[one-users] Problem with EC2 interface

gmail brunetti.riccardo at gmail.com
Fri Mar 1 07:58:37 PST 2013


Dear opennebula users.

I'm trying to set up a public cloud using OpenNebula and the EC2 interface.

I configured the server side (/etc/one/econe.conf) using these parameters:

:one_xmlrpc: http://localhost:2633/RPC2
:host: <FQDN-of-the-OpenNebula-instance>
:port: 4567

:ssl_server: https://<FQDN-of-the-OpenNebula-instance>:443/ec2
:auth: x509

The :ssl_server is the URL of a proxy which forwards the requests
according to this apache-ssl configuration:

...
<Location />
      RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
      RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
      RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
      RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
      RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"

      ProxyPass        http://<FQDN-of-the-OpenNebula-instance>:9869/
      ProxyPassReverse  http://<FQDN-of-the-OpenNebula-instance>:9869/
</Location>

<Location /ec2>
      RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
      RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
      RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
      RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
      RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"

      ProxyPass        http://<FQDN-of-the-OpenNebula-instance>:4567/
      ProxyPassReverse  http://<FQDN-of-the-OpenNebula-instance>:4567/
</Location>
...

On the client side I installed the OpenNebula EC2 API (econe....) and
defined the following environment variables:

EC2_URL=https://<FQDN-of-the-OpenNebula-instance>:443/ec2
EC2_ACCESS_KEY=<username-of-a-user>
EC2_SECRET_KEY=<DN-of-the-user-certificate>

The user can log in using his x509 certificate on sunstone, but when I
try to execute the econe-... commands I get the following error:

"econe-describe-images: SSL_connect returned=1 errno=0 state=SSLv3 read
server session ticket A: sslv3 alert handshake failure"

Everything works fine if I use the :auth: ec2 authentication using
username/password and pointing to the econe-server URL without using the
ssl proxy (http://<FQDN-of-the-OpenNebula-instance>:4567/)

Can anybody give me some suggestions?
Thank you very much

Best Regards
Riccardo
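
Added example, not part of the original message and not OpenNebula code: a local Ruby reproduction of one common cause of a TLS "alert handshake failure", a listener that requires a client certificate while the client presents none. The post does not confirm that this is the cause here; the certificates, the names proxy.example and user.example, and the helper names are constructed for the demo.

```ruby
require "openssl"
require "socket"

# Constructed throwaway identity: self-signed cert + key (not from the post).
def self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 32) + 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Hypothetical helper: a trust store holding exactly one certificate.
def trust_only(cert)
  OpenSSL::X509::Store.new.tap { |s| s.add_cert(cert) }
end

# One TLS 1.2 handshake against a local listener that requires a client
# certificate. Returns "ok" or the client-side error text.
def handshake(present_client_cert)
  srv_cert, srv_key = self_signed("proxy.example")
  cli_cert, cli_key = self_signed("user.example")
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert, sctx.key = srv_cert, srv_key
  sctx.max_version = OpenSSL::SSL::TLS1_2_VERSION # alert arrives inside connect
  sctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  sctx.cert_store = trust_only(cli_cert)
  tcp = TCPServer.new("127.0.0.1", 0)
  listener = OpenSSL::SSL::SSLServer.new(tcp, sctx)
  server = Thread.new { begin; listener.accept.close; rescue StandardError; end }
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  cctx.cert_store = trust_only(srv_cert)
  cctx.cert, cctx.key = cli_cert, cli_key if present_client_cert
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", tcp.addr[1]), cctx)
  sock.connect
  sock.close
  "ok"
rescue OpenSSL::SSL::SSLError, SystemCallError => e
  e.message
ensure
  server&.join
  tcp&.close
end
puts "with client cert:    #{handshake(true)}"
puts "without client cert: #{handshake(false)}"
```

The second call fails inside `connect`, the same point at which the econe client reported its error; the exact wording of the message depends on the OpenSSL version.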



