Duplicating upstream bug https://bugs.launchpad.net/python-keystoneclient/+bug/1297280

When keystone is configured to use SSL and its certificates are not signed by a trusted authority, all the keystone client commands return:

    Authorization Failed: SSL exception connecting to https://127.0.0.1:35357/v2.0/tokens

It would be better to instruct the user to pass the "--insecure" command-line option to the keystone command.

I set up my keystone with SSL like this:

1) Uncomment the following lines in keystone.conf:

    [ssl]
    enable = True
    certfile = /etc/keystone/pki/certs/ssl_cert.pem
    keyfile = /etc/keystone/pki/private/ssl_key.pem
    ca_certs = /etc/keystone/pki/certs/cacert.pem
    ca_key = /etc/keystone/pki/private/cakey.pem

2) Run 'keystone-manage ssl_setup --keystone-user keystone --keystone-group keystone' and restart the service

3) Change the endpoints in the SQL table to point to https://...

To get the error, source the following file (change the username and password, and make sure the endpoint correctly points to https://...):

    export OS_USERNAME=admin
    export OS_TENANT_NAME=admin
    export OS_PASSWORD=18ee8218fe2d4e6e
    export OS_AUTH_URL=https://127.0.0.1:35357/v2.0/

Now run:

    keystone user-list

You get:

    Authorization Failed: SSL exception connecting to https://127.0.0.1:35357/v2.0/tokens

You are supposed to run:

    keystone --insecure user-list

It's really hard to tell by this error message what the cause of the problems is. In addition to that, there is nothing in the keystone logs. Please provide a more informative error message, and possibly some logs to indicate what went wrong.
It would be nice if the Keystone CA were added to the system CA list via something like http://fedoraproject.org/wiki/Features/SharedSystemCertificates
Use the --os-cacert <ca-certificate> flag, not --insecure
The original problem was fixed upstream in https://review.openstack.org/#/c/129769/. With that change, keystone will now return a more useful error message in the event that certificate validation fails.
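
Added example, not code from python-keystoneclient or from the upstream change linked above: one way a client can report a certificate validation failure separately from other connection errors and point the user at --os-cacert instead of disabling verification. The function names, the message wording and the probe helper are assumptions made for illustration.

```python
import socket
import ssl


def explain_tls_failure(exc, url, cacert=None):
    """Map a connection exception to a message that names the actual cause."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # verify_message carries OpenSSL's reason, e.g. a self-signed chain.
        reason = getattr(exc, "verify_message", None) or str(exc)
        if cacert:
            hint = "check that %s is the CA that signed the server certificate" % cacert
        else:
            hint = "pass the signing CA with --os-cacert <ca-certificate>"
        return "Certificate verification failed for %s: %s; %s" % (url, reason, hint)
    if isinstance(exc, ssl.SSLError):
        # Any other TLS failure (protocol mismatch, plain HTTP on the port, ...).
        detail = getattr(exc, "reason", None) or exc
        return "TLS handshake with %s failed: %s" % (url, detail)
    if isinstance(exc, OSError):
        return "Cannot reach %s: %s" % (url, exc)
    raise exc


def probe(host, port, cacert=None, timeout=5.0):
    """Attempt a verified TLS handshake and return a one-line diagnosis."""
    # With cafile set, only that CA is trusted; otherwise the system store is used.
    ctx = ssl.create_default_context(cafile=cacert)
    url = "https://%s:%d/" % (host, port)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "OK: %s passed certificate verification" % url
    except OSError as exc:
        return explain_tls_failure(exc, url, cacert)


if __name__ == "__main__":
    # Endpoint and CA path are the ones from the report above.
    print(probe("127.0.0.1", 35357))
    print(probe("127.0.0.1", 35357, cacert="/etc/keystone/pki/certs/cacert.pem"))
```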