OpenStack：如何为 Keystone 启用基于证书加密的 HTTPS 服务？
在网上找到了相关问题，但是尝试了一直没解决，求大神们帮忙。
# Apache's TLS module; the wsgi-keystone vhost below depends on it (SSLEngine on).
yum install -y mod_ssl
# Creates a self-signed CA plus a server key/cert under /etc/keystone/ssl; the
# subject CN defaults to localhost (see the keystone.log lines below).
keystone-manage ssl_setup
直接生成的证书，其域名（CN）默认为 localhost
[root@controller ~]# keystone-manage ssl_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# tailf /var/log/keystone/keystone.log
2014-01-02 00:12:50.593 22821 INFO keystone.common.openssl [-] Running command - openssl genrsa -out /etc/keystone/ssl/private/cakey.pem 1024
2014-01-02 00:12:50.631 22821 INFO keystone.common.openssl [-] Running command - openssl req -new -x509 -extensions v3_ca -key /etc/keystone/ssl/private/cakey.pem -out /etc/keystone/ssl/certs/ca.pem -days 3650 -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
2014-01-02 00:12:50.643 22821 INFO keystone.common.openssl [-] Running command - openssl genrsa -out /etc/keystone/ssl/private/keystonekey.pem 1024
2014-01-02 00:12:50.667 22821 INFO keystone.common.openssl [-] Running command - openssl req -key /etc/keystone/ssl/private/keystonekey.pem -new -out /etc/keystone/ssl/certs/req.pem -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
2014-01-02 00:12:50.676 22821 INFO keystone.common.openssl [-] Running command - openssl ca -batch -out /etc/keystone/ssl/certs/keystone.pem -config /etc/keystone/ssl/certs/openssl.conf -days 3650d -cert /etc/keystone/ssl/certs/ca.pem -keyfile /etc/keystone/ssl/private/cakey.pem -infiles /etc/keystone/ssl/certs/req.pem
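# Re-issue the CA certificate and the server certificate with CN=controller, reusing
# the keys that keystone-manage ssl_setup already created under /etc/keystone/ssl/private.
# NOTE(review): the ssl_setup log shows both keys were generated with `genrsa ... 1024`;
# 1024-bit RSA is below current minimums, so regenerating them at 2048 bits (same file
# names, so openssl.conf and the vhost keep working) before this step is advisable.
# The CN chosen here must be the host name clients actually connect to (endpoint URLs,
# OS_AUTH_URL); with OS_CACERT set the client verifies the host name and a mismatch
# fails the TLS handshake. Newer clients may check subjectAltName rather than CN.
# The options were split as `- out` / `- keyfile` in the post; an option name takes no space.
openssl req -new -x509 -extensions v3_ca \
  -key /etc/keystone/ssl/private/cakey.pem \
  -out /etc/keystone/ssl/certs/ca.pem \
  -days 3650 \
  -config /etc/keystone/ssl/certs/openssl.conf \
  -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=controller
openssl req -new \
  -key /etc/keystone/ssl/private/keystonekey.pem \
  -out /etc/keystone/ssl/certs/req.pem \
  -config /etc/keystone/ssl/certs/openssl.conf \
  -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=controller
# `-days` takes a plain integer; the trailing `d` in `3650d` was copied from the log line.
# `-infiles` must stay last: everything after it is treated as a request file.
openssl ca -batch \
  -out /etc/keystone/ssl/certs/keystone.pem \
  -config /etc/keystone/ssl/certs/openssl.conf \
  -days 3650 \
  -cert /etc/keystone/ssl/certs/ca.pem \
  -keyfile /etc/keystone/ssl/private/cakey.pem \
  -infiles /etc/keystone/ssl/certs/req.pem
# Keep the key material owned by keystone; the private/ directory must stay
# unreadable to other users (httpd reads the key as root before dropping privileges).
chown -R keystone:keystone /etc/keystone/ssl/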
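# TLS settings for keystone's own eventlet server. They only matter when keystone is
# run as a standalone service; when it is served through the httpd vhost below, TLS is
# terminated by mod_ssl and these keys are not consulted.
# Each --set is a separate command. In the post the first two were run on one line,
# so the second `openstack-config ...` never ran as its own command.
openstack-config --set /etc/keystone/keystone.conf eventlet_server_ssl enable True
openstack-config --set /etc/keystone/keystone.conf eventlet_server_ssl certfile /etc/keystone/ssl/certs/keystone.pem
openstack-config --set /etc/keystone/keystone.conf eventlet_server_ssl keyfile /etc/keystone/ssl/private/keystonekey.pem
# CA that signed keystone.pem; used by clients to verify the self-signed chain.
openstack-config --set /etc/keystone/keystone.conf eventlet_server_ssl ca_certs /etc/keystone/ssl/certs/ca.pem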
[root@controller ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
......
<VirtualHost *:5000>
......
SSLEngine on
SSLCertificateFile /etc/keystone/ssl/certs/keystone.pem
SSLCertificateKeyFile /etc/keystone/ssl/private/keystonekey.pem
SSLCACertificateFile /etc/keystone/ssl/certs/ca.pem
SSLUserName SSL_CLIENT_S_DN_CN
SSLVerifyClient none
SSLVerifyDepth 10
...... </VirtualHost> ......
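# Bootstrap with the admin token against the admin port while it is still plain http.
export OS_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_TOKEN=690724e95b2f8061f6d8
# Deleting the service removes its registered endpoints as well; they are re-created below.
openstack service delete keystone
openstack service create --name keystone --description "OpenStack Identity" identity
# The host in these URLs must match the CN of the re-issued certificate (controller in the
# openssl req commands above). With OS_CACERT set, clients verify the host name, so
# https://localhost:... is rejected against a CN=controller certificate.
# Only the :5000 vhost is shown in the post; confirm the :35357 vhost also has
# `SSLEngine on` before registering an https admin endpoint.
openstack endpoint create --region RegionOne identity public https://controller:5000/v3
openstack endpoint create --region RegionOne identity internal https://controller:5000/v3
openstack endpoint create --region RegionOne identity admin https://controller:35357/v3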
[root@controller ~]# cat > /etc/keystone/admin-openrc.sh <<EOF
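export OS_PROJECT_DOMAIN_NAME=demo
export OS_USER_DOMAIN_NAME=demo
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=000000
# The host name must match the CN of the re-issued certificate (controller); with
# OS_CACERT set the client verifies it, and https://localhost fails against CN=controller.
export OS_AUTH_URL=https://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
# CA that signed keystone.pem, so the self-signed chain verifies instead of being trusted blindly.
export OS_CACERT=/etc/keystone/ssl/certs/ca.pem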
EOF
# Restart httpd so the TLS vhost takes effect; memcached is restarted with it as in the post.
systemctl restart httpd memcached
[root@controller ~]# source /etc/keystone/admin-openrc.sh
[root@controller ~]# openstack endpoint list --service keystone
+----------------------------------+-----------+--------------+------------
| 52e1e41c4f774dd1b9dfe9e87d11868a | RegionOne | keystone | identity | True
| admin | https://localhost:35357/v3 |
| 70a0f69a57784d708f69c0d466da0899 | RegionOne | keystone | identity | True
| internal | https://localhost:5000/v3 |
| af90d9434d4e453c8e771aa7908505c7 | RegionOne | keystone | identity | True
| public | https://localhost:5000/v3 |
+----------------------------------+-----------+--------------+------------
https://docs.openstack.org/mitaka/admin-guide/keystone_certificates_for_pki.html