[one-users] econe-server with x509 fails to set HTTP_SSL_CLIENT_CERT

Daniel Molina dmolina at opennebula.org
Thu Jan 17 03:06:15 PST 2013


Hi Hyunwoo,

On 17 January 2013 05:38, Hyun Woo Kim <hyunwoo at fnal.gov> wrote:
> I first set ONE_AUTH to be ~/.one/one_x509 (created from my personal
> certificate)
> and then do,
> econe-upload  --url https://myone38sever file.img
>
> This fails with the error message;
> econe-upload:
>                 <Error>
>                     <Code>AuthFailure</Code>
>                     <Message>Could not create X509 certificate from
> </Message>
>                 </Error>
>
>
> I can find that this message originates from
> $ONE_LOCATION/lib/ruby/cloud/CloudAuth/X509CloudAuth.rb
> because HTTP_SSL_CLIENT_CERT is not set(see below [1]).
>
> I also confirmed that Apache also fails to set it
> which means the client side, econe-upload command fails to send PEM string
> correctly,
>
> If you look at "upload_image method"  in
> $ONE_LOCATION/lib/ruby/cloud/econe/EC2QueryClient.rb,
> I guess one of the following lines fails;
>             str = AWS.canonical_string(params, @uri.host)
>             sig = AWS.encode(@access_key_secret, str, false)
>
>             if curb
>                 post_fields << Curl::PostField.content("Signature",sig)
>                 post_fields << Curl::PostField.file("file",file_name)
>
>                 connection = Curl::Easy.new(@uri.to_s)
>                 connection.multipart_form_post = true
>                 connection.ssl_verify_peer = false
>                 connection.http_post(*post_fields)
>
>
> Could Open Nebula developers investigate this?
> (I am seeing the same error in both ON3.2 and ON3.8)
>
> Thanks very much.
>
> Hyunwoo Kim
> FermiCloud Project
>
> ================================
> [1] module X509CloudAuth
>     def do_auth(env, params={})
>         # For https, the web service should be set to include the user cert
> in the environment.
>         cert_line   = env['HTTP_SSL_CLIENT_CERT']
>         cert_line   = nil if cert_line == '(null)' # For Apache mod_ssl
>         chain_index = 0
>
>         # Use the https credentials for authentication
>         unless cert_line.nil?
>             begin
>                 m      = cert_line.match(/(-+BEGIN
> CERTIFICATE-+)([^-]*)(-+END CERTIFICATE-+)/)
>                 cert_s = "#{m[1]}#{m[2].gsub(' ',"\n")}#{m[3]}"
>                 cert   = OpenSSL::X509::Certificate.new(cert_s)
>             rescue
>                 raise "Could not create X509 certificate from " + cert_line
>             end
> ===================================
>

Currently econe tools do not support x509 client certificates. If you
want to use x509 authentication through EC2 you must use curl to
interact with the server. If you use this kind of authentication, the
EC2 Signature method will not be used anymore and you will have to
specify your certificate in the curl command.

For example if you want to list all your running instances:
$ curl "https://myone38sever?Action=DescribeInstances" --cert /path/to/your/client/cert.pem

Please also check that the headers module is enabled in Apache and that
your Apache conf includes the following lines for the econe server:
      RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
      RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
      RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
      RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
      RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"


You may find this guide useful. It shows how to enable x509 auth in Sunstone:
http://wiki.opennebula.org/sunstone_x509

Cheers

PS: Note that econe-upload is not an EC2 API method. We created this
method to be able to upload images to OpenNebula as an alternative to
S3 API.

-- 
Daniel Molina
Project Engineer
OpenNebula - The Open Source Solution for Data Center Virtualization
www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula


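The thread turns on two details: Apache only populates HTTP_SSL_CLIENT_CERT when mod_headers copies SSL_CLIENT_CERT into a request header, and X509CloudAuth#do_auth then has to rebuild a PEM from a value whose newlines mod_ssl has flattened into spaces. The following Ruby is an added example written for this page, not OpenNebula's own code: it generates a throwaway self-signed certificate (constructed sample data), flattens it the way the header value arrives in the Rack env, and reconstructs and parses it with the same regex and "(null)" handling the quoted do_auth uses. The client_verified? helper is an addition of my own and is not part of X509CloudAuth; it assumes the SSL_CLIENT_VERIFY header from Daniel's Apache snippet is present so a service can refuse a certificate Apache did not actually validate.

```ruby
require 'openssl'

# Constructed sample: a throwaway self-signed cert so the example runs
# offline. It is not a real FermiCloud or OpenNebula certificate.
def build_sample_cert
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/DC=org/DC=example/CN=Example User')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# When mod_headers copies SSL_CLIENT_CERT into a request header, the PEM
# newlines are replaced by spaces, so the Rack env holds one long line.
# This mimics that flattening on the constructed sample.
def flatten_like_mod_ssl(pem)
  pem.strip.gsub("\n", ' ')
end

# Rebuild a PEM certificate from the header value the way X509CloudAuth#do_auth
# does: nil when HTTP_SSL_CLIENT_CERT is unset or is Apache's literal "(null)",
# otherwise restore the line breaks inside the base64 body and parse it.
def cert_from_header(cert_line)
  cert_line = nil if cert_line == '(null)'
  return nil if cert_line.nil? || cert_line.empty?

  m = cert_line.match(/(-+BEGIN CERTIFICATE-+)([^-]*)(-+END CERTIFICATE-+)/)
  raise "Could not create X509 certificate from #{cert_line}" if m.nil?

  cert_s = "#{m[1]}#{m[2].gsub(' ', "\n")}#{m[3]}"
  OpenSSL::X509::Certificate.new(cert_s)
rescue OpenSSL::X509::CertificateError
  raise "Could not create X509 certificate from #{cert_line}"
end

# Added defensive check (not in X509CloudAuth): mod_ssl reports the result of
# client-certificate verification in SSL_CLIENT_VERIFY as NONE, SUCCESS,
# GENEROUS or FAILED:<reason>. Only SUCCESS means Apache validated the chain.
def client_verified?(env)
  env['HTTP_SSL_CLIENT_VERIFY'] == 'SUCCESS'
end

# Combine both checks over a Rack-style env, returning the parsed certificate
# or nil when the request should not be treated as x509-authenticated.
def authenticated_cert(env)
  return nil unless client_verified?(env)
  cert_from_header(env['HTTP_SSL_CLIENT_CERT'])
end

if __FILE__ == $PROGRAM_NAME
  original = build_sample_cert
  env = {
    'HTTP_SSL_CLIENT_VERIFY' => 'SUCCESS',
    'HTTP_SSL_CLIENT_CERT'   => flatten_like_mod_ssl(original.to_pem)
  }
  cert = authenticated_cert(env)
  puts "subject: #{cert.subject}"
  puts "round-trip ok: #{cert.to_der == original.to_der}"
end
```

Running it prints the sample subject and confirms the flattened header round-trips to the identical DER certificate; dropping the HTTP_SSL_CLIENT_CERT key, or setting it to "(null)", yields nil, which is the exact condition behind the AuthFailure Hyunwoo reported.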