Re: [openstack-dev] [devstack] How to enable SSL in devStack?
Clark Boylan wrote:
> On Wed, Jul 20, 2016, at 07:01 AM, Rob Crittenden wrote:
>> Andrey Pavlov wrote:
>>> Hi,
>>>
>>> When I ran devstack with SSL I found a bug and tried to fix it -
>>> https://review.openstack.org/#/c/242812/
>>> But no one agrees with me.
>>> Try to apply this patch - it may help.
>>> Also there is a chance that new bugs are present in devstack that
>>> prevented installing it with SSL.
>>
>> Seeing how some other things in your local.conf might help but when I
>> tried to reproduce it I got the same error and it failed because Apache
>> didn't have an SSL listener on 443.
>>
>> I'm not sure I'd recommend direct SSL in any case. I'd recommend the
>> tls-proxy service instead. Note that I'm pretty sure it has the same
>> problem: it hasn't been updated to handle port 443 for Keystone.
>
> I pushed a change up (https://review.openstack.org/#/c/296771/) to
> enable tls-proxy in devstack-gate to see how it does and it wasn't too
> happy. Is it worth trying to make a push on this and just enabling it by
> default in devstack?

The failure is due to the Keystone switch to using URLs in favor of ports to distinguish user and admin operations. The fix is fairly straightforward and I have it fixed in a related change, switching from stud to mod_proxy https://review.openstack.org/#/c/301172

I'd be fine making the tls-proxy gate job voting once we get things working again.

rob

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [devstack] How to enable SSL in devStack?
On Wed, Jul 20, 2016, at 07:01 AM, Rob Crittenden wrote:
> Andrey Pavlov wrote:
> > Hi,
> >
> > When I ran devstack with SSL I found a bug and tried to fix it -
> > https://review.openstack.org/#/c/242812/
> > But no one agrees with me.
> > Try to apply this patch - it may help.
> > Also there is a chance that new bugs are present in devstack that
> > prevented installing it with SSL.
>
> Seeing how some other things in your local.conf might help but when I
> tried to reproduce it I got the same error and it failed because Apache
> didn't have an SSL listener on 443.
>
> I'm not sure I'd recommend direct SSL in any case. I'd recommend the
> tls-proxy service instead. Note that I'm pretty sure it has the same
> problem: it hasn't been updated to handle port 443 for Keystone.

I pushed a change up (https://review.openstack.org/#/c/296771/) to enable tls-proxy in devstack-gate to see how it does and it wasn't too happy. Is it worth trying to make a push on this and just enabling it by default in devstack?

Clark
Re: [openstack-dev] [devstack] How to enable SSL in devStack?
Brant Knudson wrote:
> On Wed, Jul 20, 2016 at 12:29 PM, Rob Crittenden wrote:
>
>> Fixing Keystone is easy. An Apache VirtualHost for 443 needs to be added.
>>
>> But I found another, deeper problem: cinder won't listen on SSL. When they
>> switched to using oslo_service for WSGI they completely removed the ability
>> to use SSL.
>> See bug https://bugs.launchpad.net/cinder/+bug/1590901
>>
>> rob
>
> Problems like this should make us wonder why we're reimplementing basic
> functionality like TLS termination. Existing wsgi containers (uwsgi,
> gunicorn, and apache) all handle TLS termination just fine.

I'm not exactly sure what you mean. If you mean that doing native TLS in eventlet is not a great idea then we are in agreement. But to remove it should require a plan, not an unexpected side-effect of another change.

rob
Re: [openstack-dev] [devstack] How to enable SSL in devStack?
On Wed, Jul 20, 2016 at 12:29 PM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>
>> Andrey Pavlov wrote:
>>
>>> Hi,
>>>
>>> When I ran devstack with SSL I found a bug and tried to fix it -
>>> https://review.openstack.org/#/c/242812/
>>> But no one agrees with me.
>>> Try to apply this patch - it may help.
>>> Also there is a chance that new bugs are present in devstack that
>>> prevented installing it with SSL.
>>
>> Seeing how some other things in your local.conf might help but when I
>> tried to reproduce it I got the same error and it failed because Apache
>> didn't have an SSL listener on 443.
>>
>> I'm not sure I'd recommend direct SSL in any case. I'd recommend the
>> tls-proxy service instead. Note that I'm pretty sure it has the same
>> problem: it hasn't been updated to handle port 443 for Keystone.
>>
>> I'm working on switching from stud to mod_proxy if you want to take a
>> look and this problem is fixed there, https://review.openstack.org/301172
>>
>> I'll see about adding an SSL listener to Keystone for the USE_SSL case in
>> the next few days.
>>
>> And yeah, it's a moving target. I have an experimental gate test for
>> tlsproxy but it has to be requested explicitly. My plan is to enable it
>> as non-voting once the mod_proxy changes land so it will at least be
>> more obvious when things break (or maybe we can make it voting).
>
> Fixing Keystone is easy. An Apache VirtualHost for 443 needs to be added.
>
> But I found another, deeper problem: cinder won't listen on SSL. When they
> switched to using oslo_service for WSGI they completely removed the ability
> to use SSL.
> See bug https://bugs.launchpad.net/cinder/+bug/1590901
>
> rob

Problems like this should make us wonder why we're reimplementing basic functionality like TLS termination. Existing wsgi containers (uwsgi, gunicorn, and apache) all handle TLS termination just fine.

--
- Brant
Re: [openstack-dev] [devstack] How to enable SSL in devStack?
Rob Crittenden wrote:
> Andrey Pavlov wrote:
>> Hi,
>>
>> When I ran devstack with SSL I found a bug and tried to fix it -
>> https://review.openstack.org/#/c/242812/
>> But no one agrees with me.
>> Try to apply this patch - it may help.
>> Also there is a chance that new bugs are present in devstack that
>> prevented installing it with SSL.
>
> Seeing how some other things in your local.conf might help but when I
> tried to reproduce it I got the same error and it failed because Apache
> didn't have an SSL listener on 443.
>
> I'm not sure I'd recommend direct SSL in any case. I'd recommend the
> tls-proxy service instead. Note that I'm pretty sure it has the same
> problem: it hasn't been updated to handle port 443 for Keystone.
>
> I'm working on switching from stud to mod_proxy if you want to take a
> look and this problem is fixed there, https://review.openstack.org/301172
>
> I'll see about adding an SSL listener to Keystone for the USE_SSL case in
> the next few days.
>
> And yeah, it's a moving target. I have an experimental gate test for
> tlsproxy but it has to be requested explicitly. My plan is to enable it
> as non-voting once the mod_proxy changes land so it will at least be
> more obvious when things break (or maybe we can make it voting).

Fixing Keystone is easy. An Apache VirtualHost for 443 needs to be added.

But I found another, deeper problem: cinder won't listen on SSL. When they switched to using oslo_service for WSGI they completely removed the ability to use SSL.

See bug https://bugs.launchpad.net/cinder/+bug/1590901

rob
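A check for the failure described in the message above (Apache without an SSL listener on 443), as an added example that is not part of the thread or of devstack: it scans Apache configuration text for a `Listen 443` directive and a `<VirtualHost>` on that port with `SSLEngine on`. The sample configurations, the paths in them and the function name `tls_listener_problems` are constructed for illustration, and `Include`d files are not followed.

```python
import re

# Constructed sample configs for illustration (not devstack's real vhost files).
HTTP_ONLY = """\
Listen 80
<VirtualHost *:80>
    WSGIScriptAlias /identity /opt/example/keystone-wsgi
</VirtualHost>
"""
WITH_TLS = HTTP_ONLY + """\
Listen 443
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /opt/example/certs/devstack.crt
    SSLCertificateKeyFile /opt/example/certs/devstack.key
    WSGIScriptAlias /identity /opt/example/keystone-wsgi
</VirtualHost>
"""


def tls_listener_problems(conf, port=443):
    """Return the reasons `conf` has no usable TLS listener on `port` (empty if OK)."""
    listens, vhosts, current = set(), [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        listen = re.match(r"Listen\s+(?:\S+:)?(\d+)\b", line, re.I)
        vhost = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if listen:
            listens.add(int(listen.group(1)))
        elif vhost:
            # A vhost may list several addresses, e.g. "*:443 [::1]:443".
            ports = {int(p) for p in re.findall(r":(\d+)(?=\s|$)", vhost.group(1))}
            current = {"ports": ports, "ssl": False}
            vhosts.append(current)
        elif re.match(r"</VirtualHost>", line, re.I):
            current = None
        elif current is not None and re.match(r"SSLEngine\s+on\b", line, re.I):
            current["ssl"] = True

    problems = []
    if port not in listens:
        problems.append(f"no 'Listen {port}' directive")
    on_port = [v for v in vhosts if port in v["ports"]]
    if not on_port:
        problems.append(f"no <VirtualHost> bound to port {port}")
    elif not any(v["ssl"] for v in on_port):
        problems.append(f"VirtualHost on port {port} lacks 'SSLEngine on'")
    return problems
```

An empty list means the configuration text declares a TLS-enabled virtual host on the port; it does not prove the certificate is valid or that Apache has loaded the file.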
Re: [openstack-dev] [devstack] How to enable SSL in devStack?
Andrey Pavlov wrote:
> Hi,
>
> When I ran devstack with SSL I found a bug and tried to fix it -
> https://review.openstack.org/#/c/242812/
> But no one agrees with me.
> Try to apply this patch - it may help.
> Also there is a chance that new bugs are present in devstack that
> prevented installing it with SSL.

Seeing how some other things in your local.conf might help but when I tried to reproduce it I got the same error and it failed because Apache didn't have an SSL listener on 443.

I'm not sure I'd recommend direct SSL in any case. I'd recommend the tls-proxy service instead. Note that I'm pretty sure it has the same problem: it hasn't been updated to handle port 443 for Keystone.

I'm working on switching from stud to mod_proxy if you want to take a look and this problem is fixed there, https://review.openstack.org/301172

I'll see about adding an SSL listener to Keystone for the USE_SSL case in the next few days.

And yeah, it's a moving target. I have an experimental gate test for tlsproxy but it has to be requested explicitly. My plan is to enable it as non-voting once the mod_proxy changes land so it will at least be more obvious when things break (or maybe we can make it voting).

rob
Re: [openstack-dev] [devstack] How to enable SSL in devStack?
Hi,

When I ran devstack with SSL I found a bug and tried to fix it -
https://review.openstack.org/#/c/242812/
But no one agrees with me.
Try to apply this patch - it may help.
Also there is a chance that new bugs are present in devstack that prevented installing it with SSL.

Regards,
Andrey.

On Wed, Jul 20, 2016 at 4:38 AM, Wenzhi Yu (yuywz) wrote:
> Thanks for your reply, Andrey. I tried setting USE_SSL=True but still got the
> same error:
>
> 2016-07-20 01:29:21.446 | Discovering versions from the identity service
> failed when creating the password plugin. Attempting to determine version
> from URL.
> 2016-07-20 01:29:21.446 | Could not determine a suitable URL for the plugin.
>
> Please see the detailed log here: http://paste.openstack.org/show/538761/
> Here is my local.conf: http://paste.openstack.org/show/538762/
>
> 2016-07-20
>
> Best Regards,
> Wenzhi Yu (yuywz)
>
> From: Andrey Pavlov
> Sent: 2016-07-19 16:46
> Subject: Re: [openstack-dev] [devstack] How to enable SSL in devStack?
> To: "OpenStack Development Mailing List (not for usage questions)"
> Cc:
>
> just add
>
> USE_SSL=True
>
> to your localrc before running stack.sh
>
> Regards,
> Andrey.
>
> On Tue, Jul 19, 2016 at 10:17 AM, Wenzhi Yu (yuywz) wrote:
>> Hi folks,
>>
>> I want to configure the openstack endpoints to use SSL in devStack.
>>
>> I searched on the internet and found some posts like [1] and tried the
>> configuration in the post, but devStack script failed with error messages
>> like:
>> "Discovering versions from the identity service failed when creating the
>> password plugin. Attempting to determine version from URL. Could not
>> determine a suitable URL for the plugin."
>> [1]https://ask.openstack.org/en/question/45348/devstack-with-ssl/
>>
>> So how to enable SSL in devStack? Can anyone please give me some guidance?
>> Thanks!
>>
>> 2016-07-19
>>
>> Best Regards,
>> Wenzhi Yu (yuywz)
>
> --
> Kind regards,
> Andrey Pavlov.

--
Kind regards,
Andrey Pavlov.
Re: [openstack-dev] [devstack] How to enable SSL in devStack?
Thanks for your reply, Andrey. I tried setting USE_SSL=True but still got the same error:

2016-07-20 01:29:21.446 | Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
2016-07-20 01:29:21.446 | Could not determine a suitable URL for the plugin.

Please see the detailed log here: http://paste.openstack.org/show/538761/
Here is my local.conf: http://paste.openstack.org/show/538762/

2016-07-20

Best Regards,
Wenzhi Yu (yuywz)

From: Andrey Pavlov
Sent: 2016-07-19 16:46
Subject: Re: [openstack-dev] [devstack] How to enable SSL in devStack?
To: "OpenStack Development Mailing List (not for usage questions)"
Cc:

just add

USE_SSL=True

to your localrc before running stack.sh

Regards,
Andrey.

On Tue, Jul 19, 2016 at 10:17 AM, Wenzhi Yu (yuywz) wrote:
> Hi folks,
>
> I want to configure the openstack endpoints to use SSL in devStack.
>
> I searched on the internet and found some posts like [1] and tried the
> configuration in the post, but devStack script failed with error messages
> like:
> "Discovering versions from the identity service failed when creating the
> password plugin. Attempting to determine version from URL. Could not
> determine a suitable URL for the plugin."
> [1]https://ask.openstack.org/en/question/45348/devstack-with-ssl/
>
> So how to enable SSL in devStack? Can anyone please give me some guidance?
> Thanks!
>
> 2016-07-19
>
> Best Regards,
> Wenzhi Yu (yuywz)

--
Kind regards,
Andrey Pavlov.
Re: [openstack-dev] [devstack] How to enable SSL in devStack?
just add

USE_SSL=True

to your localrc before running stack.sh

Regards,
Andrey.

On Tue, Jul 19, 2016 at 10:17 AM, Wenzhi Yu (yuywz) wrote:
> Hi folks,
>
> I want to configure the openstack endpoints to use SSL in devStack.
>
> I searched on the internet and found some posts like [1] and tried the
> configuration in the post, but devStack script failed with error messages
> like:
> "Discovering versions from the identity service failed when creating the
> password plugin. Attempting to determine version from URL. Could not
> determine a suitable URL for the plugin."
> [1]https://ask.openstack.org/en/question/45348/devstack-with-ssl/
>
> So how to enable SSL in devStack? Can anyone please give me some guidance?
> Thanks!
>
> 2016-07-19
>
> Best Regards,
> Wenzhi Yu (yuywz)

--
Kind regards,
Andrey Pavlov.
[openstack-dev] [devstack] How to enable SSL in devStack?
Hi folks,

I want to configure the openstack endpoints to use SSL in devStack.

I searched on the internet and found some posts like [1] and tried the configuration in the post, but devStack script failed with error messages like:
"Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL. Could not determine a suitable URL for the plugin."

[1] https://ask.openstack.org/en/question/45348/devstack-with-ssl/

So how to enable SSL in devStack? Can anyone please give me some guidance? Thanks!

2016-07-19

Best Regards,
Wenzhi Yu (yuywz)