Thanks! But I still get an error when I run the command:

keystone user-list
Authorization Failed: Unable to sign token. (HTTP 500)

Message in /var/log/keystone/keystone.log:

2014-03-07 09:09:39.659 20794 INFO keystone.common.environment [-] Environment configured as: eventlet
2014-03-07 09:09:39.929 20794 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:35357
2014-03-07 09:09:39.930 20794 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:5000
2014-03-07 09:09:40.783 20817 INFO keystone.common.environment [-] Environment configured as: eventlet
2014-03-07 09:09:41.053 20817 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:35357
2014-03-07 09:09:41.054 20817 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:5000
2014-03-07 09:09:51.802 20817 ERROR keystone.common.cms [-] Signing error: Unable to load certificate - ensure you've configured PKI with 'keystone-manage pki_setup'
2014-03-07 09:09:51.802 20817 ERROR keystone.token.providers.pki [-] Unable to sign token
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki Traceback (most recent call last):
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki   File "/usr/lib/python2.6/site-packages/keystone/token/providers/pki.py", line 39, in _get_token_id
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki     CONF.signing.keyfile)
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki   File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 144, in cms_sign_token
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki     output = cms_sign_text(text, signing_cert_file_name, signing_key_file_name)
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki   File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 139, in cms_sign_text
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki     raise environment.subprocess.CalledProcessError(retcode, "openssl")
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki CalledProcessError: Command 'openssl' returned non-zero exit status 3
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki
2014-03-07 09:09:51.832 20817 WARNING keystone.common.wsgi [-] Unable to sign token.

I already ran the command:

id
uid=0(root) gid=0(root) groups=0(root)

keystone-manage pki_setup --keystone-user 0 --keystone-group 0
2014-03-06 13:01:19.905 23316 INFO keystone.common.openssl [-] openssl genrsa -out /etc/keystone/ssl/certs/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
..................................................................................................................................................+++
.......................................+++
e is 65537 (0x10001)
2014-03-06 13:01:20.171 23316 INFO keystone.common.openssl [-] openssl req -new -x509 -extensions v3_ca -key /etc/keystone/ssl/certs/cakey.pem -out /etc/keystone/ssl/certs/ca.pem -days 3650 -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
2014-03-06 13:01:20.178 23316 INFO keystone.common.openssl [-] openssl genrsa -out /etc/keystone/ssl/private/signing_key.pem 2048
Generating RSA private key, 2048 bit long modulus
........+++
..+++
e is 65537 (0x10001)
2014-03-06 13:01:20.199 23316 INFO keystone.common.openssl [-] openssl req -key /etc/keystone/ssl/private/signing_key.pem -new -out /etc/keystone/ssl/certs/req.pem -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
2014-03-06 13:01:20.205 23316 INFO keystone.common.openssl [-] openssl ca -batch -out /etc/keystone/ssl/certs/signing_cert.pem -config /etc/keystone/ssl/certs/openssl.conf -days 3650d -cert /etc/keystone/ssl/certs/ca.pem -keyfile /etc/keystone/ssl/certs/cakey.pem -infiles /etc/keystone/ssl/certs/req.pem
Using configuration from /etc/keystone/ssl/certs/openssl.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :ASN.1 12:'Unset'
localityName          :ASN.1 12:'Unset'
organizationName      :ASN.1 12:'Unset'
commonName            :ASN.1 12:'www.example.com'
Certificate is to be certified until Mar 3 05:01:20 2024 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

From: Adam Young [mailto:ayo...@redhat.com]
Sent: Friday, March 07, 2014 3:01 AM
To: openstack@lists.openstack.org
Subject: Re: [Openstack] issue when I using pki as the token provider

On 03/05/2014 08:58 PM, Li, Chen wrote:

provider = keystone.token.providers.pki

That needs to be the full path to the class.

keystone.token.providers.pki.Provider
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
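
A preflight check for the failure reported in this thread, added here as an example (not code from the thread or from Keystone): it reads keystone.conf text, flags a [token] provider value that is not a full class path, and checks by mode bits whether a given uid can read the [signing] certfile, keyfile and ca_certs. The function names, the CamelCase heuristic and the default paths (taken from the pki_setup log above) are assumptions.

```python
import configparser
import os

# Assumed defaults: the paths keystone-manage pki_setup wrote to in the log above.
DEFAULTS = {
    "certfile": "/etc/keystone/ssl/certs/signing_cert.pem",
    "keyfile": "/etc/keystone/ssl/private/signing_key.pem",
    "ca_certs": "/etc/keystone/ssl/certs/ca.pem",
}


def readable_by(path, uid, gids=()):
    """Mode-bit check only (no ACLs, no SELinux): can uid enter the containing
    directory and read the file? Missing files count as unreadable."""
    def perms(p):
        st = os.stat(p)
        if uid == 0:  # root bypasses mode bits
            return 7
        shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
        return (st.st_mode >> shift) & 7
    try:
        return bool(perms(os.path.dirname(path) or ".") & 1 and perms(path) & 4)
    except OSError:
        return False


def preflight(conf_text, uid, gids=()):
    """Return a list of problems found for PKI token signing."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    problems = []
    provider = cp.get("token", "provider", fallback="")
    # Heuristic (assumption): a full class path ends in a CamelCase class name.
    if not provider.rsplit(".", 1)[-1][:1].isupper():
        problems.append("token.provider is not a full class path: %r" % provider)
    for opt, default in DEFAULTS.items():
        path = cp.get("signing", opt, fallback=default)
        if not readable_by(path, uid, gids):
            problems.append("signing.%s not readable by uid %d: %s" % (opt, uid, path))
    return problems


if __name__ == "__main__":
    # Constructed sample config using the provider value quoted in the thread.
    sample = "[token]\nprovider = keystone.token.providers.pki\n[signing]\n"
    for line in preflight(sample, uid=os.getuid()):
        print(line)
```

Pass the uid and group ids of the account the Keystone service actually runs as, which may differ from the account that ran pki_setup.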