[one-users] econe-server with x509 and econe command
Ruben S. Montero
rsmontero at opennebula.org
Thu Sep 20 02:57:45 PDT 2012
Hi Hyunwoo
Thanks very much for looking into this. I've filed an issue [1] to include
that option as part of the CLI command.
Thanks again for your great feedback
Cheers
Ruben
http://dev.opennebula.org/issues/1485
On Mon, Sep 17, 2012 at 11:23 PM, Hyun Woo Kim <hyunwoo at fnal.gov> wrote:
> Hi,
>
> I found out that modifying EC2QueryClient.rb to add
> connection.ssl_verify_peer = false
> relieves econe-upload of the error message (SSLCACertificateError).
>
> Thanks
> Hyunwoo
>
> On Sep 14, 2012, at 11:40 PM, Hyun Woo Kim wrote:
>
> > Hi,
> > Please ignore the previous question.
> > I have more understanding of econe- commands (at the moment I am using
> econe-upload)
> > and I am getting a new error.
> >
> > When I do the following,
> > econe-upload --url https://example.com:8443 /path/name/image.img
> > (econe-server is running in the same host, example.com)
> >
> > I am getting the following error messages,
> > /usr/lib/ruby/gems/1.8/gems/curb-0.8.1/lib/curl/easy.rb:60:in `perform': Curl::Err::SSLCACertificateError (Curl::Err::SSLCACertificateError)
> > from /home/onemod/lib/ruby/cloud/econe/EC2QueryClient.rb:166:in `http_post'
> > from /home/onemod/lib/ruby/cloud/econe/EC2QueryClient.rb:166:in `upload_image'
> > from /home/onemod/bin/econe-upload:119
> >
> > My guess is that econe-upload and Curl::Easy try to verify the target (https://example.com)
> > and for that purpose they need to know the location of the CA that signed example.com's host certificate.
> > In example.com, the CA certificate exists.
> >
> > I even tried the following:
> > 1. modify EC2QueryClient.rb:
> >    - add connection.ssl_verify_host = 0
> >      below connection = Curl::Easy.new(@uri.to_s)
> >      (Curl::Easy has an ssl_verify_host= method)
> > 2. or download cacert.pem from curl.haxx.se and modify EC2QueryClient.rb as
> >    connection.cacert = File.join("/path/name/", "cacert.pem")
> >
> > All these fail.
> > What is wrong with my econe configuration?
> > How can I make econe-upload aware of the location of the CA certificate?
> >
> > My general configurations are as follows:
> >
> > $ONE_LOCATION/etc/auth/x509_auth.conf has
> > :ca_dir: "/etc/grid-security/certificates"
> >
> > $ONE_LOCATION/etc/auth/server_x509_auth.conf has
> > :srv_user: serveradmin
> > :one_cert: "/etc/grid-security/hostcert.pem"
> > :one_key: "/etc/grid-security/hostkey.pem"
> >
> > Thanks in advance
> > Hyunwoo
> >
> > ________________________________________
> > From: users-bounces at lists.opennebula.org [users-bounces at lists.opennebula.org] on behalf of Hyun Woo Kim [hyunwoo at fnal.gov]
> > Sent: Friday, September 14, 2012 5:42 PM
> > To: Ruben S. Montero
> > Cc: users at lists.opennebula.org
> > Subject: Re: [one-users] econe-server with x509 and econe command
> >
> > Hi,
> >
> > Thanks very much for the response.
> >
> > Our econe server is already configured to use SSL proxy.
> > We are using mod_gridsite.
> > This module works just fine with sunstone server.
> >
> > My question can be rephrased as follows.
> >
> > As you mentioned, HTTP_SSL_CLIENT_CERT is set during SSL handshake.
> > This I understand.
> >
> > What I do not understand is, my client, which is econe-upload, does not specify
> > my certificate and private key the way I do with wget --certificate --private-key.
> > I tried econe-upload --access-key=mycertificate --secret-key=myprivatekey or so.
> >
> > How can an SSL handshake take place between Apache and econe-upload
> > when econe-upload does not know my certificate and private key?
> >
> > Thanks again.
> > Hyunwoo
> > ________________________________
> > From: Ruben S. Montero [rsmontero at opennebula.org]
> > Sent: Friday, September 14, 2012 5:19 PM
> > To: Hyun Woo Kim
> > Cc: users at lists.opennebula.org
> > Subject: Re: [one-users] econe-server with x509 and econe command
> >
> > Hi
> >
> > The HTTP_SSL_CLIENT_CERT variable should be set by the Web server as a result of the SSL handshake.
> > The econe server should be configured through an SSL proxy [1]
> >
> > Cheers
> >
> > ruben
> >
> > [1] http://opennebula.org/documentation:rel3.6:ec2qcg#configuring_a_ssl_proxy
> >
> > On Fri, Sep 14, 2012 at 10:41 PM, Hyun Woo Kim <hyunwoo at fnal.gov> wrote:
> > Dear developers,
> >
> > $ONE_LOCATION/etc/econe.conf has
> > :auth: x509
> >
> > I understand this eventually causes
> > do_auth in $ONE_LOCATION/lib/ruby/cloud/CloudAuth/X509CloudAuth.rb
> > to be invoked.
> >
> > This code X509CloudAuth.rb has
> > cert_line = env['HTTP_SSL_CLIENT_CERT']
> > at the beginning,
> >
> > but, it is empty.
> >
> > For this test, I am using econe-upload command with the following options
> > econe-upload -M
> > --access-key "my account name"
> > --secret-key "the DN of my certificate"
> > --url https://hostname:8443 (this is our site-specific)
> > pathname to image file
> >
> >
> > I think this result (HTTP_SSL_CLIENT_CERT being empty) is natural
> > because the command econe-upload does not point to my actual certificate.
> >
> > Could you please clarify how to use x509 auth with econe?
> >
> > Thank you in advance.
> > Hyunwoo
> >
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opennebula.org
> > http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
> >
> >
> >
> >
> > --
> > Ruben S. Montero, PhD
> > Project co-Lead and Chief Architect
> > OpenNebula - The Open Source Solution for Data Center Virtualization
> > www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula
--
Ruben S. Montero, PhD
Project co-Lead and Chief Architect
OpenNebula - The Open Source Solution for Data Center Virtualization
www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula
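The check that the `connection.cacert` approach in the quoted thread relies on, as an added example that is not code from the thread or from OpenNebula: a constructed site CA signs a host certificate, Ruby's stdlib OpenSSL verifies it against a trust store (what `cacert=` points curb at) and against the expected hostname (what `ssl_verify_host = 0` would skip), and an unrelated self-signed certificate fails the chain check, which is the situation behind the SSLCACertificateError; `ssl_verify_peer = false` would only suppress that failure. The CA, host and subject names are constructed for the example.

```ruby
# Added example (not from the thread or OpenNebula): what Curl's peer and host
# verification actually check, using Ruby's stdlib OpenSSL with constructed certs.
require 'openssl'

# Issue a certificate for `subject`, signed by `issuer` (a [cert, key] pair);
# when issuer is nil the certificate is self-signed. Constructed test data only.
def make_cert(subject, key, issuer: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # X.509 v3, so extensions are honoured
  cert.serial = rand(1..2**63)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The chain check curb performs with ssl_verify_peer on, against the CA bundle
# given via connection.cacert. Returns [ok, reason].
def chains_to_trusted_ca?(host_cert, trusted_ca_certs)
  store = OpenSSL::X509::Store.new
  trusted_ca_certs.each { |c| store.add_cert(c) }
  ok = store.verify(host_cert)
  [ok, ok ? 'ok' : store.error_string]
end

# The hostname check that ssl_verify_host = 0 would disable.
def matches_hostname?(host_cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(host_cert, hostname)
end

# Scenario: the site CA (the kind of CA /etc/grid-security/certificates would
# hold) signs example.com's host certificate; a second, unrelated self-signed
# cert stands in for a server whose CA the client has not been told about.
def demo
  site_ca_key = OpenSSL::PKey::RSA.new(2048)
  site_ca = make_cert('/CN=Site CA', site_ca_key, ca: true)
  host_key = OpenSSL::PKey::RSA.new(2048)
  host_cert = make_cert('/CN=example.com', host_key, issuer: [site_ca, site_ca_key])
  rogue_cert = make_cert('/CN=example.com', OpenSSL::PKey::RSA.new(2048))
  {
    trusted: chains_to_trusted_ca?(host_cert, [site_ca]),
    untrusted: chains_to_trusted_ca?(rogue_cert, [site_ca]),
    hostname_ok: matches_hostname?(host_cert, 'example.com'),
    hostname_bad: matches_hostname?(host_cert, 'other.example.org')
  }
end
```

Running `demo` shows the chain check passing only for the CA-signed certificate and the hostname check failing for a name the certificate does not cover; the `reason` string for the untrusted case is what curb reports as SSLCACertificateError.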