HOWTO - Fix OpenStack Nova and Keystone Certificates

Suddenly, my OpenStack APIs stopped working with an ERROR: Unauthorized (HTTP 401). I could still log in from the Horizon web interface, though, and I could still run keystone commands. I could not find much info online, but eventually it turned out that the SSL certificates had expired!

So here is how to fix this issue and generate certificates that expire in 10 years instead of one. This is tested on OpenStack Grizzly, so don't run it on any other version unless you are sure that the files you modify have the same contents.

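Fix keystone certificates:

```shell
# Raise the default certificate lifetime from 365 to 3650 days
sed -i 's/default_days.*=.*365$/default_days     = 3650/' /usr/share/pyshared/keystone/common/openssl.py
# Remove the existing SSL directory (expired certificates and keys)
rm -rf /etc/keystone/ssl/
/etc/init.d/keystone restart
# Regenerate the PKI files for the keystone user
keystone-manage pki_setup --keystone-user keystone
```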

Fix nova-cert certificates:

```shell
# Raise the root CA, CRL and certificate lifetimes from 365 to 3650 days
sed -i 's/-days.*365 /-days 3650 /' /usr/share/pyshared/nova/CA/genrootca.sh
sed -i 's/default_crl_days.*=.*365$/default_crl_days       = 3650/' /usr/share/pyshared/nova/CA/openssl.cnf.tmpl
sed -i 's/default_days.*=.*365$/default_days           = 3650/' /usr/share/pyshared/nova/CA/openssl.cnf.tmpl
# Remove the existing CA and the cached keystone signing certificates
rm -rf /var/lib/nova/CA/
rm -rf /var/lib/nova/keystone-signing/
/etc/init.d/nova-cert restart
# Restart every nova service that has an init script
for i in /etc/init.d/nova-*; do sudo service "$(basename "$i")" restart; done
```

Check the expiry date of your new certificates:

```shell
openssl x509 -noout -in /var/lib/nova/CA/cacert.pem -dates
openssl x509 -noout -in /etc/keystone/ssl/certs/ca.pem -dates
```
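
The outage described above came from certificates expiring unnoticed, so the manual check can be turned into a scheduled one. The script below is an added example, not part of the original page; the 30-day `WARN_DAYS` threshold, the function names and the `--run` switch are assumptions, and the certificate paths are the Grizzly ones used above.

```shell
#!/bin/sh
# Added example: report certificates that are close to expiry.
# WARN_DAYS (default 30) is an assumed threshold, not a value from the page.
WARN_DAYS="${WARN_DAYS:-30}"

# check_cert FILE [DAYS]
#   returns 0 if FILE is valid for more than DAYS days,
#           1 if it expires within DAYS days or has already expired,
#           2 if FILE is missing or is not a PEM certificate.
check_cert() {
    _cert="$1"
    _days="${2:-$WARN_DAYS}"
    if [ ! -r "$_cert" ]; then
        echo "UNKNOWN  $_cert (not readable)"
        return 2
    fi
    if ! _end=$(openssl x509 -noout -enddate -in "$_cert" 2>/dev/null); then
        echo "UNKNOWN  $_cert (not a PEM certificate)"
        return 2
    fi
    _end=${_end#notAfter=}
    # -checkend N exits 0 only if the certificate is still valid N seconds from now
    if openssl x509 -noout -checkend "$(( _days * 86400 ))" -in "$_cert" >/dev/null 2>&1; then
        echo "OK       $_cert (expires $_end)"
        return 0
    fi
    echo "EXPIRING $_cert (expires $_end)"
    return 1
}

# check_all FILE... : check every file, return the worst status seen
check_all() {
    _worst=0
    for _c in "$@"; do
        _rc=0
        check_cert "$_c" || _rc=$?
        if [ "$_rc" -gt "$_worst" ]; then _worst=$_rc; fi
    done
    return "$_worst"
}

# The two CA certificates this page regenerates (Grizzly paths from above)
check_openstack_certs() {
    check_all /var/lib/nova/CA/cacert.pem /etc/keystone/ssl/certs/ca.pem
}

# Run the check when invoked as: sh check-certs.sh --run   (e.g. from cron)
if [ "${1:-}" = "--run" ]; then check_openstack_certs; fi
```

A non-zero exit status from `--run` means at least one certificate is expiring or could not be read, which is enough for cron mail or a monitoring wrapper to pick up.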