Signing error: Unable to load certificate - ensure you have configured PKI with "keystone-manage pki_setup"
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Invalid | Undecided | Unassigned | |
Bug Description
I have a fresh installation of OpenStack Newton based on Ubuntu 16.04. I am using Ceph Object Gateway as the object storage implementation, which regularly makes the following call "GET http://
This call causes the following exception in the log of Keystone:
2016-10-20 14:30:33.764 13934 INFO keystone.
2016-10-20 14:30:33.889 13934 ERROR keystoneclient.
2016-10-20 14:30:33.890 13934 ERROR keystone.
2016-10-20 14:30:33.890 13934 ERROR keystone.
2016-10-20 14:30:33.890 13934 ERROR keystone.
2016-10-20 14:30:33.890 13934 ERROR keystone.
2016-10-20 14:30:33.890 13934 ERROR keystone.
2016-10-20 14:30:33.890 13934 ERROR keystone.
2016-10-20 14:30:33.890 13934 ERROR keystone.
2016-10-20 14:30:33.890 13934 ERROR keystone.
2016-10-20 14:30:33.890 13934 ERROR keystone.
2016-10-20 14:30:33.890 13934 ERROR keystone.
2016-10-20 14:30:33.890 13934 ERROR keystone.
2016-10-20 14:30:33.890 13934 ERROR keystone.
2016-10-20 14:30:33.890 13934 ERROR keystone.
2016-10-20 14:30:33.890 13934 ERROR keystone.
This is my keystone.conf:
[DEFAULT]
debug = false
# NOTE: log_dir alone does not work for Keystone
log_file = /var/log/
transport_url = rabbit:
[assignment]
driver = sql
[cache]
backend = oslo_cache.
enabled = true
memcache_servers = os-memcache:11211
[credential]
provider = fernet
key_repository = /etc/keystone/
[database]
connection = mysql+pymysql:
max_retries = -1
[memcache]
servers = os-memcache:11211
[oslo_messaging
driver = messagingv2
[oslo_messaging
amqp_durable_queues = true
rabbit_ha_queues = true
rabbit_
rabbit_
[oslo_middleware]
enable_
[token]
driver = sql
provider = uuid
[extra_headers]
Distribution = Ubuntu
I know that with the Newton release a lot of things have been changed regarding signing and PKI. How can calls to Keystone's revocation list be handled in the Newton release without a PKI setup?
We did not remove any of the PKI in Newton; it was deprecated in Mitaka and didn't change much (at all?) for Newton. We will be removing it in Ocata.
Silly question, is openssl installed?
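The two conditions raised in this report (PKI signing material not set up, and openssl possibly not installed) can be checked before a client starts polling the revocation list. The following preflight is an added example, not code from Keystone or from this bug report. It assumes the `[signing]` options `certfile` and `keyfile` and the short provider names `pki`/`pkiz`; the function name, sample configs and placeholder paths are constructed.

```python
import configparser
import os
import shutil

# Constructed sample: the [token] section matches the report, nothing else is set.
SAMPLE_CONF = """
[token]
driver = sql
provider = uuid
"""

# Constructed sample with placeholder paths (not Keystone's real defaults).
SAMPLE_PKI_CONF = """
[token]
provider = pki
[signing]
certfile = /placeholder/signing_cert.pem
keyfile = /placeholder/signing_key.pem
"""

PKI_PROVIDERS = {"pki", "pkiz"}  # assumed short provider names


def signing_preflight(conf_text, exists=os.path.isfile, which=shutil.which):
    """Return (code, message) findings that can explain the signing error."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []

    provider = cp.get("token", "provider", fallback="(unset)")
    if provider not in PKI_PROVIDERS:
        findings.append(("token-provider-not-pki",
                         f"token provider is {provider!r}; PKI material may never have been generated"))
    for opt in ("certfile", "keyfile"):
        path = cp.get("signing", opt, fallback=None)
        if path is None:
            findings.append((f"{opt}-not-configured",
                             f"[signing] {opt} is unset; check the built-in default path"))
        elif not exists(path):
            findings.append((f"{opt}-missing", f"{path} does not exist or is not a file"))
    if which("openssl") is None:
        findings.append(("openssl-not-found", "no openssl binary on PATH"))
    return findings


if __name__ == "__main__":
    for code, message in signing_preflight(SAMPLE_CONF):
        print(f"{code}: {message}")
```

The `exists` and `which` parameters are injectable so the check can be run against a copied config file on a machine other than the Keystone host.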