Hi Yaguang, I already tried it but still facing the same issue. I added auth_version=2.0 to the keystone_authtoken section on both nova and neutron conf file and then restarted all nova and neutron services. I see exact same error in the logs as mentioned in my previous mail.
Devendra On Tue, Apr 15, 2014 at 7:39 AM, Yaguang Tang <heut2...@gmail.com> wrote: > Devendra, > > Please try add auth_version=2.0 to the keystone_authtoken section on both > nova and neutron conf file. there is a bug may affect you. > referred to > https://ask.openstack.org/en/question/8235/havana-neutron-unauthorized-authentication-required/ > > > 2014-04-14 22:35 GMT+08:00 Devendra Gupta <dev29...@gmail.com>: > > Thank you Yaguang. >> >> Now glance image-list is working fine with adding >> "insecure=True" to glance-api.conf and glance-register.conf below >> keystone_authtoken section. I'll also try the approach suggested by >> Rob for adding cafile path. >> >> I also set "insecure=True" for nova and neutron. Nova is working fine >> with SSL enabled keystone but neutron is still having weird issue. I >> am doing Google around it and I see lots of bugs related to the issue >> but nothing is clear if it's a bug or config issue, I am trying some >> workarounds but nothing seems working. When I try to do "neutron >> net-list", I can see error as "Authentication required" >> >> /etc/neutron/server.log shows following lines when net-list command is >> executed: >> >> 2014-04-15 03:50:34.947 24843 INFO urllib3.connectionpool [-] Starting >> new HTTPS connection (1): openstack-centos65 >> 2014-04-15 03:50:35.045 24843 WARNING >> keystoneclient.middleware.auth_token [-] Verify error: Command >> 'openssl' returned non-zero exit status 4 >> 2014-04-15 03:50:35.048 24843 WARNING >> keystoneclient.middleware.auth_token [-] Authorization failed for >> token 19ecd7820e37141d83f5ff7339da6656 >> 2014-04-15 03:50:35.050 24843 INFO >> keystoneclient.middleware.auth_token [-] Invalid user token - >> rejecting request >> >> Neutron net-list --verbose output is attached. Please let me know your >> inputs. >> >> Regards, >> Devendra Gupta >> >> >> On Mon, Apr 14, 2014 at 11:27 AM, Yaguang Tang <heut2...@gmail.com>wrote: >> >>> I think you should add insecure=True to glance-api.conf and >>> glance-register.conf below keystone_authtoken section. >>> >>> >>> 2014-04-14 12:45 GMT+08:00 Devendra Gupta <dev29...@gmail.com>: >>> >>> Ok Yelu, I am trying this, though glance image-list was working fine >>>> before configuring keystone to SSL. BTW please also see the SSL error I saw >>>> in glance api.log >>>> >>>> 2014-04-14 18:08:37.011 1989 INFO urllib3.connectionpool [-] Starting >>>> new HTTPS connection (1): openstack-centos65 >>>> 2014-04-14 18:08:37.039 1989 WARNING >>>> keystoneclient.middleware.auth_token [-] Retrying on HTTP connection >>>> exception: [Errno 1] _ssl.c:492: error:14090086:SSL >>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed >>>> 2014-04-14 18:08:39.041 1989 INFO urllib3.connectionpool [-] Starting >>>> new HTTPS connection (1): openstack-centos65 >>>> 2014-04-14 18:08:39.069 1989 ERROR keystoneclient.middleware.auth_token >>>> [-] HTTP connection exception: [Errno 1] _ssl.c:492: error:14090086:SSL >>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed >>>> 2014-04-14 18:08:39.069 1989 WARNING >>>> keystoneclient.middleware.auth_token [-] Authorization failed for token >>>> 123aa9518c869b95c2d75ab49f12c139 >>>> 2014-04-14 18:08:39.070 1989 INFO keystoneclient.middleware.auth_token >>>> [-] Invalid user token - deferring reject downstream >>>> >>>> Regards, >>>> Devendra >>>> >>>> On Mon, Apr 14, 2014 at 8:38 AM, Yelu <yeluaie...@gmail.com> wrote: >>>> >>>>> you can curl by using your username and password >>>>> >>>>> --os-username XX --os-password XX >>>>> >>>>> and check your conf here >>>>> are they correct >>>>> [image: Inline image 1] >>>>> >>>>> >>>>> >>>>> >>>>> On Sun, Apr 13, 2014 at 7:52 PM, Devendra Gupta <dev29...@gmail.com>wrote: >>>>> >>>>>> Hi, >>>>>> >>>>>> I have configured keystone to SSL and also update the endpoint in >>>>>> service catalog. Keystone operations like endpoint/tenant list working >>>>>> fine. I also update glance-api.conf and glance-registry.conf files >>>>>> with ssl enabled keystone details but still glance is unable to find >>>>>> images. It fails with following: >>>>>> >>>>>> [root@openstack-centos65 glance(keystone_admin)]# glance --insecure >>>>>> image-list >>>>>> Request returned failure status. >>>>>> Invalid OpenStack Identity credentials. >>>>>> >>>>>> Please see attached keystone.conf, glance-api.conf and >>>>>> glance-registry.conf and debug output of glance image-list and >>>>>> endpoint list. >>>>>> >>>>>> Regards, >>>>>> Devendra >>>>>> >>>>>> _______________________________________________ >>>>>> Mailing list: >>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack >>>>>> Post to : openstack@lists.openstack.org >>>>>> Unsubscribe : >>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack >>>>>> >>>>>> >>>>> >>>> >>>> _______________________________________________ >>>> Mailing list: >>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack >>>> Post to : openstack@lists.openstack.org >>>> Unsubscribe : >>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack >>>> >>>> >>> >>> >>> -- >>> Tang Yaguang >>> >>> Canonical Ltd. | www.ubuntu.com | www.canonical.com >>> Mobile: +86 152 1094 6968 >>> gpg key: 0x187F664F >>> >>> >> >> > > > -- > Tang Yaguang > > Canonical Ltd. | www.ubuntu.com | www.canonical.com > Mobile: +86 152 1094 6968 > gpg key: 0x187F664F > >
<<inline: image.png>>
_______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
