Can you send me the link at ask.openstack.org where you have replied? Also, there are two places that have these files, [ssl] and [signing]. Which one should I use?

Thanks.
-chen

[ssl]
#enable = True
#certfile = /etc/keystone/pki/certs/ssl_cert.pem
#keyfile = /etc/keystone/pki/private/ssl_key.pem
#ca_certs = /etc/keystone/pki/certs/cacert.pem
#ca_key = /etc/keystone/pki/private/cakey.pem
#key_size = 1024
#valid_days = 3650
#cert_required = False
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost

And

[signing]
# Deprecated in favor of provider in the [token] section
# Allowed values are PKI or UUID
#token_format =
# token_format = UUID
# token_format = PKI
#certfile = /etc/keystone/pki/certs/signing_cert.pem
#keyfile = /etc/keystone/pki/private/signing_key.pem
#ca_certs = /etc/keystone/pki/certs/cacert.pem
#ca_key = /etc/keystone/pki/private/cakey.pem
#key_size = 2048
#valid_days = 3650
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com

From: Ali, Haneef [mailto:haneef....@hp.com]
Sent: Friday, March 07, 2014 12:10 PM
To: Li, Chen; openstack@lists.openstack.org
Subject: RE: [Openstack] issue when I using pki as the token provider

[signing]
#certfile = /etc/keystone/ssl/certs/signing_cert.pem
#keyfile = /etc/keystone/ssl/private/signing_key.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem

These are the default configuration file locations. Keystone-manage pki-setup would have generated those files at that location. Check whether the files are there in that location; if not, adjust the config settings to the correct path. Also make sure those files are readable by the keystone process.

Thanks
Haneef

PS: You can also look at your question at ask.openstack.org where I have replied

From: Li, Chen [mailto:chen...@intel.com]
Sent: Thursday, March 06, 2014 5:12 PM
To: Adam Young; openstack@lists.openstack.org
Subject: Re: [Openstack] issue when I using pki as the token provider

Thanks!

But I still get an error when I run the command:

keystone user-list
Authorization Failed: Unable to sign token. (HTTP 500)

Message in /var/log/keystone/keystone.log:

2014-03-07 09:09:39.659 20794 INFO keystone.common.environment [-] Environment configured as: eventlet
2014-03-07 09:09:39.929 20794 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:35357
2014-03-07 09:09:39.930 20794 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:5000
2014-03-07 09:09:40.783 20817 INFO keystone.common.environment [-] Environment configured as: eventlet
2014-03-07 09:09:41.053 20817 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:35357
2014-03-07 09:09:41.054 20817 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:5000
2014-03-07 09:09:51.802 20817 ERROR keystone.common.cms [-] Signing error: Unable to load certificate - ensure you've configured PKI with 'keystone-manage pki_setup'
2014-03-07 09:09:51.802 20817 ERROR keystone.token.providers.pki [-] Unable to sign token
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki Traceback (most recent call last):
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/token/providers/pki.py", line 39, in _get_token_id
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki CONF.signing.keyfile)
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 144, in cms_sign_token
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki output = cms_sign_text(text, signing_cert_file_name, signing_key_file_name)
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 139, in cms_sign_text
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki raise environment.subprocess.CalledProcessError(retcode, "openssl")
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki CalledProcessError: Command 'openssl' returned non-zero exit status 3
2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki
2014-03-07 09:09:51.832 20817 WARNING keystone.common.wsgi [-] Unable to sign token.

I already ran the command:

id
uid=0(root) gid=0(root) groups=0(root)

keystone-manage pki_setup --keystone-user 0 --keystone-group 0
2014-03-06 13:01:19.905 23316 INFO keystone.common.openssl [-] openssl genrsa -out /etc/keystone/ssl/certs/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
..................................................................................................................................................+++
.......................................+++
e is 65537 (0x10001)
2014-03-06 13:01:20.171 23316 INFO keystone.common.openssl [-] openssl req -new -x509 -extensions v3_ca -key /etc/keystone/ssl/certs/cakey.pem -out /etc/keystone/ssl/certs/ca.pem -days 3650 -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
2014-03-06 13:01:20.178 23316 INFO keystone.common.openssl [-] openssl genrsa -out /etc/keystone/ssl/private/signing_key.pem 2048
Generating RSA private key, 2048 bit long modulus
........+++
..+++
e is 65537 (0x10001)
2014-03-06 13:01:20.199 23316 INFO keystone.common.openssl [-] openssl req -key /etc/keystone/ssl/private/signing_key.pem -new -out /etc/keystone/ssl/certs/req.pem -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
2014-03-06 13:01:20.205 23316 INFO keystone.common.openssl [-] openssl ca -batch -out /etc/keystone/ssl/certs/signing_cert.pem -config /etc/keystone/ssl/certs/openssl.conf -days 3650d -cert /etc/keystone/ssl/certs/ca.pem -keyfile /etc/keystone/ssl/certs/cakey.pem -infiles /etc/keystone/ssl/certs/req.pem
Using configuration from /etc/keystone/ssl/certs/openssl.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :ASN.1 12:'Unset'
localityName :ASN.1 12:'Unset'
organizationName :ASN.1 12:'Unset'
commonName :ASN.1 12:'www.example.com'
Certificate is to be certified until Mar 3 05:01:20 2024 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

From: Adam Young [mailto:ayo...@redhat.com]
Sent: Friday, March 07, 2014 3:01 AM
To: openstack@lists.openstack.org
Subject: Re: [Openstack] issue when I using pki as the token provider

On 03/05/2014 08:58 PM, Li, Chen wrote:
provider = keystone.token.providers.pki

That needs to be the full path to the class.

keystone.token.providers.pki.Provider
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
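The check suggested in the thread (confirm that the files named in [signing] exist where keystone.conf points and can be read), written out as an added example that is not part of the original messages or of Keystone's own code. The names check_signing_files and demo, the config template and the temporary directory layout are constructed for illustration; run the check as the account Keystone runs under, because os.access tests the calling user.

```python
import configparser
import os
import tempfile

# [signing] options that name files Keystone reads when signing PKI tokens.
SIGNING_FILE_OPTIONS = ("certfile", "keyfile", "ca_certs")

# Constructed config for the demo; {base} is filled in with a test directory.
CONF_TEMPLATE = """[signing]
certfile = {base}/certs/signing_cert.pem
keyfile = {base}/private/signing_key.pem
ca_certs = {base}/certs/ca.pem
"""

def check_signing_files(conf_path):
    """Return {option: (path, problem)}; problem is None when the file is usable."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    with open(conf_path) as handle:
        parser.read_file(handle)
    report = {}
    for option in SIGNING_FILE_OPTIONS:
        # Commented-out options are not parsed, so they show up as unset.
        path = parser.get("signing", option, fallback=None)
        if path is None:
            problem = "not set in [signing]"
        elif not os.path.isfile(path):
            problem = "missing"
        elif not os.access(path, os.R_OK):  # tests the calling user
            problem = "not readable"
        else:
            problem = None
        report[option] = (path, problem)
    return report

def demo():
    """Constructed case: files live under ssl/, config points at pki/ then ssl/."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("certs/signing_cert.pem", "private/signing_key.pem", "certs/ca.pem"):
            full = os.path.join(root, "ssl", rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as handle:
                handle.write("constructed placeholder, not a real PEM\n")
        conf_path = os.path.join(root, "keystone.conf")
        problems = {}
        for name in ("pki", "ssl"):
            with open(conf_path, "w") as handle:
                handle.write(CONF_TEMPLATE.format(base=os.path.join(root, name)))
            problems[name] = {o: p for o, (_, p) in check_signing_files(conf_path).items()}
        return problems
```

Calling demo() returns the problems found for a config that points at a pki/ directory and for one that points at the ssl/ directory where the files were written.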