Hi all,

being on OpenStack Icehouse 2014.1.3 I am trying to exchange the default token signing certificate (the one generated during installation of the .deb package) with one signed by our CA. I followed http://docs.openstack.org/admin-guide-cloud/content/certificates-for-pki.html for certificate creation and signed the request with our (intermediate) CA cert. I am pretty sure the certificate is okay - I can sign and verify stuff using openssl:

$ sudo openssl cms -sign -inkey private/signing_key.pem -nosmimecap -nodetach -nocerts -noattr -signer certs/signing_cert.pem -out /tmp/test_token
test9876
$ sudo openssl cms -verify -certfile certs/signing_cert.pem -CAfile certs/ca.pem -nosmimecap -nodetach -nocerts -noattr < /tmp/test_token
test9876
Verification successful

However, when I deploy the new ca.pem, signing_cert.pem and signing_key.pem to keystone, everything except keystone breaks.

$ keystone user-list
+----------------------------------+------------------+---------+---------------------------------+
|                id                |       name       | enabled |              email              |
+----------------------------------+------------------+---------+---------------------------------+
| befedd5af2bf49158a326dce5650bdbe |      admin       |   True  |        [email protected]        |
…

$ glance image-list
Request returned failure status.
Invalid OpenStack Identity credentials.

glance/api.log:
2015-04-21 13:58:22.270 9193 WARNING keystoneclient.middleware.auth_token [-] Verify error: Command 'openssl' returned non-zero exit status 4
2015-04-21 13:58:22.271 9193 WARNING keystoneclient.middleware.auth_token [-] Authorization failed for token

I have no problem using the same credentials and the certs generated during installation. I am feeling like I am missing something obvious, but I can't figure out what. Any help is appreciated.

Best regards,
Daniel
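
To see how the contents of the `-CAfile` bundle affect the `openssl cms -verify` check quoted in the message above, here is an added example that is not part of the original post. It builds a throwaway root CA, intermediate CA and signing certificate (all names and files are constructed for the lab) and compares the exit status when the CA file holds only the intermediate against the full chain.

```shell
#!/usr/bin/env bash
# Constructed lab: root CA -> intermediate CA -> token signing certificate.
# Nothing here touches a real keystone installation; all files live in a temp dir.
set -u
lab=$(mktemp -d)
trap 'rm -rf "$lab"' EXIT
echo "basicConstraints=critical,CA:TRUE" > "$lab/ca.ext"

mkcert() {  # mkcert <name> <issuer-name|self> [extfile]
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=lab-$1" \
    -keyout "$lab/$1.key" -out "$lab/$1.csr" 2>/dev/null
  if [ "$2" = self ]; then signer="-signkey $lab/$1.key"
  else signer="-CA $lab/$2.pem -CAkey $lab/$2.key -CAcreateserial"; fi
  # $signer is intentionally unquoted so it splits into separate arguments
  openssl x509 -req -in "$lab/$1.csr" $signer -days 1 \
    ${3:+-extfile "$3"} -out "$lab/$1.pem" 2>/dev/null
}

mkcert root    self  "$lab/ca.ext"   # self-signed trust anchor
mkcert inter   root  "$lab/ca.ext"   # intermediate CA, issued by the root
mkcert signing inter                 # signing certificate, issued by the intermediate
cat "$lab/root.pem" "$lab/inter.pem" > "$lab/chain.pem"

# Sign a sample payload with the same flags as in the post.
printf 'test9876\n' | openssl cms -sign -inkey "$lab/signing.key" \
  -signer "$lab/signing.pem" -nosmimecap -nodetach -nocerts -noattr \
  -out "$lab/token" 2>/dev/null

verify_with() {  # verify_with <CAfile>; returns the exit status of openssl
  openssl cms -verify -certfile "$lab/signing.pem" -CAfile "$1" \
    -nosmimecap -nodetach -nocerts -noattr < "$lab/token" >/dev/null 2>&1
}

# Without -partial_chain, openssl needs a path up to a self-signed certificate,
# so the intermediate alone is rejected while the full chain is accepted.
for ca in inter.pem chain.pem; do
  verify_with "$lab/$ca"
  echo "CAfile=$ca -> openssl exit status $?"
done
```

Running the same `verify_with` check against the CA file and signing certificate a service actually loads shows whether that service can build the chain for the new certificate.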
