Background: OpenStack Queens
The Heat service API needs to support HTTPS. Two prerequisites: every OpenStack service must already be reachable over its default HTTP, and HTTPS needs a server certificate; how that certificate is generated is covered in another post of mine.
Create the endpoint
Create a new public orchestration endpoint on HTTPS (the existing HTTP endpoint stays in the catalog until it is removed at the end). The hostname in the URL, controller here, must match the CN or a SAN of the server certificate, otherwise any client that actually verifies certificates will refuse the connection.
$ openstack endpoint create --region RegionOne \
orchestration public https://controller:8004/v1/%\(tenant_id\)s
Configuration
Copy the generated certificate and key into place and give the heat user ownership of them. cp keeps whatever mode the files had under /root/ssl/self, so check that server.key is not readable by other users and tighten it if it is.
$ cp /root/ssl/self/* /etc/heat/self/
$ chown -R heat:heat /etc/heat/self/
Edit /etc/heat/heat.conf. [heat_api] makes the API listen with TLS; [clients_heat] controls how heat-engine itself talks to heat-api (nested stacks and the like). Note that insecure = True turns certificate verification off for that client, so heat-engine will accept any certificate presented on port 8004. It is needed here only because the url below uses the IP address while the certificate was issued for the hostname controller; a verifying client would reject that mismatch unless the certificate also carries the IP as a SAN. The better choice is to keep verification on and point ca_file in [clients_heat] (or in [clients], which is the default for all client sections) at the CA, or at the self-signed server certificate itself.
[heat_api]
bind_port = 8004
cert_file = /etc/heat/self/server.crt
key_file = /etc/heat/self/server.key
[clients_heat]
endpoint_type = publicURL
insecure = True
url = https://10.175.183.15:8004/v1/%(tenant_id)s
Restart the services
systemctl restart openstack-heat-api.service openstack-heat-api-cfn.service openstack-heat-engine.service
Check /var/log/heat/heat-api.log
Once the workers report starting up on https, the API side is done:
eventlet.wsgi.server [-] (9705) wsgi starting up on https://0.0.0.0:8004
INFO heat.common.wsgi [-] Started child 9706
INFO eventlet.wsgi.server [-] (9706) wsgi starting up on https://0.0.0.0:8004
INFO heat.common.wsgi [-] Started child 9707
INFO eventlet.wsgi.server [-] (9707) wsgi starting up on https://0.0.0.0:8004
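The heat.conf fragment above is the kind of thing worth auditing before it spreads to other controllers. The following is an added example, not code from the original post or from the Heat project: it reads heat.conf the way oslo.config does (no %()-interpolation, which is what trips up a naive configparser on %(tenant_id)s), flags the settings that silence certificate verification for heat-engine's own calls to heat-api, and emits a hardened copy that pins a ca_file instead of setting insecure = True. The ca_file path passed in is an assumption for the demo.

```python
"""Audit and harden the TLS client settings in heat.conf.

Added example, not code from the original post or from the Heat project.
It reads heat.conf the way oslo.config does (no %()-interpolation), flags
settings that silence certificate verification for heat-engine's own
calls to heat-api, and emits a hardened copy that pins a ca_file instead
of insecure = True. The ca_file path is an assumption for the demo.
"""
import configparser
import io
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the [heat_api] / [clients_heat] fragment shown above.
SAMPLE_HEAT_CONF = """\
[heat_api]
bind_port = 8004
cert_file = /etc/heat/self/server.crt
key_file = /etc/heat/self/server.key

[clients_heat]
endpoint_type = publicURL
insecure = True
url = https://10.175.183.15:8004/v1/%(tenant_id)s
"""

TRUE_VALUES = {"true", "1", "yes", "on"}


def load_heat_conf(text):
    """Parse heat.conf text without %() interpolation.

    oslo.config never expands %(name)s, so interpolation must be off or
    configparser raises InterpolationMissingOptionError on %(tenant_id)s.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def _client_option(parser, section, option):
    """Heat's lookup order for client options: [clients_<name>], then [clients]."""
    for candidate in (section, "clients"):
        if parser.has_option(candidate, option):
            return parser.get(candidate, option)
    return None


def audit_clients(parser):
    """Return (section, finding) tuples for every [clients*] section."""
    findings = []
    for section in parser.sections():
        if section != "clients" and not section.startswith("clients_"):
            continue
        insecure = (_client_option(parser, section, "insecure") or "").strip().lower()
        ca_file = _client_option(parser, section, "ca_file")
        url = _client_option(parser, section, "url") or ""
        if insecure in TRUE_VALUES:
            findings.append((section, "insecure = True disables certificate verification"))
        if url.lower().startswith("https://"):
            if not ca_file:
                findings.append((section, "https url without a ca_file to verify the server against"))
            host = urlsplit(url).hostname or ""
            try:
                ipaddress.ip_address(host)
            except ValueError:
                pass  # a DNS name: it must match the certificate CN or a SAN
            else:
                findings.append((section, "url names an IP literal; the certificate needs it as an IP SAN"))
    return findings


def harden(text, ca_file):
    """Return heat.conf text with insecure = False and ca_file set in every
    [clients*] section the audit flagged. The IP-literal finding is left for
    the operator: change the url host or reissue the certificate with an IP SAN."""
    parser = load_heat_conf(text)
    for section in sorted({s for s, _ in audit_clients(parser)}):
        parser.set(section, "insecure", "False")
        parser.set(section, "ca_file", ca_file)
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for section, message in audit_clients(load_heat_conf(SAMPLE_HEAT_CONF)):
        print(f"[{section}] {message}")
    print(harden(SAMPLE_HEAT_CONF, "/etc/heat/self/server.crt"))  # assumed CA path
```

Running it against the fragment above reports three findings for [clients_heat]; after hardening, only the IP-literal warning remains, because no config edit can make a certificate issued for controller valid for 10.175.183.15.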
Edit the dashboard configuration file
Just when everything seemed to be working, the dashboard could no longer be reached; strange, and nothing was reported as an error either.
# watch the journal
journalctl -xf
# the following error shows up
Feb 20 03:14:27 controller heat-api[38517]: Traceback (most recent call last):
Feb 20 03:14:27 controller heat-api[38517]: File "/usr/lib/python2.7/site-packages/eventlet/greenpool.py", line 88, in _spawn_n_impl
Feb 20 03:14:27 controller heat-api[38517]: func(*args, **kwargs)
Feb 20 03:14:27 controller heat-api[38517]: File "/usr/lib/python2.7/site-packages/eventlet/wsgi.py", line 734, in process_request
Feb 20 03:14:27 controller heat-api[38517]: proto.__init__(sock, address, self)
Feb 20 03:14:27 controller heat-api[38517]: File "/usr/lib64/python2.7/SocketServer.py", line 649, in __init__
Feb 20 03:14:27 controller heat-api[38517]: self.handle()
Feb 20 03:14:27 controller heat-api[38517]: File "/usr/lib64/python2.7/BaseHTTPServer.py", line 340, in handle
Feb 20 03:14:27 controller heat-api[38517]: self.handle_one_request()
Feb 20 03:14:27 controller heat-api[38517]: File "/usr/lib/python2.7/site-packages/eventlet/wsgi.py", line 339, in handle_one_request
Feb 20 03:14:27 controller heat-api[38517]: self.raw_requestline = self.rfile.readline(self.server.url_length_limit)
Feb 20 03:14:27 controller heat-api[38517]: File "/usr/lib64/python2.7/socket.py", line 476, in readline
Feb 20 03:14:27 controller heat-api[38517]: data = self._sock.recv(self._rbufsize)
Feb 20 03:14:27 controller heat-api[38517]: File "/usr/lib/python2.7/site-packages/eventlet/green/ssl.py", line 194, in recv
Feb 20 03:14:27 controller heat-api[38517]: return self._base_recv(buflen, flags, into=False)
Feb 20 03:14:27 controller heat-api[38517]: File "/usr/lib/python2.7/site-packages/eventlet/green/ssl.py", line 227, in _base_recv
Feb 20 03:14:27 controller heat-api[38517]: read = self.read(nbytes)
Feb 20 03:14:27 controller heat-api[38517]: File "/usr/lib/python2.7/site-packages/eventlet/green/ssl.py", line 139, in read
Feb 20 03:14:27 controller heat-api[38517]: super(GreenSSLSocket, self).read, *args, **kwargs)
Feb 20 03:14:27 controller heat-api[38517]: File "/usr/lib/python2.7/site-packages/eventlet/green/ssl.py", line 113, in _call_trampolining
Feb 20 03:14:27 controller heat-api[38517]: return func(*a, **kw)
Feb 20 03:14:27 controller heat-api[38517]: File "/usr/lib64/python2.7/ssl.py", line 651, in read
Feb 20 03:14:27 controller heat-api[38517]: v = self._sslobj.read(len or 1024)
Feb 20 03:14:27 controller heat-api[38517]: SSLError: [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1822)
The cause is clear: heat-api now speaks HTTPS, and the handshake failure logged on the server side is the dashboard's Heat client aborting the TLS handshake because it does not trust the self-signed certificate. I first went digging in httpd and tried configuring the certificate in many places without success; in the end the fix turned out to be in the dashboard's own configuration file. Note that OPENSTACK_SSL_NO_VERIFY switches certificate checks off for every service Horizon talks to, not only Heat; the alternative that keeps verification on is OPENSTACK_SSL_CACERT pointing at the CA (or, for a self-signed certificate, at the server certificate itself).
First check whether mod_ssl is installed. mod_ssl only matters for serving the dashboard itself over HTTPS; whether Horizon trusts the Heat API certificate is decided by local_settings, not by httpd.
$ vi /etc/openstack-dashboard/local_settings
# change this setting
# Disable SSL certificate checks (useful for self-signed certificates):
OPENSTACK_SSL_NO_VERIFY = True
$ systemctl restart httpd.service
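local_settings is a Python module rather than an INI file, so it has to be checked differently from heat.conf. The following is an added example, not code from the original post or from Horizon: it parses local_settings with ast, flags OPENSTACK_SSL_NO_VERIFY = True, and rewrites the file so that verification stays on and OPENSTACK_SSL_CACERT points at a CA bundle. The bundle path passed in is an assumption; with a self-signed certificate it can be the server certificate itself, as with OS_CACERT below.

```python
"""Check Horizon's local_settings for the certificate-verification switch.

Added example, not code from the original post or from Horizon. Because
local_settings is a Python module, it is parsed with ast instead of as an
INI file. The audit flags OPENSTACK_SSL_NO_VERIFY = True and the fix keeps
verification on by pointing OPENSTACK_SSL_CACERT at a CA bundle; the bundle
path used below is an assumption.
"""
import ast

# Constructed sample: the local_settings fragment shown above plus one
# unrelated setting, so the rewrite has something it must leave alone.
SAMPLE_LOCAL_SETTINGS = """\
# Disable SSL certificate checks (useful for self-signed certificates):
OPENSTACK_SSL_NO_VERIFY = True
OPENSTACK_HOST = "controller"
"""


def _assignments(text):
    """Map top-level single-line NAME = <literal> assignments to (value, lineno)."""
    found = {}
    for node in ast.parse(text).body:
        if not isinstance(node, ast.Assign) or not isinstance(node.value, ast.Constant):
            continue
        for target in node.targets:
            if isinstance(target, ast.Name):
                found[target.id] = (node.value.value, node.lineno)
    return found


def audit_local_settings(text):
    """Return a list of findings about TLS verification in local_settings."""
    settings = _assignments(text)
    no_verify = settings.get("OPENSTACK_SSL_NO_VERIFY", (False, None))[0]
    cacert = settings.get("OPENSTACK_SSL_CACERT", (None, None))[0]
    findings = []
    if no_verify is True:
        findings.append("OPENSTACK_SSL_NO_VERIFY = True: Horizon accepts any certificate "
                        "from every service API, not only Heat")
    elif not cacert:
        findings.append("no OPENSTACK_SSL_CACERT: a self-signed service certificate is "
                        "rejected unless it is in the system trust store")
    return findings


def harden_local_settings(text, cacert_path):
    """Turn the NO_VERIFY line off and set OPENSTACK_SSL_CACERT (single-line
    assignments assumed, which is how the stock local_settings is written)."""
    lines = text.splitlines()
    settings = _assignments(text)
    if "OPENSTACK_SSL_NO_VERIFY" in settings:
        lines[settings["OPENSTACK_SSL_NO_VERIFY"][1] - 1] = "OPENSTACK_SSL_NO_VERIFY = False"
    cacert_line = f"OPENSTACK_SSL_CACERT = {cacert_path!r}"
    if "OPENSTACK_SSL_CACERT" in settings:
        lines[settings["OPENSTACK_SSL_CACERT"][1] - 1] = cacert_line
    else:
        lines.append(cacert_line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(audit_local_settings(SAMPLE_LOCAL_SETTINGS))
    # /etc/openstack-dashboard/heat-ca.crt is an assumed path for the demo
    print(harden_local_settings(SAMPLE_LOCAL_SETTINGS, "/etc/openstack-dashboard/heat-ca.crt"))
```

The rewrite touches only the two TLS settings and leaves everything else in the file, including its comments, in place; after the change the audit comes back empty, which is the state the dashboard should be in before the old HTTP endpoint is removed.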
Test
Add the following to ~/adminrc and source it. Unlike insecure = True and OPENSTACK_SSL_NO_VERIFY, OS_CACERT keeps verification on and simply tells the CLI which certificate to trust:
export OS_CACERT=/root/ssl/self/server.crt
Run a CLI command: because the client verifies the certificate here, a successful listing also confirms that the certificate matches the endpoint hostname. If the output is normal, the old HTTP orchestration endpoints on port 8004 can be deleted (openstack endpoint list shows their IDs), and the heat-api log should show the request arriving over HTTPS.
$ openstack stack list
$ tail -f /var/log/heat/heat-api.log