The following keystone commands will create them for you:

    keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
    keystone-manage ssl_setup --keystone-user keystone --keystone-group keystone
    chown -R keystone:keystone /etc/keystone/ssl

Mark

From: Li, Chen [mailto:chen...@intel.com]
Sent: Thursday, March 06, 2014 5:04 PM
To: Miller, Mark M (EB SW Cloud - R&D - Corvallis); openstack@lists.openstack.org
Subject: RE: [Openstack] issue when I using PKI for token format

Where can I find these certificates ??

Thanks.
-chen

From: Miller, Mark M (EB SW Cloud - R&D - Corvallis) [mailto:mark.m.mil...@hp.com]
Sent: Friday, March 07, 2014 12:25 AM
To: Li, Chen; openstack@lists.openstack.org
Subject: RE: [Openstack] issue when I using PKI for token format

PKI tokens require certificates. Check to make sure that your Keystone installation created certificates and that your keystone.conf file points to them.

From: Li, Chen [mailto:chen...@intel.com]
Sent: Wednesday, March 05, 2014 6:00 PM
To: openstack@lists.openstack.org
Subject: [Openstack] issue when I using PKI for token format

Hi,

I'm working under CentOS 6.4 + Havana, my keystone version is:

    openstack-keystone.noarch 2013.2.2-1.el6 @openstack-havana

When I run command "keystone user-list", I get error:

    Authorization Failed: Unable to sign token. (HTTP 500)

I can get error information in both "keystone-startup.log" and "keystone.log":

    2014-03-06 09:31:29.999 18693 ERROR keystone.common.cms [-] Signing error: Unable to load certificate - ensure you've configured PKI with 'keystone-manage pki_setup'
    2014-03-06 09:31:29.999 18693 ERROR keystone.token.providers.pki [-] Unable to sign token
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki Traceback (most recent call last):
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/token/providers/pki.py", line 39, in _get_token_id
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki CONF.signing.keyfile)
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 144, in cms_sign_token
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki output = cms_sign_text(text, signing_cert_file_name, signing_key_file_name)
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 139, in cms_sign_text
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki raise environment.subprocess.CalledProcessError(retcode, "openssl")
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki CalledProcessError: Command 'openssl' returned non-zero exit status 3
    2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki
    2014-03-06 09:31:30.000 18693 WARNING keystone.common.wsgi [-] Unable to sign token.
    ~

Anyone know why this happened ???

Thanks.
-chen

My /etc/keystone/keystone.conf :

    [DEFAULT]
    [sql]
    connection = mysql://keystone:keystone@host-db/keystone
    [identity]
    [credential]
    [trust]
    [os_inherit]
    [catalog]
    driver = keystone.catalog.backends.sql.Catalog
    [endpoint_filter]
    [token]
    driver = keystone.token.backends.memcache.Token
    [cache]
    [policy]
    [ec2]
    [assignment]
    [oauth1]
    [ssl]
    [signing]
    [ldap]
    [auth]
    methods = external,password,token,oauth1
    password = keystone.auth.plugins.password.Password
    token = keystone.auth.plugins.token.Token
    oauth1 = keystone.auth.plugins.oauth1.OAuth
    [paste_deploy]
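A check for the situation in this thread, as an added example that is not part of the original e-mails and is not Keystone's own code: it resolves the signing paths from keystone.conf, falling back to Keystone's default locations when [signing] is empty as in the posted file, and reports files that are missing, not owned by the service account, or a private key accessible to other users. The function names and the ownership and permission rules are assumptions of this example.

```python
import configparser
import os
import stat

# Keystone's defaults for [signing]; they apply when an option is not set,
# as with the empty [signing] section posted in the thread.
SIGNING_DEFAULTS = {
    "certfile": "/etc/keystone/ssl/certs/signing_cert.pem",
    "keyfile": "/etc/keystone/ssl/private/signing_key.pem",
    "ca_certs": "/etc/keystone/ssl/certs/ca.pem",
}


def signing_paths(conf_path):
    """Return the effective certfile/keyfile/ca_certs paths for a keystone.conf."""
    parser = configparser.RawConfigParser(strict=False)
    if not parser.read(conf_path):
        raise IOError("cannot read %s" % conf_path)
    paths = dict(SIGNING_DEFAULTS)
    for opt in SIGNING_DEFAULTS:
        if parser.has_option("signing", opt):
            paths[opt] = parser.get("signing", opt)
    return paths


def check_signing_files(paths, owner_uid):
    """List problems that would stop Keystone signing tokens or expose its key."""
    problems = []
    for opt, path in sorted(paths.items()):
        if not os.path.isfile(path):
            problems.append("%s: %s is missing; run keystone-manage pki_setup" % (opt, path))
            continue
        st = os.stat(path)
        if st.st_uid != owner_uid:
            problems.append("%s: %s is not owned by uid %d" % (opt, path, owner_uid))
        # The private key must never be accessible to "other" users.
        if opt == "keyfile" and stat.S_IMODE(st.st_mode) & stat.S_IRWXO:
            problems.append("%s: %s is accessible to other users" % (opt, path))
    return problems


if __name__ == "__main__":
    import pwd
    import sys
    conf = sys.argv[1] if len(sys.argv) > 1 else "/etc/keystone/keystone.conf"
    # Assumes the service account is named "keystone", as in the thread's chown.
    found = check_signing_files(signing_paths(conf), pwd.getpwnam("keystone").pw_uid)
    print("\n".join(found) or "signing files present and owned by keystone")
    sys.exit(1 if found else 0)
```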