Comment 2 for bug 1728907

Gage Hugo (gagehugo) wrote :

Was able to replicate this I believe:

- With primary fernet key as "1", create an empty key file "2".
- Perform keystone-manage fernet_rotate (which passes) [0]
- Try to authenticate [1]
- Verified "2" is an empty file

[0]

2018-02-21 12:01:57.926 3643 INFO keystone.common.token_utils [-] Starting key rotation with 3 key files: ['/etc/keystone/fernet-keys/0', '/etc/keystone/fernet-keys/1', '/etc/keystone/fernet-keys/2']
2018-02-21 12:01:57.928 3643 INFO keystone.common.token_utils [-] Created a new temporary key: /etc/keystone/fernet-keys/0.tmp
2018-02-21 12:01:57.929 3643 INFO keystone.common.token_utils [-] Current primary key is: 2
2018-02-21 12:01:57.931 3643 INFO keystone.common.token_utils [-] Next primary key will be: 3
2018-02-21 12:01:57.932 3643 INFO keystone.common.token_utils [-] Promoted key 0 to be the primary: 3
2018-02-21 12:01:57.933 3643 INFO keystone.common.token_utils [-] Become a valid new key: /etc/keystone/fernet-keys/0
2018-02-21 12:01:57.934 3643 INFO keystone.common.token_utils [-] Excess key to purge: /etc/keystone/fernet-keys/1

[1]

2018-02-21 12:05:30.198 14496 ERROR keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/token/token_formatters.py", line 79, in pack
2018-02-21 12:05:30.198 14496 ERROR keystone.common.wsgi return self.crypto.encrypt(payload).rstrip(b'=').decode('utf-8')
2018-02-21 12:05:30.198 14496 ERROR keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/token/token_formatters.py", line 68, in crypto
2018-02-21 12:05:30.198 14496 ERROR keystone.common.wsgi fernet_instances = [fernet.Fernet(key) for key in keys]
2018-02-21 12:05:30.198 14496 ERROR keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/cryptography/fernet.py", line 37, in __init__
2018-02-21 12:05:30.198 14496 ERROR keystone.common.wsgi "Fernet key must be 32 url-safe base64-encoded bytes."
2018-02-21 12:05:30.198 14496 ERROR keystone.common.wsgi ValueError: Fernet key must be 32 url-safe base64-encoded bytes.
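The report shows that rotation accepts an empty key file and the failure only surfaces later, when `cryptography.fernet.Fernet` rejects the key during token encryption. A pre-rotation check that applies the same constraint (the file must url-safe-base64-decode to exactly 32 bytes) catches the bad file before it becomes the primary. The code below is an added example written for this page; it is not Keystone's code and not part of the bug report. It assumes the key repository layout the log shows (one file per key, named by integer index), builds a constructed sample directory with a valid key "0", a valid key "1" and an empty key "2", and treats a trailing newline in a key file as harmless (an assumption, not Keystone behaviour).

```python
import base64
import binascii
import os
import tempfile

FERNET_KEY_BYTES = 32  # Fernet requires 32 raw bytes (signing key + encryption key)


def check_fernet_key(raw):
    """Return None if raw is a usable Fernet key, otherwise a short reason.

    Mirrors the constraint enforced by cryptography.fernet.Fernet.__init__:
    the key must url-safe-base64-decode to exactly 32 bytes.
    """
    data = raw.strip()  # assumption: a trailing newline in the file is harmless
    if not data:
        return "empty key file"
    try:
        decoded = base64.urlsafe_b64decode(data)
    except (binascii.Error, ValueError):
        return "not valid url-safe base64"
    if len(decoded) != FERNET_KEY_BYTES:
        return "decodes to %d bytes, expected %d" % (len(decoded), FERNET_KEY_BYTES)
    return None


def validate_fernet_key_dir(key_dir):
    """Map every entry in key_dir to None (ok) or a string describing the problem.

    Run this before rotation: any non-None value means the repository would
    break token encryption once that key is promoted or loaded.
    """
    results = {}
    for name in sorted(os.listdir(key_dir)):
        path = os.path.join(key_dir, name)
        if not os.path.isfile(path):
            results[name] = "not a regular file"
            continue
        if not name.isdigit():
            # Keystone names keys by integer index; anything else is not a key.
            results[name] = "file name is not an integer key index"
            continue
        with open(path, "rb") as fh:
            results[name] = check_fernet_key(fh.read())
    return results


def build_sample_key_dir():
    """Constructed sample repository: keys 0 and 1 valid, key 2 empty.

    This reproduces the state described in the report, where an empty
    file sits beside real keys and rotation still passes.
    """
    key_dir = tempfile.mkdtemp(prefix="fernet-keys-")
    for index in ("0", "1"):
        with open(os.path.join(key_dir, index), "wb") as fh:
            fh.write(base64.urlsafe_b64encode(os.urandom(FERNET_KEY_BYTES)))
    with open(os.path.join(key_dir, "2"), "wb"):
        pass  # empty file, the condition that later breaks encrypt()
    return key_dir


if __name__ == "__main__":
    sample = build_sample_key_dir()
    for name, problem in validate_fernet_key_dir(sample).items():
        print("%s: %s" % (name, problem or "ok"))
```

Running the check against the sample directory reports key "2" as an empty key file while "0" and "1" pass; wiring such a check in front of the rotation step turns a deferred authentication outage into an immediate, attributable failure.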