[one-users] econe-server with x509 and econe command

Hyun Woo Kim hyunwoo at fnal.gov
Thu Sep 20 04:56:51 PDT 2012


Hi Ruben,

We are glad we could contribute to OpenNebula.

Thank you.
Hyunwoo
FermiCloud

PS. BTW, the link below (...issues/1485) seems to point to a different thread.

________________________________________
From: Ruben S. Montero [rsmontero at opennebula.org]
Sent: Thursday, September 20, 2012 4:57 AM
To: Hyun Woo Kim
Cc: users at lists.opennebula.org
Subject: Re: [one-users] econe-server with x509 and econe command

Hi Hyunwoo

Thanks very much for looking into this. I've filed an issue [1] to include that option as part of the CLI command.

Thanks again for your great feedback

Cheers

Ruben

http://dev.opennebula.org/issues/1485

On Mon, Sep 17, 2012 at 11:23 PM, Hyun Woo Kim <hyunwoo at fnal.gov> wrote:
Hi,

I found out that modifying EC2QueryClient.rb to add
connection.ssl_verify_peer = false
relieves econe-upload of the error message (SSLCACertificateError).

Thanks
Hyunwoo

On Sep 14, 2012, at 11:40 PM, Hyun Woo Kim wrote:

> Hi,
> Please ignore the previous question.
> I have more understanding of econe- commands (at the moment I am using econe-upload)
> and I am getting a new error.
>
> When I do the following,
> econe-upload --url https://example.com:8443 /path/name/image.img
> (econe-server is running in the same host, example.com)
>
> I am getting the following error messages,
> /usr/lib/ruby/gems/1.8/gems/curb-0.8.1/lib/curl/easy.rb:60:
>    in `perform': Curl::Err::SSLCACertificateError (Curl::Err::SSLCACertificateError)
> from /home/onemod/lib/ruby/cloud/econe/EC2QueryClient.rb:166:in `http_post'
> from /home/onemod/lib/ruby/cloud/econe/EC2QueryClient.rb:166:in `upload_image'
> from /home/onemod/bin/econe-upload:119
>
> My guess is that econe-upload and Curl::Easy try to verify the target (https://example.com)
> and for that purpose, they need to know the location of the CA that signed example.com's host certificate.
> In example.com, the CA certificate exists.
>
> I even tried the following:
> 1. modify EC2QueryClient.rb :
>  - add connection.ssl_verify_host = 0
>    below connection = Curl::Easy.new(@uri.to_s)
>    (Curl::Easy has an ssl_verify_host= method)
> 2. or download cacert.pem from curl.haxx.se and modify EC2QueryClient.rb as
>   connection.cacert = File.join("/path/name/", "cacert.pem")
>
> All these fail.
> What is wrong with my econe configuration?
> How can I make econe-upload aware of the location of CA certificate?
>
> My general configurations are as follows.
>
> $ONE_LOCATION/etc/auth/x509_auth.conf has
> :ca_dir: "/etc/grid-security/certificates"
>
> $ONE_LOCATION/etc/auth/server_x509_auth.conf has
> :srv_user: serveradmin
> :one_cert: "/etc/grid-security/hostcert.pem"
> :one_key: "/etc/grid-security/hostkey.pem"
>
> Thanks in advance
> Hyunwoo
>
> ________________________________________
> From: users-bounces at lists.opennebula.org [users-bounces at lists.opennebula.org] on behalf of Hyun Woo Kim [hyunwoo at fnal.gov]
> Sent: Friday, September 14, 2012 5:42 PM
> To: Ruben S. Montero
> Cc: users at lists.opennebula.org
> Subject: Re: [one-users] econe-server with x509 and econe command
>
> Hi,
>
> Thanks very much for the response.
>
> Our econe server is already configured to use SSL proxy.
> We are using mod_gridsite.
> This module works just fine with sunstone server.
>
> My question can be rephrased as follows.
>
> As you mentioned, HTTP_SSL_CLIENT_CERT is set during SSL handshake.
> This I understand.
>
> What I do not understand is, my client which is econe-upload does not specify
> my certificate and private key like I use wget --certificate --private-key.
> I tried econe-upload --access-key=mycertificate --secret-key=myprivatekey or so.
>
> How can an SSL handshake take place between Apache and econe-upload
> when econe-upload does not know my certificate and private key?
>
> Thanks again.
> Hyunwoo
> ________________________________
> From: Ruben S. Montero [rsmontero at opennebula.org]
> Sent: Friday, September 14, 2012 5:19 PM
> To: Hyun Woo Kim
> Cc: users at lists.opennebula.org
> Subject: Re: [one-users] econe-server with x509 and econe command
>
> Hi
>
> The HTTP_SSL_CLIENT_CERT variable should be set by the Web server as a result of the SSL handshake. The econe server should be configured through an SSL proxy [1].
>
> Cheers
>
> ruben
>
> [1] http://opennebula.org/documentation:rel3.6:ec2qcg#configuring_a_ssl_proxy
>
> On Fri, Sep 14, 2012 at 10:41 PM, Hyun Woo Kim <hyunwoo at fnal.gov> wrote:
> Dear developers,
>
> $ONE_LOCATION/etc/econe.conf  has
> :auth: x509
>
> I understand this eventually causes
> do_auth in $ONE_LOCATION/lib/ruby/cloud/CloudAuth/X509CloudAuth.rb
> to be invoked.
>
> This code X509CloudAuth.rb has
>        cert_line   = env['HTTP_SSL_CLIENT_CERT']
> at the beginning,
>
> but, it is empty.
>
> For this test, I am using econe-upload command with the following options
> econe-upload -M
> --access-key  "my account name"
> --secret-key   "the DN of my certificate"
> --url https://hostname:8443 (this is our site-specific)
> pathname to image file
>
>
> I think this result (HTTP_SSL_CLIENT_CERT being empty) is natural
> because the command econe-upload does not point to my actual certificate.
>
> Could you please clarify on how to use x509 auth with econe?
>
> Thank you in advance.
> Hyunwoo
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>
>
>
>
> --
> Ruben S. Montero, PhD
> Project co-Lead and Chief Architect
> OpenNebula - The Open Source Solution for Data Center Virtualization
> www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula




--
Ruben S. Montero, PhD
Project co-Lead and Chief Architect
OpenNebula - The Open Source Solution for Data Center Virtualization
www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula
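The two workarounds tried in the thread (`connection.ssl_verify_peer = false` and `connection.ssl_verify_host = 0`) each switch off one of the checks that a TLS client performs on the server certificate; the check that actually fixes the `SSLCACertificateError` is pointing `connection.cacert` at the CA that signed the host certificate (the thread's `/etc/grid-security/certificates` CA, not the public curl.haxx.se bundle). The following is an added example, not code from this thread, OpenNebula or the curb gem: it uses Ruby's standard OpenSSL library instead of Curl::Easy, builds a private site CA, a genuine `example.com` certificate signed by it and an impostor `example.com` certificate signed by an unrelated CA (all constructed test data), and runs the chain check and the hostname check separately so the effect of disabling either one is visible.

```ruby
require 'openssl'

# Added example (not from the thread or OpenNebula). All keys, certificates and
# names below are constructed test data generated in memory.

def new_key
  OpenSSL::PKey::RSA.new(2048)
end

# Issue an X.509v3 certificate. With no issuer given, the certificate is self-signed.
def issue_cert(subject, key, serial, issuer_cert: nil, issuer_key: nil, ca: false, dns_name: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{dns_name}")) if dns_name
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Chain check: the part of verification that ssl_verify_peer controls. The store
# plays the role of the file that curl's `cacert` option points at.
def chain_trusted?(host_cert, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |c| store.add_cert(c) }
  store.verify(host_cert)
end

# Name check: the part of verification that ssl_verify_host controls.
def name_matches?(host_cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(host_cert, hostname)
end

def run_demo
  site_ca_key = new_key
  site_ca     = issue_cert('/CN=Site Private CA', site_ca_key, 1, ca: true)
  host_key    = new_key
  host_cert   = issue_cert('/CN=example.com', host_key, 2,
                           issuer_cert: site_ca, issuer_key: site_ca_key, dns_name: 'example.com')

  other_ca_key = new_key
  other_ca     = issue_cert('/CN=Unrelated CA', other_ca_key, 1, ca: true)
  impostor_key = new_key
  impostor     = issue_cert('/CN=example.com', impostor_key, 2,
                            issuer_cert: other_ca, issuer_key: other_ca_key, dns_name: 'example.com')

  {
    # cacert points at the site CA: the genuine host certificate verifies.
    genuine_with_site_ca:   chain_trusted?(host_cert, [site_ca]),    # true
    # cacert points at a bundle without the site CA: the SSLCACertificateError case.
    genuine_with_other_ca:  chain_trusted?(host_cert, [other_ca]),   # false
    # A certificate for the same name from an untrusted CA is rejected; only
    # ssl_verify_peer = false would make a client accept it.
    impostor_with_site_ca:  chain_trusted?(impostor, [site_ca]),     # false
    # Hostname check, which ssl_verify_host = 0 would skip.
    name_ok:                name_matches?(host_cert, 'example.com'),       # true
    name_mismatch:          name_matches?(host_cert, 'other.example.org')  # false
  }
end

if __FILE__ == $0
  run_demo.each { |check, result| puts "#{check}: #{result}" }
end
```

The `genuine_with_other_ca` case is the situation in the thread: a certificate issued by a site-local CA cannot be validated against a public bundle, so the remedy is to supply the local CA to the client (the `cacert` route from the thread, pointed at the local CA rather than curl.haxx.se's bundle) rather than to clear `ssl_verify_peer`, which would also turn the `impostor_with_site_ca` result into an accepted connection.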


