[keystone] PKI tokens with HA keystone requires /etc/keystone/ssl to be synchronized across all keystone servers

[breu]

using ha-controller1 and ha-controller2 roles auth_token fails to verify PKI tokens because the cert used to sign the token is not the same across multiple keystone servers.

2014-02-12 15:50:28.406 23615 WARNING keystoneclient.middleware.auth_token [-] Verify error: Command 'openssl' returned non-zero exit status 4
2014-02-12 15:50:28.408 23615 WARNING keystoneclient.middleware.auth_token [-] Authorization failed for token 02f9b6f12f8c40349da7e3682268f69e
2014-02-12 15:50:28.409 23615 INFO keystoneclient.middleware.auth_token [-] Invalid user token - rejecting request

After talking to @dolph he says that pki_setup should not be used in production and those wishing to use PKI tokens should get either a legitimately signed certificate from either a corporate/external CA or generate the CA and certs and copy them to the servers by hand.

This block should be removed: https://github.com/rcbops-cookbooks/keystone/blob/master/recipes/keystone-common.rb#L127-L132

and token_format should default to the older UUID format. default["keystone"]["pki"]["enabled"] = true https://github.com/rcbops-cookbooks/keystone/blob/master/attributes/default.rb#L157

We should also document the steps necessary to configure the CA for PKI tokens.

[mattt416]

Hi @rackerjoe,

In the setup recipe that runs on ha-controller1, we actually save the contents of the key/cert/cacert to node attributes:

https://github.com/rcbops-cookbooks/keystone/blob/master/recipes/setup.rb#L94-L102

These attributes are then used on the node running ha-controller2 to populate the files under /etc/keystone/ssl.

I've just done a test run w/ an ha-controller1/ha-controller2 node (running master cookbooks) and this worked as expected.

I'l ping you later today to see if we can track the cause of the error you encountered.

-Matt

[claco]

Closing. Can't reproduce.