ccollicutt / swiftacular

Deploy OpenStack Swift with Ansible and Vagrant
BSD 2-Clause "Simplified" License

Keystone certificate generation error #29

Open brainstorm opened 10 years ago

brainstorm commented 10 years ago

On a clean run, again on bare metal, not blaming your excellent Vagrant/VirtualBox approach:

root@owncloud-dev:/var/log/keystone# cat keystone.log.1
(keystone.openstack.common.versionutils): 2014-08-20 14:15:16,289 WARNING Deprecated: keystone.middleware.core.XmlBodyMiddleware is deprecated as of Icehouse in favor of support for "application/json" only and may be removed in K.
(keystone): 2014-08-21 06:34:20,684 CRITICAL CalledProcessError: Command '['openssl', 'ca', '-batch', '-out', '/etc/keystone/ssl/certs/signing_cert.pem', '-config', '/etc/keystone/ssl/certs/openssl.conf', '-days', '3650d', '-cert', '/etc/keystone/ssl/certs/ca.pem', '-keyfile', '/etc/keystone/ssl/private/cakey.pem', '-infiles', '/etc/keystone/ssl/certs/req.pem']' returned non-zero exit status 1
Traceback (most recent call last):
  File "/usr/bin/keystone-manage", line 51, in <module>
    cli.main(argv=sys.argv, config_files=config_files)
  File "/usr/lib/python2.7/dist-packages/keystone/cli.py", line 191, in main
    CONF.command.cmd_class.main()
  File "/usr/lib/python2.7/dist-packages/keystone/cli.py", line 132, in main
    conf_pki.run()
  File "/usr/lib/python2.7/dist-packages/keystone/common/openssl.py", line 186, in run
    self.build_signing_cert()
  File "/usr/lib/python2.7/dist-packages/keystone/common/openssl.py", line 180, in build_signing_cert
    '-infiles', '%(request_file)s'])
  File "/usr/lib/python2.7/dist-packages/keystone/common/openssl.py", line 78, in exec_command
    environment.subprocess.check_call(to_exec)
  File "/usr/lib/python2.7/subprocess.py", line 540, in check_call
    raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '['openssl', 'ca', '-batch', '-out', '/etc/keystone/ssl/certs/signing_cert.pem', '-config', '/etc/keystone/ssl/certs/openssl.conf', '-days', '3650d', '-cert', '/etc/keystone/ssl/certs/ca.pem', '-keyfile', '/etc/keystone/ssl/private/cakey.pem', '-infiles', '/etc/keystone/ssl/certs/req.pem']' returned non-zero exit status 1

ccollicutt commented 10 years ago

Is that from keystone-manage ssl_setup being run?

The SSL part with keystone is definitely a little brittle. I've never been happy with how I've got it set up; it is not very idempotent, and the way keystone does it also changes fairly often.

You could try just keystone ssl_setup and see what is going on there and paste the errors into this ticket. :)

brainstorm commented 10 years ago

Yes, sorry, I got distracted and did not paste the actual command and output:

# openssl ca -batch -out /etc/keystone/ssl/certs/signing_cert.pem \
    -config /etc/keystone/ssl/certs/openssl.conf -days 3650d -cert /etc/keystone/ssl/certs/ca.pem \
    -keyfile /etc/keystone/ssl/private/cakey.pem -infiles /etc/keystone/ssl/certs/req.pem

Using configuration from /etc/keystone/ssl/certs/openssl.conf
CA certificate and CA private key do not match
139782758885024:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:330:

ccollicutt commented 10 years ago

OK, I will try to replicate that. Not sure if I can, but I'll give it a shot. :)
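
The "CA certificate and CA private key do not match" error quoted above means the public key inside ca.pem is not the one derived from cakey.pem. As an added example (not part of the original thread or of swiftacular), the shell script below compares the two public keys; its function names and the throwaway CA pairs it generates are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a CA certificate belong to a given private key?
# Function names are hypothetical; the demo CA pairs are constructed test data.

# Public key embedded in a certificate, as PEM (SubjectPublicKeyInfo).
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from a private key, in the same PEM form.
pubkey_of_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
ca_pair_matches() {
    local cert_pub key_pub
    cert_pub=$(pubkey_of_cert "$1") || return 2
    key_pub=$(pubkey_of_key "$2") || return 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Create a throwaway self-signed CA: $1 = directory, $2 = base name.
make_constructed_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

if [ "$#" -eq 2 ]; then
    # Real use, e.g. with the ca.pem and cakey.pem paths from the log above.
    ca_pair_matches "$1" "$2"; rc=$?
    case $rc in
        0) echo "match" ;;
        1) echo "MISMATCH: certificate does not carry this key's public half" ;;
        *) echo "could not read certificate or key" ;;
    esac
    exit "$rc"
else
    # Demo on constructed data: one consistent pair, one crossed pair.
    tmp=$(mktemp -d)
    make_constructed_ca "$tmp" old
    make_constructed_ca "$tmp" new
    ca_pair_matches "$tmp/new.pem" "$tmp/new.key" && echo "new.pem + new.key: match"
    ca_pair_matches "$tmp/new.pem" "$tmp/old.key" || echo "new.pem + old.key: mismatch"
    rm -rf "$tmp"
fi
```

Run with the certificate path first and the key path second; the exit status distinguishes a mismatch (1) from an unreadable file (2).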