefully) quick question about token revocation lists - do/did they only apply for PKI tokens? or do they also apply for UUID and Fernet formats as well?
15:30 we're dropping PKI support in the keystone charms this cycle - just figuring out what we do with regards to certs and ca files related to signing of revocation requests..
15:58 <kmalloc> (Morgan Fainberg) jamespage: recommend not using them at all
15:59 <jamespage> (James Page) kmalloc: that was what I thought
15:59 thanks for confirming
15:59 * jamespage does not have to throw away the last hour's work now :-)
15:59 <kmalloc> jamespage: use fernet tokens, do not use the revocation list (even with uuid tokens). Largely it was for pki tokens, but easiest bet turn off "revoke by id" and ignore the rev list
15:59 :)
16:00 jamespage: happy to make your life easier
16:00 <jamespage> :)

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-ceph-radosgw (master)

Reviewed: https://review.openstack.org/492553
Committed: https://git.openstack.org/cgit/openstack/charm-ceph-radosgw/commit/?id=ef3529161a48b5c34105cab007cefed136ecd1ec
Submitter: Jenkins
Branch: master

commit ef3529161a48b5c34105cab007cefed136ecd1ec
Author: James Page <email address hidden>
Date: Thu Aug 10 15:39:02 2017 +0100

    keystone: PKI token format removal

    As of Pike, the OpenStack charms no longer generate the certificates
    and CA used to sign token revocation lists as this is associated with
    the PKI token format, which has been removed from OpenStack in
    favor of UUID or Fernet formats.

    Soft-fail on cert retrieval if an InternalServerError is thrown; this
    is most likely due to the fact that the keystone WSGI server cannot
    find the relevant files on the underlying filesystem.

    Change-Id: Ib592e7e47e10bed2d59c9136a3267f9c7ce8da83
    Closes-Bug: 1709189

Changed in charm-ceph-radosgw:
status: In Progress → Fix Committed
James Page (james-page)
Changed in charm-ceph-radosgw:
status: Fix Committed → Fix Released
Changed in charm-keystone:
milestone: 17.08 → 17.11
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone (master)

Reviewed: https://review.openstack.org/492554
Committed: https://git.openstack.org/cgit/openstack/charm-keystone/commit/?id=ee45612e7c3dd78712a0ad29576de557d144a1fd
Submitter: Zuul
Branch: master

commit ee45612e7c3dd78712a0ad29576de557d144a1fd
Author: James Page <email address hidden>
Date: Thu Aug 10 15:22:50 2017 +0100

    pki: conditional enablement of signing section

    Only enable the [signing] section of the keystone configuration
    if PKI token format is in use; other token formats don't have
    support for token revocation retrieval.

    Note that PKI format tokens are no longer supported >= Pike.

    Change-Id: I8179ecc5d37d866588147f639ebc77a870408dfe
    Closes-Bug: 1709189

Changed in charm-keystone:
status: In Progress → Fix Committed
James Page (james-page)
Changed in charm-keystone:
status: Fix Committed → Fix Released
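
A configuration check for the condition behind this bug, added here as an example and not taken from the bug report or either charm: it flags a keystone.conf that still renders `[signing]` for a non-PKI token provider, signing files that are configured but absent (the cause of the IOError above), and revoke-by-id left on. The function name and finding labels are hypothetical, and treating an unset `revoke_by_id` as enabled is an assumption.

```python
import configparser
import os

PKI_PROVIDERS = {"pki", "pkiz"}
SIGNING_FILES = ("certfile", "keyfile", "ca_certs")

# Constructed sample: a non-PKI deployment whose [signing] section still
# points at the CA path from the traceback in this report.
BROKEN_CONF = """
[token]
provider = fernet

[signing]
ca_certs = /var/lib/keystone/juju_ssl/pki/certs/ca.pem
"""

# Constructed sample: [signing] omitted and revoke-by-id turned off.
FIXED_CONF = """
[token]
provider = fernet
revoke_by_id = false
"""


def audit_keystone_conf(conf_text, path_exists=os.path.exists):
    """Return (check, detail) findings for the text of a keystone.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    provider = cp.get("token", "provider", fallback="").strip().lower()
    uses_pki = provider in PKI_PROVIDERS
    findings = []
    if cp.has_section("signing"):
        if not uses_pki:
            findings.append(("signing-without-pki", "provider=%s" % provider))
        # A configured but absent file is what produced the IOError / HTTP 500.
        for key in SIGNING_FILES:
            path = cp.get("signing", key, fallback=None)
            if path and not path_exists(path):
                findings.append(("missing-signing-file", "%s=%s" % (key, path)))
    # Assumption: revoke_by_id is treated as enabled when the option is unset.
    if not uses_pki and cp.getboolean("token", "revoke_by_id", fallback=True):
        findings.append(("revoke-by-id-enabled", "provider=%s" % provider))
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_keystone_conf(conf))
```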