[one-users] Problem with EC2 interface

Daniel Molina dmolina at opennebula.org
Tue Mar 5 02:27:47 PST 2013


Hi,

On 1 March 2013 16:58, gmail <brunetti.riccardo at gmail.com> wrote:
> Dear opennebula users.
>
> I'm trying to set up a public cloud using OpenNebula and the EC2 interface.
>
> I configured the server side (/etc/one/econe.conf) using these parameters:
>
> :one_xmlrpc: http://localhost:2633/RPC2
> :host: <FQDN-of-the-OpenNebula-instance>
> :port: 4567
>
> :ssl_server: https://<FQDN-of-the-OpenNebula-instance>:443/ec2
> :auth: x509
>
> The :ssl_server is the URL of a proxy which forwards the requests
> according to this apache-ssl configuration:
>
> ...
> <Location />
>       RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
>       RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
>       RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
>       RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
>       RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
>
>       ProxyPass        http://<FQDN-of-the-OpenNebula-instance>:9869/
>       ProxyPassReverse  http://<FQDN-of-the-OpenNebula-instance>:9869/
> </Location>
>
> <Location /ec2>
>       RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
>       RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
>       RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
>       RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
>       RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
>
>       ProxyPass        http://<FQDN-of-the-OpenNebula-instance>:4567/
>       ProxyPassReverse  http://<FQDN-of-the-OpenNebula-instance>:4567/
> </Location>
> ...
>
> On client side I installed the OpenNebula EC2 API (econe....) and
> defined the following environment variables:
>
> EC2_URL=https://<FQDN-of-the-OpenNebula-instance>:443/ec2
> EC2_ACCESS_KEY=<username-of-a-user>
> EC2_SECRET_KEY=<DN-of-the-user-certificate>
>
> The user can log in using his x509 certificate on Sunstone, but when I
> try to execute the econe-... commands I get the following error:
>
> "econe-describe-images: SSL_connect returned=1 errno=0 state=SSLv3 read
> server session ticket A: sslv3 alert handshake failure"
>
> Everything works fine if I use the :auth: ec2 authentication using
> username/password and pointing to the econe-server URL without using the
> ssl proxy (http://<FQDN-of-the-OpenNebula-instance>:4567/)
>
> Can anybody give me some suggestions?

Currently, econe commands do not support x509 authentication.

In this thread [1] Hyunwoo faced the same problem; maybe he can share more info.

[1] http://lists.opennebula.org/pipermail/users-opennebula.org/2013-January/021644.html

-- 
Daniel Molina
Project Engineer
OpenNebula - The Open Source Solution for Data Center Virtualization
www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula


