Hello AJ,

On Mon, 08 Jul 2013 09:25:51 +0200 Andreas Jaeger <aj@suse.com> wrote:
On 07/08/2013 06:59 AM, André Nähring wrote:
Hello,
the current default in keystone to sign tokens is to use PKI. With the shipped version of openssl in SLES11 SP3 this won't work, the subcommand "cms" is missing.
Andre,
Are you sure? I've just checked the package on my SP3 install and I see:
# openssl --help
openssl:Error: '--help' is an invalid command.

Standard commands
asn1parse ca ciphers cms
[...]

And also:
# openssl cms
Usage cms [options] cert.pem ...
where options are
-encrypt encrypt message
Well, this is amazing ;) You are absolutely right. I did something wrong, I really expected to find "cms" in the manpage of openssl. Which gave me no result on SLES but on my local system.

So, the original problem is here:

---
subprocess.CalledProcessError: Command '['openssl', 'ca', '-batch', '-out', '/etc/keystone/ssl/certs/signing_cert.pem', '-config', '/etc/keystone/ssl/certs/openssl.conf', '-days', '3650d', '-cert', '/etc/keystone/ssl/certs/ca.pem', '-keyfile', '/etc/keystone/ssl/certs/cakey.pem', '-infiles', '/etc/keystone/ssl/certs/req.pem']' returned non-zero exit status 1
---

while installing keystone and after some searching, I always got the result 3 when calling the openssl command. And this led me to check the subcommand using the manpage.

So sorry, I expected a manpage to be correct. I'll give it another try with the pki right now and post the results.

Greetings,
André

--
André Naehring
Linux Consultant & Trainer
Mail: naehring@b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
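The thread shows that a manpage is not a reliable indicator of which subcommands the installed openssl binary provides. As an added example (not part of the original e-mails and not keystone's own code), this shell function tests the binary itself with a CMS sign/verify round trip; the function name, file names, CN and payload are assumptions made for the probe.

```shell
#!/bin/sh
# Added example: functional probe for the openssl "cms" subcommand.
# All file names, the CN and the payload are constructed for the probe.

# cms_roundtrip_ok [OPENSSL_BINARY]
# Returns 0 if the binary can CMS-sign a message and verify it again,
# 1 otherwise (binary missing, no "cms" subcommand, or verification failed).
cms_roundtrip_ok() {
    bin=${1:-openssl}
    tmp=$(mktemp -d) || return 1

    if
        # Throwaway self-signed key pair, valid for one day.
        "$bin" req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=cms-probe" \
            -keyout "$tmp/key.pem" -out "$tmp/cert.pem" >/dev/null 2>&1 &&
        printf 'constructed sample payload\n' >"$tmp/msg.txt" &&
        # Sign with the payload embedded (-nodetach), PEM-encoded output.
        "$bin" cms -sign -binary -nodetach \
            -in "$tmp/msg.txt" -signer "$tmp/cert.pem" \
            -inkey "$tmp/key.pem" -outform PEM \
            -out "$tmp/msg.cms" >/dev/null 2>&1 &&
        # Verify against the same certificate and recover the payload.
        "$bin" cms -verify -binary -inform PEM \
            -in "$tmp/msg.cms" -CAfile "$tmp/cert.pem" \
            -out "$tmp/out.txt" >/dev/null 2>&1 &&
        cmp -s "$tmp/msg.txt" "$tmp/out.txt"
    then
        rc=0
    else
        rc=1
    fi

    rm -rf "$tmp"
    return "$rc"
}

# Stand-alone use: report the result for the openssl found in PATH.
if cms_roundtrip_ok; then
    echo "openssl cms: usable"
else
    echo "openssl cms: NOT usable" >&2
fi
```

Passing a path as the first argument probes a specific binary instead of the one found in PATH.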