Do you have this in your haproxy front end config?

reqadd X-Forwarded-Proto:\ https

And this in your keystone.conf?

secure_proxy_ssl_header=HTTP_X_FORWARDED_PROTO

I think that’s what I had to do to tell haproxy to add a header that keystone 
then matched to know when to return https.

> On Feb 21, 2017, at 8:56 PM, Chris Apsey <[email protected]> wrote:
> 
> I'm having a strange issue with keystone after migrating all public endpoints 
> to https (haproxy terminates the SSL connection for each service):
> 
> openstack endpoint list
> 
> +----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
> | ID                               | Region    | Service Name | Service Type   | Enabled | Interface | URL                                             |
> +----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
> ...
> | 99d302d00ab3461cb9362236c865a430 | RegionOne | keystone     | identity       | True    | public    | https://some.domain.place:5000/v3                 |
> ...
> 
> I have also updated my rc files appropriately.  Whenever I try and use the 
> CLI against the public endpoints in debug mode, everything starts out looking 
> good:
> 
> REQ: curl -g -i -X GET https://some.domain.place:5000/v3 -H "Accept: 
> application/json" -H "User-Agent: osc-lib keystoneauth1/2.12.1 
> python-requests/2.11.1 CPython/2.7.9"
> 
> But then, the response body gives a non-https URL:
> 
> RESP BODY: {"version": {"status": "stable", "updated": 
> "2016-10-06T00:00:00Z", "media-types": [{"base": "application/json", "type": 
> "application/vnd.openstack.identity-v3+json"}], "id": "v3.7", "links": 
> [{"href": "http://some.domain.place:5000/v3/", "rel": "self"}]}}
> 
> and then the attempt to authenticate fails:
> 
> Making authentication request to http://some.domain.place:5000/v3/auth/tokens
> Starting new HTTP connection (1): some.domain.place
> Unable to establish connection to http://some.domain.place:5000/v3/auth/tokens
> 
> I've restarted apache2 on my keystone hosts and I have scoured the database 
> for any reference to a non-https public endpoint for keystone; I cannot find 
> one.
> 
> Does anyone know why my response body is giving the wrong URL?  Horizon works 
> perfectly fine with the https endpoints; it's just the command line clients 
> that are having issues.
> 
> Thanks in advance,
> 
> -- 
> v/r
> 
> Chris Apsey
> [email protected]
> https://www.bitskrieg.net
> 
> _______________________________________________
> OpenStack-operators mailing list
> [email protected]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
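
A simplified model of how the two settings in the reply work together, added here as an example and not taken from keystone or from the thread: the backend only ever sees plain HTTP from haproxy, so the "self" link stays http:// unless the forwarded header is allowed to set the scheme. `version_app`, `trust_proxy_scheme` and `self_link` are hypothetical names, and the request is constructed.

```python
from wsgiref.util import application_uri, setup_testing_defaults

# Same environ key the reply sets as secure_proxy_ssl_header in keystone.conf.
SECURE_PROXY_SSL_HEADER = "HTTP_X_FORWARDED_PROTO"


def version_app(environ, start_response):
    """Hypothetical stand-in for the identity API root: returns its 'self' link."""
    href = application_uri(environ).rstrip("/") + "/v3/"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [href.encode()]


def trust_proxy_scheme(app, header_key=SECURE_PROXY_SSL_HEADER):
    """Simplified model (an assumption, not keystone's code): the header set by
    the TLS-terminating proxy decides wsgi.url_scheme for generated URLs."""
    def middleware(environ, start_response):
        # Exact match only; any other value leaves the scheme untouched.
        if environ.get(header_key, "").strip().lower() == "https":
            environ["wsgi.url_scheme"] = "https"
        return app(environ, start_response)
    return middleware


def self_link(app, forwarded_proto=None):
    """Send one constructed request, as it reaches the backend over plain HTTP."""
    environ = {"HTTP_HOST": "some.domain.place:5000", "SERVER_PORT": "5000"}
    setup_testing_defaults(environ)  # fills in wsgi.url_scheme = "http"
    if forwarded_proto is not None:
        # What "X-Forwarded-Proto: <value>" looks like in the WSGI environ.
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    body = app(environ, lambda status, headers: None)
    return b"".join(body).decode()


if __name__ == "__main__":
    proxied = trust_proxy_scheme(version_app)
    print("no header      :", self_link(proxied))
    print("header = https :", self_link(proxied, "https"))
    print("header ignored :", self_link(version_app, "https"))
```

The header is only meaningful when the backend is reachable solely through the proxy, since the backend cannot tell who set it.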
