Re: [openstack-dev] [magnum] k8s api tls_enabled mode testing

Sun, 25 Oct 2015 21:18:07 -0700 

Hi, Eli Qiao

If ca or client certs is wrong, I think client will get error before `client 
hello`.
I tested broken ca cert and client cert in my local environment.
See below logs.

yuanying@devstack:~/temp$ curl https://192.168.19.92:6443 --tlsv1.0 -v  --key 
./client.key --cert ./client.crt --cacert ./ca.crt
* Rebuilt URL to: https://192.168.19.92:6443/
* Hostname was NOT found in DNS cache
*   Trying 192.168.19.92...
* Connected to 192.168.19.92 (192.168.19.92) port 6443 (#0)
* unable to use client certificate (no key found or wrong pass phrase?)
* Closing connection 0
curl: (58) unable to use client certificate (no key found or wrong pass phrase?)



--  
OTSUKA, Motohiro
Sent with Sparrow (http://www.sparrowmailapp.com/?sig)


On Wednesday, October 21, 2015 at 20:34, Qiao, Liyong wrote:

> Hello,
> I need your help on k8s api tls_enabled mode.
> Here’s my patch https://review.openstack.org/232421
>   
> It is always failed on gate, but it works in my setup.
> Debug more I found that the ca cert return api return length with difference:
>   
> On my setup:
> 10.238.157.49 - - [21/Oct/2015 19:16:17] "POST /v1/certificates HTTP/1.1" 201 
> 3360
> …
> 10.238.157.49 - - [21/Oct/2015 19:16:17] "GET 
> /v1/certificates/d4bf6135-a3d0-4980-a785-e3f2900ca315 HTTP/1.1" 200 1357
>   
> On gate:
>   
> 127.0.0.1 - - [21/Oct/2015 10:59:40] "POST /v1/certificates HTTP/1.1" 201 3352
> 127.0.0.1 - - [21/Oct/2015 10:59:40] "GET 
> /v1/certificates/a9aa1bbd-d624-4791-a4b9-e7a076c8bf58 HTTP/1.1" 200 1349
>   
> Misses 8 Bit.
>   
> I also print out the cert file content, but the length of both on gate and my 
> setup are same.
> But failed on gate due to SSL exception.
> Does anyone know what will be the root cause?
>   
>   
>   
> BR, Eli(Li Yong)Qiao
>   
>  
>  
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe 
> (mailto:openstack-dev-requ...@lists.openstack.org?subject:unsubscribe)
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>  
>  



__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Reply via email to