Devendra, Please try add auth_version=2.0 to the keystone_authtoken section on both nova and neutron conf file. there is a bug may affect you. referred to https://ask.openstack.org/en/question/8235/havana-neutron-unauthorized-authentication-required/
2014-04-14 22:35 GMT+08:00 Devendra Gupta <dev29...@gmail.com>: > Thank you Yaguang. > > Now glance image-list is working fine with adding > "insecure=True" to glance-api.conf and glance-register.conf below > keystone_authtoken section. I'll also try the approach suggested by > Rob for adding cafile path. > > I also set "insecure=True" for nova and neutron. Nova is working fine > with SSL enabled keystone but neutron is still having weird issue. I > am doing Google around it and I see lots of bugs related to the issue > but nothing is clear if it's a bug or config issue, I am trying some > workarounds but nothing seems working. When I try to do "neutron > net-list", I can see error as "Authentication required" > > /etc/neutron/server.log shows following lines when net-list command is > executed: > > 2014-04-15 03:50:34.947 24843 INFO urllib3.connectionpool [-] Starting > new HTTPS connection (1): openstack-centos65 > 2014-04-15 03:50:35.045 24843 WARNING > keystoneclient.middleware.auth_token [-] Verify error: Command > 'openssl' returned non-zero exit status 4 > 2014-04-15 03:50:35.048 24843 WARNING > keystoneclient.middleware.auth_token [-] Authorization failed for > token 19ecd7820e37141d83f5ff7339da6656 > 2014-04-15 03:50:35.050 24843 INFO > keystoneclient.middleware.auth_token [-] Invalid user token - > rejecting request > > Neutron net-list --verbose output is attached. Please let me know your > inputs. > > Regards, > Devendra Gupta > > > On Mon, Apr 14, 2014 at 11:27 AM, Yaguang Tang <heut2...@gmail.com> wrote: > >> I think you should add insecure=True to glance-api.conf and >> glance-register.conf below keystone_authtoken section. >> >> >> 2014-04-14 12:45 GMT+08:00 Devendra Gupta <dev29...@gmail.com>: >> >> Ok Yelu, I am trying this, though glance image-list was working fine >>> before configuring keystone to SSL. BTW please also see the SSL error I saw >>> in glance api.log >>> >>> 2014-04-14 18:08:37.011 1989 INFO urllib3.connectionpool [-] Starting >>> new HTTPS connection (1): openstack-centos65 >>> 2014-04-14 18:08:37.039 1989 WARNING >>> keystoneclient.middleware.auth_token [-] Retrying on HTTP connection >>> exception: [Errno 1] _ssl.c:492: error:14090086:SSL >>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed >>> 2014-04-14 18:08:39.041 1989 INFO urllib3.connectionpool [-] Starting >>> new HTTPS connection (1): openstack-centos65 >>> 2014-04-14 18:08:39.069 1989 ERROR keystoneclient.middleware.auth_token >>> [-] HTTP connection exception: [Errno 1] _ssl.c:492: error:14090086:SSL >>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed >>> 2014-04-14 18:08:39.069 1989 WARNING >>> keystoneclient.middleware.auth_token [-] Authorization failed for token >>> 123aa9518c869b95c2d75ab49f12c139 >>> 2014-04-14 18:08:39.070 1989 INFO keystoneclient.middleware.auth_token >>> [-] Invalid user token - deferring reject downstream >>> >>> Regards, >>> Devendra >>> >>> On Mon, Apr 14, 2014 at 8:38 AM, Yelu <yeluaie...@gmail.com> wrote: >>> >>>> you can curl by using your username and password >>>> >>>> --os-username XX --os-password XX >>>> >>>> and check your conf here >>>> are they correct >>>> [image: Inline image 1] >>>> >>>> >>>> >>>> >>>> On Sun, Apr 13, 2014 at 7:52 PM, Devendra Gupta <dev29...@gmail.com>wrote: >>>> >>>>> Hi, >>>>> >>>>> I have configured keystone to SSL and also update the endpoint in >>>>> service catalog. Keystone operations like endpoint/tenant list working >>>>> fine. I also update glance-api.conf and glance-registry.conf files >>>>> with ssl enabled keystone details but still glance is unable to find >>>>> images. It fails with following: >>>>> >>>>> [root@openstack-centos65 glance(keystone_admin)]# glance --insecure >>>>> image-list >>>>> Request returned failure status. >>>>> Invalid OpenStack Identity credentials. >>>>> >>>>> Please see attached keystone.conf, glance-api.conf and >>>>> glance-registry.conf and debug output of glance image-list and >>>>> endpoint list. >>>>> >>>>> Regards, >>>>> Devendra >>>>> >>>>> _______________________________________________ >>>>> Mailing list: >>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack >>>>> Post to : openstack@lists.openstack.org >>>>> Unsubscribe : >>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack >>>>> >>>>> >>>> >>> >>> _______________________________________________ >>> Mailing list: >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack >>> Post to : openstack@lists.openstack.org >>> Unsubscribe : >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack >>> >>> >> >> >> -- >> Tang Yaguang >> >> Canonical Ltd. | www.ubuntu.com | www.canonical.com >> Mobile: +86 152 1094 6968 >> gpg key: 0x187F664F >> >> > > -- Tang Yaguang Canonical Ltd. | www.ubuntu.com | www.canonical.com Mobile: +86 152 1094 6968 gpg key: 0x187F664F
<<inline: image.png>>
_______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
