wiki:GENIRacksHome/OpenGENIRacks/RenewKeystoneKeys

The Keystone PKI signing certificate expires every year, so it has to be renewed and redistributed to the other services that validate tokens.

Run the following from /etc/keystone/ssl/certs:

# This makes the Certificate Signing Request (CSR)

openssl req -newkey rsa:2048 -keyout signing_key.pem -keyform PEM -out signing_cert_req.pem -outform PEM -config openssl.conf -nodes

Responses typed at the interactive prompts, in order:

Unset
Unset
Unset
Unset
Unset
US
clemson-clemson-control-1

Sign the request with the Keystone CA to create the signing cert:

openssl ca -config openssl.conf -keyfile cakey.pem -cert ca.pem -in signing_cert_req.pem -out signing_cert_new.pem

Answer y to both prompts (sign the certificate, then commit):

y
y

Move the signing key and change ownership:

mv signing_key.pem ../private
chown keystone.keystone signing_cert_new.pem
sudo keystone-manage pki_setup --keystone-user keystone --keystone-group keystone

The other OpenStack services keep their own copy of the CA and signing cert, so you must replace each copy and restart the service:

cp /etc/keystone/ssl/certs/ca.pem /var/lib/nova/keystone-signing/cacert.pem
cp /etc/keystone/ssl/certs/signing_cert.pem /var/lib/nova/keystone-signing/signing_cert.pem
restart nova-api
cp /etc/keystone/ssl/certs/ca.pem /var/lib/cinder/cacert.pem
cp /etc/keystone/ssl/certs/signing_cert.pem /var/lib/cinder/signing_cert.pem
restart cinder-api
cp /etc/keystone/ssl/certs/ca.pem /var/lib/quantum/keystone-signing/cacert.pem
cp /etc/keystone/ssl/certs/signing_cert.pem /var/lib/quantum/keystone-signing/signing_cert.pem
restart quantum-server
cp /etc/keystone/ssl/certs/ca.pem /var/lib/glance/keystone-signing/cacert.pem
cp /etc/keystone/ssl/certs/signing_cert.pem /var/lib/glance/keystone-signing/signing_cert.pem
sudo chown glance.glance /var/lib/glance/keystone-signing/cacert.pem
sudo chown glance.glance /var/lib/glance/keystone-signing/signing_cert.pem
restart glance-api
restart glance-registry

You may need to change the ownership of the copied certs (other than glance's) to keystone.keystone.

Glance's certs must be owned by glance.glance.
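The copy-and-chown steps above are easy to get wrong on a rack with four services, and nothing on the page checks the new cert before it is distributed. The script below is an added example, not part of the GENI wiki page or of Keystone itself: it verifies that signing_cert.pem chains to ca.pem, warns when the cert is within 30 days of expiry, and then installs both files into the per-service directories the page lists with the ownership the page requires. The only tool it assumes is openssl on PATH. The PREFIX argument and the make_demo_pki function exist only so the script can be exercised against a scratch directory with constructed throwaway certs; on a rack, call distribute_signing_certs with the real /etc/keystone/ssl/certs and no prefix.

```shell
#!/bin/sh
# Added example (not from the GENI wiki page): validate a renewed Keystone PKI
# signing cert, then copy it and the CA into each service's keystone-signing
# directory with the owner the page calls for. Assumes openssl on PATH.
set -eu

# Return 0 if CERT expires within DAYS days (it needs attention), 1 otherwise.
# openssl's -checkend exits 0 when the cert is still valid past the window.
cert_expires_within() {
    days=$1; cert=$2
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Return 0 if CERT verifies against CAFILE, i.e. the chain the services will trust.
cert_signed_by() {
    cafile=$1; cert=$2
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1
}

# Print the notAfter date of CERT as openssl reports it.
cert_not_after() {
    cert=$1
    openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//'
}

# Copy ca.pem and signing_cert.pem from SRC into DEST (created if missing).
# Ownership is only changed when running as root and the owner account exists,
# so the same function can be exercised unprivileged against a scratch tree.
install_signing_certs() {
    src=$1; dest=$2; owner=$3
    mkdir -p "$dest"
    cp "$src/ca.pem" "$dest/cacert.pem"
    cp "$src/signing_cert.pem" "$dest/signing_cert.pem"
    if [ "$(id -u)" -eq 0 ] && id "${owner%%:*}" >/dev/null 2>&1; then
        chown "$owner" "$dest/cacert.pem" "$dest/signing_cert.pem"
    fi
}

# Validate the material in SRC, then distribute it to every service under PREFIX.
# PREFIX is empty on a real rack; the test points it at a scratch directory.
distribute_signing_certs() {
    src=$1; prefix=${2:-}
    cert_signed_by "$src/ca.pem" "$src/signing_cert.pem" || {
        echo "signing_cert.pem does not chain to ca.pem; refusing to distribute" >&2
        return 1
    }
    if cert_expires_within 30 "$src/signing_cert.pem"; then
        echo "warning: signing_cert.pem expires $(cert_not_after "$src/signing_cert.pem")" >&2
    fi
    # Destinations and owners are the ones the wiki page lists (chown's colon form).
    install_signing_certs "$src" "$prefix/var/lib/nova/keystone-signing"    keystone:keystone
    install_signing_certs "$src" "$prefix/var/lib/cinder"                   keystone:keystone
    install_signing_certs "$src" "$prefix/var/lib/quantum/keystone-signing" keystone:keystone
    install_signing_certs "$src" "$prefix/var/lib/glance/keystone-signing"  glance:glance
}

# Restart the token-validating services, as the page does (upstart "restart").
# Not called by the test; run it on the rack after a successful distribute.
restart_token_consumers() {
    for svc in nova-api cinder-api quantum-server glance-api glance-registry; do
        restart "$svc"
    done
}

# Build a throwaway CA and a signing cert valid for DAYS days in DIR.
# This is constructed test material only, never rack keys.
make_demo_pki() {
    dir=$1; days=${2:-20}
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=demo-ca \
        -keyout "$dir/cakey.pem" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj /CN=demo-signing \
        -keyout "$dir/signing_key.pem" -out "$dir/signing_cert_req.pem" >/dev/null 2>&1
    openssl x509 -req -in "$dir/signing_cert_req.pem" -CA "$dir/ca.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -days "$days" \
        -out "$dir/signing_cert.pem" >/dev/null 2>&1
}

# Stand-alone demo against a scratch tree:  sh renew_check.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_demo_pki "$work/certs" 20
    distribute_signing_certs "$work/certs" "$work/root"
    echo "installed under $work/root"
fi
```

The chain check is the part worth keeping even if you do the copies by hand: a signing cert that was issued by a stale or regenerated CA will be copied without complaint by cp, and only shows up later as every service rejecting every token.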

Last modified on 05/21/15 13:29:36