ssl_setup fails due to extra character in days value

Bug #1774654 reported by Wyllys Ingersoll
Affects: OpenStack Identity (keystone) | Status: Won't Fix | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

When running keystone-manage ssl_setup, the openssl command generated has an extra "d" character after the days value that causes the openssl command to fail with an error.

ex: keystone-manage ssl_setup --keystone-user keystone --keystone-group keystone --rebuild
2018-06-01 10:17:52.833 69002 WARNING keystone.cmd.cli [-] keystone-manage ssl_setup is not recommended for production use.
2018-06-01 10:17:52.841 69002 INFO keystone.common.openssl [-] Running command - openssl genrsa -out /etc/keystone/ssl/private/cakey.pem 2048
2018-06-01 10:17:53.020 69002 INFO keystone.common.openssl [-] Running command - openssl req -new -x509 -extensions v3_ca -key /etc/keystone/ssl/private/cakey.pem -out /etc/keystone/ssl/certs/ca.pem -days 3650 -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Virginia/L=Ashburn/O=KeeperTech/CN=www.keepertech.com
2018-06-01 10:17:53.029 69002 INFO keystone.common.openssl [-] Running command - openssl genrsa -out /etc/keystone/ssl/private/keystonekey.pem 2048
2018-06-01 10:17:53.132 69002 INFO keystone.common.openssl [-] Running command - openssl req -key /etc/keystone/ssl/private/keystonekey.pem -new -out /etc/keystone/ssl/certs/req.pem -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Virginia/L=Ashburn/O=KeeperTech/CN=www.keepertech.com
2018-06-01 10:17:53.141 69002 INFO keystone.common.openssl [-] Running command - openssl ca -batch -out /etc/keystone/ssl/certs/keystone.pem -config /etc/keystone/ssl/certs/openssl.conf -days 3650d -cert /etc/keystone/ssl/certs/ca.pem -keyfile /etc/keystone/ssl/private/cakey.pem -infiles /etc/keystone/ssl/certs/req.pem
2018-06-01 10:17:53.146 69002 ERROR keystone.common.openssl [-] Command ['openssl', 'ca', '-batch', '-out', '/etc/keystone/ssl/certs/keystone.pem', '-config', '/etc/keystone/ssl/certs/openssl.conf', '-days', '3650d', '-cert', '/etc/keystone/ssl/certs/ca.pem', '-keyfile', '/etc/keystone/ssl/private/cakey.pem', '-infiles', '/etc/keystone/ssl/certs/req.pem'] exited with 1 - ca: Can't parse "3650d" as a number
ca: Non-positive number "3650d" for -days
ca: Use -help for summary.

2018-06-01 10:17:53.148 69002 CRITICAL keystone [-] CalledProcessError: Command '['openssl', 'ca', '-batch', '-out', '/etc/keystone/ssl/certs/keystone.pem', '-config', '/etc/keystone/ssl/certs/openssl.conf', '-days', '3650d', '-cert', '/etc/keystone/ssl/certs/ca.pem', '-keyfile', '/etc/keystone/ssl/private/cakey.pem', '-infiles', '/etc/keystone/ssl/certs/req.pem']' returned non-zero exit status 1
2018-06-01 10:17:53.148 69002 ERROR keystone Traceback (most recent call last):
2018-06-01 10:17:53.148 69002 ERROR keystone File "/usr/bin/keystone-manage", line 10, in <module>
2018-06-01 10:17:53.148 69002 ERROR keystone sys.exit(main())
2018-06-01 10:17:53.148 69002 ERROR keystone File "/usr/lib/python2.7/dist-packages/keystone/cmd/manage.py", line 47, in main
2018-06-01 10:17:53.148 69002 ERROR keystone cli.main(argv=sys.argv, config_files=config_files)
2018-06-01 10:17:53.148 69002 ERROR keystone File "/usr/lib/python2.7/dist-packages/keystone/cmd/cli.py", line 1095, in main
2018-06-01 10:17:53.148 69002 ERROR keystone CONF.command.cmd_class.main()
2018-06-01 10:17:53.148 69002 ERROR keystone File "/usr/lib/python2.7/dist-packages/keystone/cmd/cli.py", line 514, in main
2018-06-01 10:17:53.148 69002 ERROR keystone conf_ssl.run()
2018-06-01 10:17:53.148 69002 ERROR keystone File "/usr/lib/python2.7/dist-packages/keystone/common/openssl.py", line 239, in run
2018-06-01 10:17:53.148 69002 ERROR keystone self.build_signing_cert()
2018-06-01 10:17:53.148 69002 ERROR keystone File "/usr/lib/python2.7/dist-packages/keystone/common/openssl.py", line 221, in build_signing_cert
2018-06-01 10:17:53.148 69002 ERROR keystone '-infiles', '%(request_file)s'])
2018-06-01 10:17:53.148 69002 ERROR keystone File "/usr/lib/python2.7/dist-packages/keystone/common/openssl.py", line 95, in exec_command
2018-06-01 10:17:53.148 69002 ERROR keystone raise e
2018-06-01 10:17:53.148 69002 ERROR keystone CalledProcessError: Command '['openssl', 'ca', '-batch', '-out', '/etc/keystone/ssl/certs/keystone.pem', '-config', '/etc/keystone/ssl/certs/openssl.conf', '-days', '3650d', '-cert', '/etc/keystone/ssl/certs/ca.pem', '-keyfile', '/etc/keystone/ssl/private/cakey.pem', '-infiles', '/etc/keystone/ssl/certs/req.pem']' returned non-zero exit status 1
2018-06-01 10:17:53.148 69002 ERROR keystone

The offending code is in keystone/command/openssl.py in the build_signing_cert function; it adds an extra "d" to the valid_days format:

      '-days', '%(valid_days)dd',

I realize that openssl is deprecated, but perhaps this fix could be made available for distros that still use the 9.3 versions in their stable releases (Ubuntu 16.04, for example).
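The bug is a one-character format-string slip: `'%(valid_days)dd'` consumes the integer with `%d` and then emits a literal `d`, so the argv list carries `"3650d"`. The following is an added example (not keystone's code) that builds the same `openssl ca` argv from the default paths in the log, renders it with both the buggy and the fixed format string, and models the two parsing behaviours discussed in the thread. The `parse_days_lenient` and `parse_days_strict` functions are assumed models of how OpenSSL 1.0 (atoi-style, trailing characters ignored) and OpenSSL 1.1 (whole string must be a positive number) treat `-days`; they reproduce the error text in the log but are not OpenSSL's source. `preflight_days` is a hypothetical pre-spawn check that would have surfaced the bad value before `CalledProcessError`.

```python
import re

# Keystone's original format string (quoted in the bug): the "%(valid_days)d"
# conversion is immediately followed by a literal "d", so 3650 renders as "3650d".
BUGGY_DAYS_FMT = '%(valid_days)dd'
# The one-character fix: drop the trailing literal "d".
FIXED_DAYS_FMT = '%(valid_days)d'


def build_ca_argv(valid_days, days_fmt=FIXED_DAYS_FMT, ssl_dir='/etc/keystone/ssl'):
    """Build the argv list for the 'openssl ca' signing step.

    Mirrors the shape of the command logged in the bug report (paths are the
    defaults shown there); the format string is pluggable so the buggy and
    fixed renderings can be compared side by side.
    """
    params = {'valid_days': valid_days}
    return [
        'openssl', 'ca', '-batch',
        '-out', ssl_dir + '/certs/keystone.pem',
        '-config', ssl_dir + '/certs/openssl.conf',
        '-days', days_fmt % params,
        '-cert', ssl_dir + '/certs/ca.pem',
        '-keyfile', ssl_dir + '/private/cakey.pem',
        '-infiles', ssl_dir + '/certs/req.pem',
    ]


def days_arg(argv):
    """Return the value that follows '-days' in an argv list."""
    return argv[argv.index('-days') + 1]


def parse_days_lenient(value):
    """Assumed model of OpenSSL 1.0's atoi()-style parsing: leading digits are
    consumed and any trailing characters are silently ignored, so '3650d' -> 3650."""
    m = re.match(r'[+-]?\d+', value.strip())
    return int(m.group()) if m else 0


def parse_days_strict(value):
    """Assumed model of OpenSSL 1.1's option parser, reproducing the two error
    messages in the log: the whole string must be a number, and it must be positive."""
    stripped = value.strip()
    if not re.fullmatch(r'[+-]?\d+', stripped):
        raise ValueError('Can\'t parse "%s" as a number' % value)
    n = int(stripped)
    if n <= 0:
        raise ValueError('Non-positive number "%s" for -days' % value)
    return n


def preflight_days(argv, parser=parse_days_strict):
    """Hypothetical pre-spawn check: validate the -days argument before running
    openssl and return (ok, days_or_error_message). Catching the bad value here
    yields a clear message instead of a CalledProcessError deep in a traceback."""
    try:
        return True, parser(days_arg(argv))
    except ValueError as exc:
        return False, str(exc)


if __name__ == '__main__':
    for fmt in (BUGGY_DAYS_FMT, FIXED_DAYS_FMT):
        argv = build_ca_argv(3650, days_fmt=fmt)
        print(repr(days_arg(argv)),
              'lenient:', preflight_days(argv, parse_days_lenient),
              'strict:', preflight_days(argv))
```

Running the block shows why the bug stayed hidden until the OpenSSL upgrade: the lenient parser accepts `"3650d"` and returns 3650, while the strict parser rejects it with exactly the first error line from the log. With `FIXED_DAYS_FMT` both parsers agree on 3650.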

Revision history for this message
Kristi Nikolla (knikolla) wrote :

Wyllys,

The `keystone-manage ssl_setup` command has been removed in the Newton release since we removed the possibility of running Keystone through its internal eventlet web server. Please use an HTTP server such as Apache HTTPD for running Keystone and for performing the SSL termination.

Mitaka, the last release supporting this command, is EOL; therefore we can't push or accept a fix for this.

Revision history for this message
Wyllys Ingersoll (wyllys66) wrote :

This only occurs when using openssl 1.1. Openssl 1.0 still allows for the extra "d" on the days argument ("--days 3650d" vs "--days 3650").

Revision history for this message
Lance Bragstad (lbragstad) wrote :

Marking this as Won't Fix since the affected releases are EOL'd. I appreciate you documenting the behavior though!

As noted, would the workaround be to upgrade openssl to a version that works with that argument?

Changed in keystone:
status: New → Won't Fix