[one-users] econe-server with x509 fails to set HTTP_SSL_CLIENT_CERT

Hyun Woo Kim hyunwoo at fnal.gov
Wed Jan 16 20:38:05 PST 2013


I first set ONE_AUTH to be ~/.one/one_x509 (created from my personal certificate)
and then do,
econe-upload  --url https://myone38sever file.img

This fails with the error message:
econe-upload:
                <Error>
                    <Code>AuthFailure</Code>
                    <Message>Could not create X509 certificate from </Message>
                </Error>


I can find that this message originates from
$ONE_LOCATION/lib/ruby/cloud/CloudAuth/X509CloudAuth.rb
because HTTP_SSL_CLIENT_CERT is not set (see below [1]).

I also confirmed that Apache fails to set it,
which means the client side, the econe-upload command, fails to send the PEM string correctly.

If you look at the "upload_image" method in $ONE_LOCATION/lib/ruby/cloud/econe/EC2QueryClient.rb,
I guess one of the following lines fails:
            str = AWS.canonical_string(params, @uri.host)
            sig = AWS.encode(@access_key_secret, str, false)

            if curb
                …
                post_fields << Curl::PostField.content("Signature",sig)
                post_fields << Curl::PostField.file("file",file_name)

                connection = Curl::Easy.new(@uri.to_s)
                connection.multipart_form_post = true
                connection.ssl_verify_peer = false
                connection.http_post(*post_fields)


Could the OpenNebula developers investigate this?
(I am seeing the same error in both ON3.2 and ON3.8.)

Thanks very much.

Hyunwoo Kim
FermiCloud Project

================================
[1] module X509CloudAuth
    def do_auth(env, params={})
        # For https, the web service should be set to include the user cert in the environment.
        cert_line   = env['HTTP_SSL_CLIENT_CERT']
        cert_line   = nil if cert_line == '(null)' # For Apache mod_ssl
        chain_index = 0

        # Use the https credentials for authentication
        unless cert_line.nil?
            begin
                m      = cert_line.match(/(-+BEGIN CERTIFICATE-+)([^-]*)(-+END CERTIFICATE-+)/)
                cert_s = "#{m[1]}#{m[2].gsub(' ',"\n")}#{m[3]}"
                cert   = OpenSSL::X509::Certificate.new(cert_s)
            rescue
                raise "Could not create X509 certificate from " + cert_line
            end
===================================
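
The following is an added example, not part of the original post and not OpenNebula code. It replays the parsing logic of excerpt [1] against the values HTTP_SSL_CLIENT_CERT can take (nil, '(null)', an empty string, a PEM flattened onto one line) and puts a hypothetical stricter classifier, classify_client_cert, beside it. The certificate is a constructed throwaway, and the helper names are assumptions.

```ruby
require 'openssl'

# Regex copied from the do_auth excerpt in [1].
PEM_RE = /(-+BEGIN CERTIFICATE-+)([^-]*)(-+END CERTIFICATE-+)/

# Mirrors the excerpt: nil when certificate auth is skipped, the certificate
# on success, or the message string the excerpt would raise.
def excerpt_behaviour(cert_line)
  cert_line = nil if cert_line == '(null)'
  return nil if cert_line.nil?
  m = cert_line.match(PEM_RE)
  OpenSSL::X509::Certificate.new("#{m[1]}#{m[2].gsub(' ', "\n")}#{m[3]}")
rescue StandardError
  'Could not create X509 certificate from ' + cert_line
end

# Hypothetical stricter variant: separates "nothing forwarded" from "garbage".
def classify_client_cert(cert_line)
  value = cert_line.to_s.strip
  return [:absent, nil] if value.empty? || value == '(null)'
  m = PEM_RE.match(value)
  return [:malformed, nil] unless m
  [:ok, OpenSSL::X509::Certificate.new("#{m[1]}#{m[2].gsub(' ', "\n")}#{m[3]}")]
rescue OpenSSL::OpenSSLError
  [:malformed, nil]
end

# Constructed sample: a throwaway self-signed certificate, generated locally.
def sample_cert
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=constructed-test-user')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Flatten a PEM onto one line, newlines replaced by spaces, as in a header value.
def flatten(cert)
  cert.to_pem.strip.tr("\n", ' ')
end
```

An empty header value is not nil, so the excerpt's logic reaches the rescue branch and yields the message with nothing after "from".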