If an error occurs when the signing key file opens, it is possible that the person who ran the keystone-manage pki_setup command to generate certificates and keys did not use the correct user. When you run the keystone-manage pki_setup command, the Identity Service generates a set of certificates and keys in /etc/keystone/ssl*, which is owned by root:root.

This can present a problem when you use PKI and run the Identity Service daemon under the keystone user account (nologin). Unless you run the chown command to change ownership of the files to keystone:keystone, or run the keystone-manage pki_setup command with the --keystone-user and --keystone-group parameters, you get an error, as follows:
2012-07-31 11:10:53 ERROR [keystone.common.cms] Error opening signing key file /etc/keystone/ssl/private/signing_key.pem
140380567730016:error:0200100D:system library:fopen:Permission denied:bss_file.c:398:fopen('/etc/keystone/ssl/private/signing_key.pem','r')
140380567730016:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load signing key file
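
One way to confirm the cause before changing anything is to list every path under the PKI directory that is not owned by keystone:keystone. This is an added example, not part of the original documentation or of keystone itself; the function name find_misowned is hypothetical, the directory is taken from the log line above, and GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example: audit ownership of the keystone PKI material.
# Assumptions: GNU stat is available; find_misowned is an illustrative
# helper name, not a keystone or OpenStack tool.

# find_misowned DIR USER GROUP
# Prints "owner:group path" for every path under DIR that is not owned
# by USER:GROUP. Returns 0 when everything matches, 1 when at least one
# path differs, 2 when DIR does not exist.
find_misowned() {
    dir=$1 want="$2:$3" bad=0
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }
    # A temp file (not a pipe) keeps 'bad' in the current shell.
    list=$(mktemp) || return 2
    find "$dir" -print > "$list"
    while IFS= read -r path; do
        have=$(stat -c '%U:%G' "$path")
        if [ "$have" != "$want" ]; then
            printf '%s %s\n' "$have" "$path"
            bad=1
        fi
    done < "$list"
    rm -f "$list"
    return "$bad"
}

# Run the audit only where the directory from the error message exists.
SSL_DIR=/etc/keystone/ssl
if [ -d "$SSL_DIR" ]; then
    if find_misowned "$SSL_DIR" keystone keystone; then
        echo "ownership OK: the keystone user owns $SSL_DIR"
    else
        echo "fix with: chown -R keystone:keystone $SSL_DIR"
    fi
fi
```
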