All, Thanks, that was a huge help. The problem was indeed some stale mismatching keys sitting in the signing_dir. I removed those and reloaded them from keystone and everything is working as expected.
Cheers, -Matt On Wed, Jul 24, 2013 at 10:42 AM, Syed Armani <syed.arm...@hastexo.com>wrote: > > Great post Adam. Thanks. > > Cheers, > Syed > > > On Wed, Jul 24, 2013 at 10:54 PM, Adam Young <ayo...@redhat.com> wrote: > >> I wrote this up as a general answer. Hope it helps. >> >> https://adam.younglogic.com/2013/07/troubleshooting-pki-middleware/ >> >> >> On 07/24/2013 11:44 AM, Adam Young wrote: >> >> On 07/24/2013 10:45 AM, Salvatore Orlando wrote: >> >> Hav you tried checking the credentials that glance uses for validating >> tokens with keystone? >> >> They are defined in glance's conf files in the section: >> >> [keystone_authtoken] >> signing_dir = /var/cache/glance/api >> >> >> make sure that the directory >> /var/cache/glance/api >> exists and has the certificates in it. A good test is to remove the >> certifcates and hit the server again, as they are fetched on demand. If >> there are no certificates there after another try, either glance can't talk >> to Keystone or keystone is not handing out the certificates. >> >> auth_uri = http://127.0.0.1:5000/ >> auth_host = 127.0.0.1 >> auth_port = 35357 >> auth_protocol = http >> admin_tenant_name = service >> admin_user = glance >> admin_password = password >> >> Salvatore >> >> >> On 18 July 2013 22:16, Matt Davis <mattd5...@gmail.com> wrote: >> >>> Hello all, >>> >>> I'm working on a deployment script to install and configure my >>> OpenStack services and I'm getting a strange result with glance. It's >>> surely a bug with my script messing up a config file line, but I can't >>> interpret the glance and keystone logs to track the issue down. Here's the >>> use case: >>> >>> 1) Install keystone following the directions in the Grizzly >>> installation guide for Ubuntu 12.04. >>> 2) Install glance following the directions in the Grizzly installation >>> guide for Ubuntu 12.04. >>> 3) Run glance image-list to see if I can get an empty list. >>> >>> My result: >>> >>> ===== >>> glance --os-username=admin --os-password=secrete --os-tenant-name demo >>> --os-auth-url=http://localhost:5000/v2.0 image-list >>> >>> Request returned failure status. >>> Invalid OpenStack Identity credentials. >>> ===== >>> >>> The glance API log is as follows: >>> >>> ===== >>> 2013-07-18 11:18:24.301 6306 DEBUG >>> glance.api.middleware.version_negotiation [-] Determining version of >>> request: GET //v1/images/detail Accept: process_request >>> /usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:46 >>> 2013-07-18 11:18:24.302 6306 DEBUG >>> glance.api.middleware.version_negotiation [-] Using url versioning >>> process_request >>> /usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:59 >>> 2013-07-18 11:18:24.302 6306 DEBUG >>> glance.api.middleware.version_negotiation [-] Matched version: v1 >>> process_request >>> /usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:71 >>> 2013-07-18 11:18:24.302 6306 DEBUG >>> glance.api.middleware.version_negotiation [-] new uri /v1/images/detail >>> process_request >>> /usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:72 >>> ===== >>> >>> No entries are added to the glance registry log. If I tweak the >>> password to make the credentials invalid, I get this: >>> >>> ===== >>> glance --os-username=admin --os-password=wrong_pw --os-tenant-name demo >>> --os-auth-url=http://localhost:5000/v2.0 image-list >>> Unable to communicate with identity service: {"error": {"message": >>> "Invalid user / password", "code": 401, "title": "Not Authorized"}}. (HTTP >>> 401) >>> ===== >>> >>> So keystone is definitely looking up my credentials and responding >>> differently when they match. >>> >>> Any ideas as to where should I be looking for the issue? >>> >>> Thanks for your time! >>> >>> -Matt >>> >>> _______________________________________________ >>> Mailing list: https://launchpad.net/~openstack >>> Post to : openstack@lists.launchpad.net >>> Unsubscribe : https://launchpad.net/~openstack >>> More help : https://help.launchpad.net/ListHelp >>> >>> >> >> >> _______________________________________________ >> Mailing list: https://launchpad.net/~openstack >> Post to : openstack@lists.launchpad.net >> Unsubscribe : https://launchpad.net/~openstack >> More help : https://help.launchpad.net/ListHelp >> >> >> >> >> _______________________________________________ >> Mailing list: https://launchpad.net/~openstack >> Post to : openstack@lists.launchpad.net >> Unsubscribe : https://launchpad.net/~openstack >> More help : https://help.launchpad.net/ListHelp >> >> >> >> _______________________________________________ >> Mailing list: https://launchpad.net/~openstack >> Post to : openstack@lists.launchpad.net >> Unsubscribe : https://launchpad.net/~openstack >> More help : https://help.launchpad.net/ListHelp >> >> > > _______________________________________________ > Mailing list: https://launchpad.net/~openstack > Post to : openstack@lists.launchpad.net > Unsubscribe : https://launchpad.net/~openstack > More help : https://help.launchpad.net/ListHelp > >
_______________________________________________ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
