Re: Openstack keystone with Radosgw

[lakshmi k s <lux_ks@xxxxxxxxx>]

Thanks Mark. I got past this error being root. So essentially, I copied the certs from openstack controller node to gateway node. Did the conversion using certutil and copied the files back to controller node under /var/lib/ceph/nss directory. Is this the correct directory? Ceph doc says /var/ceph/nss though. 

But after this, I tried to use curl GET command, but in vain.Same old 401 - Authorization failure. 

curl -i -X GET http://gateway.ex.com/swift/v1/AUTH_bad9e2232b304f89acb03436635b80cc -H "X-Auth-

Token: a510edb22f074946940cd4c07aafcd9d"

HTTP/1.1 401 Unauthorized

Date: Thu, 09 Oct 2014 19:17:31 GMT

Server: Apache/2.4.7 (Ubuntu)

Accept-Ranges: bytes

Content-Length: 12

Content-Type: text/plain; charset=utf-8

AccessDeniedroot

Not much difference in radosgw logs too. Note that the token used above is same one in ceph.conf file too. Please help.

[client.radosgw.gateway]

rgw keystone url = "">

rgw keystone admin token = a510edb22f074946940cd4c07aafcd9d

rgw keystone accepted roles = admim Member _member_ swiftoperator

rgw keystone token cache size = 500

rgw keystone revocation interval = 500

rgw s3 auth use keystone = false

nss db path = /var/lib/ceph/nss

debug rgw = 20

host = gateway

keyring = /etc/ceph/ceph.client.radosgw.keyring

rgw socket path = /var/run/ceph/ceph.radosgw.gateway.fastcgi.sock

log file = /var/log/ceph/client.radosgw.gateway.log

rgw dns name = gateway

On Thursday, October 9, 2014 1:15 AM, Mark Kirkwood <mark.kirkwood@xxxxxxxxxxxxxxx> wrote:

I ran into this - needed to actually be root via sudo -i or similar,
*then* it worked. Unhelpful error message is I think referring to no
intialized db.

On 09/10/14 16:36, lakshmi k s wrote:
> Good workaround. But it did not work. Not sure what this error is all
> about now.
>
> gateway@gateway:~$ openssl x509 -in /home/gateway/ca.pem -pubkey |
> certutil -d /var/lib/ceph/nss -A -n ca -t "TCu,Cu,Tuw"
> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
> certificate/key database is in an old, unsupported format.
>
>
>
> On Wednesday, October 8, 2014 7:55 PM, Mark Kirkwood
> <mark.kirkwood@xxxxxxxxxxxxxxx> wrote:
>
>
> As a workaround check if your rgw host has openssl and certutil
> installed, if so you can copy the relevant unconverted certs over to it
> and convert 'em there.
>
> On 09/10/14 15:07, lakshmi k s wrote:
>  > Tried aptitude as well, but no luck.
>  >
>  > Ceph users, have you tried to install libnss3-tools or certutil tool on
>  > debian/ubuntu? If so, how did you go about this problem.
>  >
>  >
>  > On Wednesday, October 8, 2014 7:01 PM, Mark Kirkwood
>  > <mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>> wrote:

>  >
>  >
>  > Ok, so that is the thing to get sorted. I'd suggest posting the error(s)
>  > you are getting perhaps here (someone else might know), but definitely
>  > to one of the Debian specific lists.
>  >
>  > In the meantime perhaps try installing the packages with aptitude rather
>  > than apt-get - if there is some fancy footwork required it is fairly
>  > smart about what needs to be done.
>  >
>  > Cheers
>  >
>  > Mark
>  >
>  > On 09/10/14 14:38, lakshmi k s wrote:
>  >  > Thanks Mark. I have been trying to install this on controller
> node. But
>  >  > for some reason, I am unable to install certutil or libnss3-tools on
>  >  > debian. I am not sure how to proceed.
>  >  >
>  >
>  >
>  >
>
>
>

_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com