Keystone certs expire every year
Run the following commands from /etc/keystone/ssl/certs.
# This makes the Certificate Signing Request (CSR)
openssl req -newkey rsa:2048 -keyout signing_key.pem -keyform PEM -out signing_cert_req.pem -outform PEM -config openssl.conf -nodes
# Answers entered at the prompts, in order:
Unset
Unset
Unset
Unset
Unset
US
clemson-clemson-control-1
Create the signing_cert
openssl ca -config openssl.conf -keyfile cakey.pem -cert ca.pem -in signing_cert_req.pem -out signing_cert_new.pem
# Answers entered at the two confirmation prompts:
y
y
Move the signing key and change ownership:
mv signing_key.pem ../private
chown keystone.keystone signing_cert_new.pem
sudo keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
The other OpenStack services maintain their own copies of the certs, so you must replace them:
cp /etc/keystone/ssl/certs/ca.pem /var/lib/nova/keystone-signing/cacert.pem
cp /etc/keystone/ssl/certs/signing_cert.pem /var/lib/nova/keystone-signing/signing_cert.pem
restart nova-api

cp /etc/keystone/ssl/certs/ca.pem /var/lib/cinder/cacert.pem
cp /etc/keystone/ssl/certs/signing_cert.pem /var/lib/cinder/signing_cert.pem
restart cinder-api

cp /etc/keystone/ssl/certs/ca.pem /var/lib/quantum/keystone-signing/cacert.pem
cp /etc/keystone/ssl/certs/signing_cert.pem /var/lib/quantum/keystone-signing/signing_cert.pem
restart quantum-server

cp /etc/keystone/ssl/certs/ca.pem /var/lib/glance/keystone-signing/cacert.pem
cp /etc/keystone/ssl/certs/signing_cert.pem /var/lib/glance/keystone-signing/signing_cert.pem
sudo chown glance.glance /var/lib/glance/keystone-signing/cacert.pem
sudo chown glance.glance /var/lib/glance/keystone-signing/signing_cert.pem
restart glance-api
restart glance-registry
You may need to change the ownership of the certs (other than Glance's) to keystone.keystone.
Glance's certs must be owned by glance.glance.
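A post-renewal check for the steps above, as an added example that is not part of the original page: it confirms that the signing cert is not close to expiry, that it matches the signing key, and that each service's copy is identical to Keystone's. The paths are the ones on this page; the function names and the 30-day warning threshold are assumptions.

```shell
#!/bin/sh
# Added example: checks to run after the renewal steps on this page.
# Paths are taken from the page; WARN_DAYS (30) is an assumed threshold.
CERT=/etc/keystone/ssl/certs/signing_cert.pem
KEY=/etc/keystone/ssl/private/signing_key.pem
WARN_DAYS=${WARN_DAYS:-30}
COPIES="/var/lib/nova/keystone-signing/signing_cert.pem
/var/lib/cinder/signing_cert.pem
/var/lib/quantum/keystone-signing/signing_cert.pem
/var/lib/glance/keystone-signing/signing_cert.pem"

# SHA-256 fingerprint of a PEM certificate (empty if unreadable).
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# True if certificate $1 expires within $2 days (or cannot be read).
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# True if private key $1 and certificate $2 carry the same public key.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$kpub" = "$cpub" ]
}

# Print every copy whose fingerprint differs from reference cert $1;
# return 1 if any copy is stale or the reference is unreadable.
stale_copies() {
    ref=$(fingerprint "$1"); shift; rc=0
    [ -n "$ref" ] || return 1
    for copy in "$@"; do
        [ "$(fingerprint "$copy")" = "$ref" ] || { echo "$copy"; rc=1; }
    done
    return $rc
}

# Run all three checks against the paths above; non-zero exit on any finding.
audit() {
    bad=0
    expires_within "$CERT" "$WARN_DAYS" && { echo "EXPIRING: $CERT"; bad=1; }
    key_matches_cert "$KEY" "$CERT" || { echo "KEY MISMATCH: $KEY"; bad=1; }
    stale_copies "$CERT" $COPIES || bad=1
    return $bad
}

if [ "${1:-}" = audit ]; then audit; fi
```

Run it as root with the argument `audit` on the controller; any path printed by the stale-copy check is a service still holding a cert that differs from Keystone's.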
Last modified on 05/21/15 13:29:36