If you cannot find the answers you’re looking for within this document,
you can ask questions on the Freenode IRC channel #openstack-barbican
You get a HTTP 401 Unauthorized response even with a valid token
curl -X POST -H "X-Auth-Token: $TOKEN" -H "Content-type: application/json" \
-d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' \
http://localhost:9311/v1/secrets
Expired signing cert on the Barbican server.
Check for an expired Keystone signing certificate on your Barbican server.
Look at the expiration date in /tmp/barbican/cache/signing_cert.pem
. If
it is expired then follow these steps.
- On your Keystone server, verify that signing_cert.pem has the same expiration date as the one on your Barbican machine. You can normally find
signing_cert.pem
on your Keystone server in/etc/keystone/ssl/certs
.- If the cert matches then follow these steps to create a new one
- Delete it from both your Barbican and Keystone servers.
- Edit
/etc/keystone/ssl/certs/index.txt.attr
and set unique_subject to no.- Run
keystone-manage pki_setup
to create a newsigning_cert.pem
- The updated cert will be downloaded to your Barbican server the next time you hit the Barbican API.
- If the cert doesn’t match then delete the
signing_cert.pem
from your Barbican server. Do not delete from Keystone. The cert from Keystone will be downloaded to your machine the next time you hit the Barbican API.
curl -X POST \
-H "Content-type: application/json" -H "X-Auth-Token: $TOKEN" -d \
'{"payload": "my-secret-here", "payload_content_type": "text/plain"}' \
http://myhostname.com/v1/secrets
# Response:
{
"secret_ref": "http://localhost:9311/v1/secrets/UUID_HERE"
}
The default configuration on the response host name is not modified to the endpoint’s host name (typically the load balancer’s DNS name and port).
Change your barbican.conf
file’s host_href
setting from
localhost:9311
to the correct host name (myhostname.com in the example
above).
clang: error: unknown argument: '-mno-fused-madd'
There is a great blog article that provides more details on the error and how to work around it. This link provides more details on the error and how to work around it.
c/_cffi_backend.c:13:10: fatal error: 'ffi.h' file not found
...
ERROR: could not install deps [...]; v = InvocationError('...', 1)
Be sure that xcode and cmd line tools are up to date. Easiest way is to run
xcode-select --install
from an OS X command line. Be sure to say yes when
asked if you want to install the command line tools. Now
ls /usr/include/ffi/ffi.h
should show that missing file exists, and the tox
tests should run.
ImportError: No module named _bsddb
Running tests via tox (which uses testr) will create a .testrepository directory containing, among other things, data files. Those datafiles may be created with bsddb, if it is available in the environment. This can cause problems if you run in an environment that does not have bsddb. To resolve this, delete your .testrepository directory and run tox again.
...
spawned uWSGI master process (pid: 59190)
spawned uWSGI worker 1 (pid: 59191, cores: 1)
spawned uWSGI worker 1 (pid: 59192, cores: 1)
Loading paste environment: config:/etc/barbican/barbican-api-paste.ini
WSGI app 0 (mountpoint='') ready in 0 seconds on interpreter \
0x7fd098c08520 pid: 59191 (default app)
OOPS ! failed loading app in worker 1 (pid 59192) :( trying again...
Respawned uWSGI worker 1 (new pid: 59193)
Loading paste environment: config:/etc/barbican/barbican-api-paste.ini
OOPS ! failed loading app in worker 1 (pid 59193) :( trying again...
worker respawning too fast !!! i have to sleep a bit (2 seconds)...
...
Note
You will not see any useful logs or stack traces with this error!
The vassal (worker) processes are not able to access the datastore.
Check the sql_connection
in your barbican.conf
file, to make sure
that it references a valid reachable database.
...
File ".../oslo_config/cfg.py", line 1275, in register_cli_opt
raise ArgsAlreadyParsedError("cannot register CLI option")
ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option
An attempt to call the olso.config’s register_cli_opt()
function after the
configuration arguments were ‘parsed’ (see the comments and method in
the oslo.config project’s cfg.py file for details.
Instead of calling import barbican.openstack.common.log as logging
to get a
logger, call from barbican.common import config
with this to get a logger
to use in your source file: LOG = config.getLogger(__name__)
.
...
2013-04-14 14:17:56 [FALCON] [ERROR] POST \
/da71dfbc-a959-4ad3-bdab-5ee190ce7515/csrs? => Responder raised \
TypeError: 'NoneType' object has no attribute '__getitem__'
Forgetting to set your non-nullable FKs in entities you create via
XxxxResource
classes.
Don’t forget to set any FKs defined on an entity prior to using the repository to create it.
ImportError: No module named site
¶...
uwsgi socket 0 bound to TCP address :9311 fd 3
Python version: 2.7.3 (...) [...]
Set PythonHome to ./.venv
ImportError: No module named site
Make sure the uWSGI config file at etc/barbican/barbican-api-paste.ini
is
configured correctly (see installation steps above), esp. if the virtualenv
folder is named differently than the .ini
file has.
{
"title": "Malformed JSON"
}
Barbican REST server cannot parse the incoming JSON message from your REST client.
Make sure you are submitting properly formed JSON. For example, are there commas after all but the last name/value pair in a list? Are there quotes around all name/values that are text-based? Are the types of values matching what is expected (i.e. integer and boolean types instead of quoted text)?
If you are using the Advanced REST Client with Chrome, and you tried to upload a file to the secrets PUT call, not only will this fail due to the multi-part format it uses, but it will also try to submit this file for every REST request you make thereafter, causing this error. Close the tab/window with the client, and restart it again.
A stack trace that has this in it (for example):
CryptoMimeTypeNotSupportedException: Crypto Mime Type of 'text/plain' not \
supported
The Barbican plugins are not installed into a place where the Python plugin manager can find them.
Make sure you run the pip install -e .
.
*** has_emperor mode detected (fd: 6) ***
...
!!! UNABLE to load uWSGI plugin: dlopen(./python_plugin.so, 10): image not \
found !!!
...
File "./site-packages/paste/deploy/loadwsgi.py", line 22, in import_string
return pkg_resources.EntryPoint.parse("x=" + s).load(False)
File "./site-packages/distribute-0.6.35-py2.7.egg/pkg_resources.py", line \
2015, in load
entry = __import__(self.module_name, globals(),globals(), ['__name__'])
ImportError: No module named barbican.api.app
...
*** Starting uWSGI 1.9.13 (64bit) on [Fri Jul 5 09:59:29 2013] ***
The Barbican source modules are not found in the Python path of applications such as uwsgi.
Make sure you are running from your virtual env, and that pip was executed
after you activated your virtual environment. This especially includes the
pip install -e
command. Also, it is possible that your virtual env gets
corrupted, so you might need to rebuild it.
...
File "./site-packages/sqlalchemy/engine/strategies.py", line 80, in connect
return dialect.connect(*cargs, **cparams)
File "./site-packages/sqlalchemy/engine/default.py", line 283, in connect
return self.dbapi.connect(*cargs, **cparams)
OperationalError: (OperationalError) unable to open database file None None
[emperor] removed uwsgi instance barbican-api.ini
...
Destination folder for the sqlite database is not found, or is not writable.
Make sure the /var/lib/barbican/
folder exists and is writable by the user
that is running the Barbican API process.
...
2013-08-15 16:55:15.759 2445 DEBUG keystoneclient.middleware.auth_token \
[-] Token validation failure. _validate_user_token \
./site-packages/keystoneclient/middleware/auth_token.py:711
...
2013-08-15 16:55:15.759 2445 TRACE keystoneclient.middleware.auth_token \
raise ValueError("No JSON object could be decoded")
2013-08-15 16:55:15.759 24458 TRACE keystoneclient.middleware.auth_token \
ValueError: No JSON object could be decoded
...
2013-08-15 16:55:15.766 2445 WARNING keystoneclient.middleware.auth_token \
[-] Authorization failed for token ...
2013-08-15 16:55:15.766 2445 INFO keystoneclient.middleware.auth_token \
[-] Invalid user token - rejecting request...
The keystoneclient
middleware component is looking for a cms
command in
openssl
that wasn’t available before version 1.0.1
.
Update openssl.
Secret retrieval issue seen - accept-encoding of 'gzip,deflate,sdch' not \
supported
This might be an issue with the browser you are using, as performing the request via curl doesn’t seem to be affected.
Other than using an command such as curl to make the REST request you may not have many other options.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.