Overview

This guide covers user-facing Key Manager issues. For platform-level issues such as backend connectivity failures or CA plugin errors, see the Admin Troubleshooting guide.

Common Issues

Secret creation returns 403 Forbidden

Cause: The current user’s role does not include the Key Manager creator policy.

Diagnosis:

# Check role assignments
openstack role assignment list --user $OS_USERNAME --project $OS_PROJECT_NAME

Resolution: Verify that your project role assignment includes member or a custom role with Key Manager create permissions. Contact your administrator to assign the appropriate role.

Cause: The secret has an ACL that does not include your user, or the secret belongs to a different project.

Diagnosis:

# Show secret ACL
openstack acl get <secret-href>

# Get your user ID for ACL comparison
openstack token issue -c user_id -f value

Resolution: If your user ID is not listed and project access is disabled, request an ACL modification from the secret owner or an administrator.

Cause: The certificate container is missing the private key reference, the certificate is expired, or the certificate does not match the private key.

Diagnosis:

# Verify container contents
openstack secret container show <container-href>

Confirm that both the certificate and private_key references are present.

# Check certificate expiry
openstack secret get <cert-href> --payload | \
  openssl x509 -noout -dates

# Verify cert/key pair match
diff <(openstack secret get <cert-href> --payload | openssl x509 -noout -modulus | md5sum) \
     <(openstack secret get <key-href> --payload | openssl rsa -noout -modulus | md5sum)

Two caveats on the modulus comparison: it is RSA-only (for an EC key, openssl rsa fails and the pair is reported as mismatched even when it is correct), and if both commands fail (unconfigured CLI, wrong hrefs) each side hashes an empty string and diff reports no difference. Run each modulus command on its own and confirm it prints a value before trusting a match. The <( ) process substitution requires bash.

Resolution:
  • If the container is missing the private key, delete and recreate it with both secrets
  • If the certificate is expired, store a renewed certificate and create a new container
  • If the cert/key pair do not match, verify you are using the correct private key file
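The same cert/key consistency check written to fail closed and to cover EC as well as RSA keys, added here as an example and not part of the Xloud documentation. It assumes openssl is installed on the client and, for the Key Manager wrapper, a configured openstack CLI with the secret hrefs from openstack secret container show:

```sh
#!/bin/sh
# Added example, not Xloud's own tooling. Assumes openssl is installed and,
# for check_pair_from_keymanager, a configured openstack CLI.

# PEM public key embedded in an X.509 certificate; empty output on failure.
cert_pubkey() {
  openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
    openssl pkey -pubin -pubout 2>/dev/null
}

# PEM public key derived from a private key of any supported type (RSA, EC, ...).
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Returns 0 if the pair matches, 1 on mismatch, 2 if an input could not be
# parsed. An empty public key is treated as an error, never as a match.
certkey_match() {
  c=$(cert_pubkey "$1"); k=$(key_pubkey "$2")
  if [ -z "$c" ] || [ -z "$k" ]; then
    echo "certkey_match: cannot read a public key from '$1' or '$2'" >&2
    return 2
  fi
  [ "$c" = "$k" ] && return 0
  echo "certkey_match: certificate and private key do not belong together" >&2
  return 1
}

# Returns 0 if the certificate is still valid DAYS (default 0) days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-0} * 86400 )) >/dev/null 2>&1
}

# Fetch both payloads from Key Manager by secret href and run the checks.
# Usage: check_pair_from_keymanager <cert-href> <key-href>
check_pair_from_keymanager() {
  tmp=$(mktemp -d) || return 2
  trap 'rm -rf "$tmp"' EXIT
  openstack secret get "$1" --payload > "$tmp/cert.pem" || return 2
  openstack secret get "$2" --payload > "$tmp/key.pem"  || return 2
  cert_valid_for_days "$tmp/cert.pem" 30 ||
    echo "warning: certificate expires within 30 days" >&2
  certkey_match "$tmp/cert.pem" "$tmp/key.pem"
}
```

The exit code of check_pair_from_keymanager tells you which of the three causes above applies: 1 means wrong key, 2 means a payload could not be fetched or parsed, and the warning flags an upcoming expiry.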

Cause: The secret was created with an expiration date that has passed. Expired secrets are deleted automatically.

Resolution: Create a new secret with the updated payload. If the secret is referenced by containers or services (e.g., Load Balancer), update each reference to point to the new secret or container.
Set calendar reminders for certificate and key expiration dates. Xloud Key Manager does not send expiration notifications — lifecycle management is the owner’s responsibility.

Cause: The CA plugin is unreachable, the subject DN contains invalid fields, or the requested algorithm is not supported by the configured CA.

Diagnosis:

# Show order error detail
openstack secret order show <order-href>

Review the error_status_code and error_reason fields.

Resolution: Contact your platform administrator to verify the CA plugin configuration and network connectivity. See the Admin Troubleshooting guide for CA plugin diagnostics.

Diagnostic Commands

# List the secrets visible to the current project
openstack secret list

Next Steps

Admin Troubleshooting

Platform-level issues — backend failures, CA plugin errors, ACL propagation

ACL

Review and update access control lists on secrets

Certificates

Renew and replace expired certificates

Store Secrets

Create replacement secrets after expiration