[one-users] econe-server with x509 and econe command

Hyun Woo Kim hyunwoo at fnal.gov
Fri Sep 14 21:40:26 PDT 2012


Hi, 
Please ignore the previous question.
I have more understanding of econe- commands (at the moment I am using econe-upload)
and I am getting a new error.

When I do the following,
econe-upload --url https://example.com:8443 /path/name/image.img
(econe-server is running in the same host, example.com)

I am getting the following error messages,
/usr/lib/ruby/gems/1.8/gems/curb-0.8.1/lib/curl/easy.rb:60:in `perform': Curl::Err::SSLCACertificateError (Curl::Err::SSLCACertificateError)
from /home/onemod/lib/ruby/cloud/econe/EC2QueryClient.rb:166:in `http_post'
from /home/onemod/lib/ruby/cloud/econe/EC2QueryClient.rb:166:in `upload_image'
from /home/onemod/bin/econe-upload:119

My guess is that econe-upload and Curl::Easy try to verify the target (https://example.com)
and for that purpose, they need to know the location of the CA that signed example.com's host certificate.
In example.com, the CA certificate exists.

I even tried the following:
1. modify EC2QueryClient.rb:
  - add connection.ssl_verify_host = 0
    below connection = Curl::Easy.new(@uri.to_s)
    (Curl::Easy has an ssl_verify_host= method)
2. or download cacert.pem from curl.haxx.se and modify EC2QueryClient.rb as
   connection.cacert = File.join("/path/name/", "cacert.pem")

All of these fail.
What is wrong with my econe configuration?
How can I make econe-upload aware of the location of CA certificate?

My general configurations are as follows:

$ONE_LOCATION/etc/auth/x509_auth.conf has
:ca_dir: "/etc/grid-security/certificates"

$ONE_LOCATION/etc/auth/server_x509_auth.conf has
:srv_user: serveradmin
:one_cert: "/etc/grid-security/hostcert.pem"
:one_key: "/etc/grid-security/hostkey.pem"

Thanks in advance
Hyunwoo

________________________________________
From: users-bounces at lists.opennebula.org [users-bounces at lists.opennebula.org] on behalf of Hyun Woo Kim [hyunwoo at fnal.gov]
Sent: Friday, September 14, 2012 5:42 PM
To: Ruben S. Montero
Cc: users at lists.opennebula.org
Subject: Re: [one-users] econe-server with x509 and econe command

Hi,

Thanks very much for the response.

Our econe server is already configured to use SSL proxy.
We are using mod_gridsite.
This module works just fine with sunstone server.

My question can be rephrased as follows.

As you mentioned, HTTP_SSL_CLIENT_CERT is set during SSL handshake.
This I understand.

What I do not understand is, my client which is econe-upload does not specify
my certificate and private key like I use wget --certificate --private-key.
I tried econe-upload --access-key=mycertificate --secret-key=myprivatekey or so.

How can an SSL handshake take place between Apache and econe-upload
when econe-upload does not know my certificate and private key?

Thanks again.
Hyunwoo
________________________________
From: Ruben S. Montero [rsmontero at opennebula.org]
Sent: Friday, September 14, 2012 5:19 PM
To: Hyun Woo Kim
Cc: users at lists.opennebula.org
Subject: Re: [one-users] econe-server with x509 and econe command

Hi

The HTTP_SSL_CLIENT_CERT variable should be set by the Web server as a result of the SSL handshake. The econe server should be configured through an SSL proxy [1]

Cheers

ruben

[1] http://opennebula.org/documentation:rel3.6:ec2qcg#configuring_a_ssl_proxy

On Fri, Sep 14, 2012 at 10:41 PM, Hyun Woo Kim <hyunwoo at fnal.gov> wrote:
Dear developers,

$ONE_LOCATION/etc/econe.conf  has
:auth: x509

I understand this eventually causes
do_auth in $ONE_LOCATION/lib/ruby/cloud/CloudAuth/X509CloudAuth.rb
to be invoked.

This code X509CloudAuth.rb has
        cert_line   = env['HTTP_SSL_CLIENT_CERT']
at the beginning,

but it is empty.

For this test, I am using econe-upload command with the following options
econe-upload -M
--access-key  "my account name"
--secret-key   "the DN of my certificate"
--url https://hostname:8443 (this is our site-specific)
pathname to image file


I think this result (HTTP_SSL_CLIENT_CERT being empty) is natural
because the command econe-upload does not point to my actual certificate.

Could you please clarify on how to use x509 auth with econe?

Thank you in advance.
Hyunwoo



_______________________________________________
Users mailing list
Users at lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org




--
Ruben S. Montero, PhD
Project co-Lead and Chief Architect
OpenNebula - The Open Source Solution for Data Center Virtualization
www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula
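The following is an added example, not code from this thread, from econe-upload or from OpenNebula's X509CloudAuth.rb. It reproduces offline, with Ruby's standard OpenSSL library, the two situations discussed above: the Curl::Err::SSLCACertificateError case from the top message (the client rejects the server certificate because it has not been given the CA that issued it), and the question in the earlier reply of how a handshake can produce HTTP_SSL_CLIENT_CERT when the client presents no certificate (with the proxy requiring client certificates, that handshake fails and the variable is never set). Everything here is constructed: the CA, the host certificate for example.com and the user certificate are generated in memory, the DNs are made up, a Ruby SSLSocket stands in for Apache/mod_gridsite on one side and for curb on the other, and only the first step of X509CloudAuth.rb as quoted in the thread (read the forwarded PEM, take its DN) is mirrored.

```ruby
require 'openssl'
require 'socket'

# Constructed test PKI: one CA, a host certificate for example.com and a
# client certificate. None of these are the poster's real certificates.
def make_key
  OpenSSL::PKey::RSA.new(2048)
end

def make_cert(subject, key, serial, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true)) if ca
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

def build_pki
  ca_key = make_key
  ca = make_cert('/O=Example Grid/CN=Example Grid CA', ca_key, 1, ca: true)
  host_key = make_key
  host = make_cert('/O=Example Grid/CN=example.com', host_key, 2, issuer: ca, issuer_key: ca_key)
  user_key = make_key
  user = make_cert('/O=Example Grid/OU=People/CN=econe user', user_key, 3, issuer: ca, issuer_key: ca_key)
  { ca: ca, host: host, host_key: host_key, user: user, user_key: user_key }
end

# One TLS handshake between an Apache-like server that requires a client
# certificate and an econe-upload-like client. Returns what each side saw.
def handshake(pki, client_trusts_ca:, client_cert:)
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert = pki[:host]
  sctx.key = pki[:host_key]
  sctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(pki[:ca]) }
  # Equivalent of Apache "SSLVerifyClient require": no client cert, no session.
  sctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT

  cctx = OpenSSL::SSL::SSLContext.new
  cctx.verify_mode = OpenSSL::SSL::VERIFY_PEER            # verify the server, as curb does by default
  cstore = OpenSSL::X509::Store.new
  cstore.add_cert(pki[:ca]) if client_trusts_ca           # the CA the client has been told about
  cctx.cert_store = cstore
  if client_cert                                          # the cert/key the client presents
    cctx.cert = pki[:user]
    cctx.key = pki[:user_key]
  end

  listener = TCPServer.new('127.0.0.1', 0)
  result = { server: nil, client: nil }
  server = Thread.new do
    sock = nil
    begin
      sock = listener.accept
      ssl = OpenSSL::SSL::SSLSocket.new(sock, sctx)
      ssl.accept
      # mod_ssl/mod_gridsite export the verified peer cert as SSL_CLIENT_CERT; the
      # proxy forwards it and the Rack app sees env['HTTP_SSL_CLIENT_CERT'].
      result[:server] = { 'HTTP_SSL_CLIENT_CERT' => ssl.peer_cert.to_pem }
    rescue StandardError => e
      result[:server] = { error: e.message }
    ensure
      sock&.close
    end
  end
  tcp = nil
  begin
    tcp = TCPSocket.new('127.0.0.1', listener.addr[1])
    ssl = OpenSSL::SSL::SSLSocket.new(tcp, cctx)
    ssl.connect
    result[:client] = :handshake_ok
    ssl.close rescue nil
  rescue StandardError => e
    result[:client] = e.message
  ensure
    tcp&.close
  end
  server.join(10)
  listener.close
  result
end

# The step quoted from X509CloudAuth.rb: read the forwarded PEM from the Rack
# env and recover the DN (the rest of do_auth is not reproduced here).
def client_dn_from_env(env)
  pem = env['HTTP_SSL_CLIENT_CERT']
  return nil if pem.nil? || pem.empty?
  OpenSSL::X509::Certificate.new(pem).subject.to_s
end

def demo
  pki = build_pki
  {
    untrusted_ca: handshake(pki, client_trusts_ca: false, client_cert: true),
    no_client_cert: handshake(pki, client_trusts_ca: true, client_cert: false),
    ok: handshake(pki, client_trusts_ca: true, client_cert: true)
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each do |name, r|
    puts "#{name}: client=#{r[:client]} server=#{r[:server].inspect[0, 90]}"
  end
end
```

Run with `ruby` and it prints the three outcomes: the untrusted-CA client fails with "certificate verify failed" (the stdlib equivalent of curb's SSLCACertificateError), the client without a certificate makes the server fail with "peer did not return a certificate" so no HTTP_SSL_CLIENT_CERT ever reaches the Rack env, and only the third handshake yields a PEM from which the DN comes back. Mapping this onto curb: the trust store is `Curl::Easy#cacert=` (CURLOPT_CAINFO, a single bundle file, so a directory such as /etc/grid-security/certificates has to be concatenated into one PEM), and the client certificate and key are `cert=` and `cert_key=`. `ssl_verify_host = 0` only switches off hostname matching and leaves the CA check in place, and the Mozilla bundle from curl.haxx.se contains public web CAs, not a site or grid CA.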


