Dear Daniel.<div>Thank you very much for the hint.</div><div>I managed to execute a few commands (describe-instances, run-instance, etc.) using curl as you suggested.</div><div><br></div><div>Best Regards,</div><div>Riccardo<br>
<br><div class="gmail_quote">2013/3/5 Daniel Molina <span dir="ltr"><<a href="mailto:dmolina@opennebula.org" target="_blank">dmolina@opennebula.org</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
<div><div class="h5"><br>
On 1 March 2013 16:58, gmail <<a href="mailto:brunetti.riccardo@gmail.com">brunetti.riccardo@gmail.com</a>> wrote:<br>
> Dear opennebula users.<br>
><br>
> I'm trying to set up a public cloud using OpenNebula and the EC2 interface.<br>
><br>
> I configured the server side (/etc/one/econe.conf) using these parameters:<br>
><br>
> :one_xmlrpc: <a href="http://localhost:2633/RPC2" target="_blank">http://localhost:2633/RPC2</a><br>
> :host: <FQDN-of-the-OpenNebula-instance><br>
> :port: 4567<br>
><br>
> :ssl_server: https://<FQDN-of-the-OpenNebula-instance>:443/ec2<br>
> :auth: x509<br>
><br>
> The :ssl_server is the URL of a proxy which forwards the requests<br>
> according to this apache-ssl configuration:<br>
><br>
> ...<br>
> <Location /><br>
> RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"<br>
> RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"<br>
> RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"<br>
> RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"<br>
> RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"<br>
><br>
> ProxyPass http://<FQDN-of-the-OpenNebula-instance>:9869/<br>
> ProxyPassReverse http://<FQDN-of-the-OpenNebula-instance>:9869/<br>
> </Location><br>
><br>
> <Location /ec2><br>
> RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"<br>
> RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"<br>
> RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"<br>
> RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"<br>
> RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"<br>
><br>
> ProxyPass http://<FQDN-of-the-OpenNebula-instance>:4567/<br>
> ProxyPassReverse http://<FQDN-of-the-OpenNebula-instance>:4567/<br>
> </Location><br>
> ...<br>
><br>
> On the client side I installed the OpenNebula EC2 API (econe....) and<br>
> defined the following environment variables:<br>
><br>
> EC2_URL=https://<FQDN-of-the-OpenNebula-instance>:443/ec2<br>
> EC2_ACCESS_KEY=<username-of-a-user><br>
> EC2_SECRET_KEY=<DN-of-the-user-certificate><br>
><br>
> The user can log in using his x509 certificate on Sunstone, but when I<br>
> try to execute the econe-... commands I get the following error:<br>
><br>
> "econe-describe-images: SSL_connect returned=1 errno=0 state=SSLv3 read<br>
> server session ticket A: sslv3 alert handshake failure"<br>
><br>
> Everything works fine if I use the :auth: ec2 authentication using<br>
> username/password and pointing to the econe-server URL without using the<br>
> ssl proxy (http://<FQDN-of-the-OpenNebula-instance>:4567/)<br>
><br>
> Can anybody give me some suggestions?<br>
<br>
</div></div>Currently, econe commands do not support x509 authentication.<br>
<br>
In this thread [1] Hyunwoo faced the same problem; maybe he can share more info.<br>
<br>
[1] <a href="http://lists.opennebula.org/pipermail/users-opennebula.org/2013-January/021644.html" target="_blank">http://lists.opennebula.org/pipermail/users-opennebula.org/2013-January/021644.html</a><br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Daniel Molina<br>
Project Engineer<br>
OpenNebula - The Open Source Solution for Data Center Virtualization<br>
<a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a> | <a href="mailto:dmolina@opennebula.org">dmolina@opennebula.org</a> | @OpenNebula<br>
</font></span></blockquote></div><br></div>