Re: [ovirt-users] ovirt-engine-extension-aaa-ldap-setup > [ ERROR ] Invalid CA certificate: unknown error (_ssl.c:2988)

Yes. You're right. Thank you.

> "Please select method to obtain PEM encoded CA certificate"
>
> File means the PEM file, not the jks file. The jks is created by
> aaa-ldap-setup.

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] ovirt-engine-extension-aaa-ldap-setup > [ ERROR ] Invalid CA certificate: unknown error (_ssl.c:2988)

On 09/27/2016 07:39 PM, aleksey.maksi...@it-kb.ru wrote:
> Hello oVirt gurus!
>
> I want to configure MS Active Directory authentication for the oVirt web UI.
> I configured an External LDAP Provider in accordance with the instructions:
>
> Link #1) https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/sect-Configuring_an_External_LDAP_Provider.html
> Link #2) https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Setting_Up_SSL_or_TLS_Connections_between_the_Manager_and_an_LDAP_Server.html
>
> To support LDAP over TLS I made a file with all root certificates
> (~/AD-LDAP-Files/myrootca_chain.pem). Check file:
>
> $ openssl verify -CAfile ~/AD-LDAP-Files/myrootca_chain.pem ~/AD-LDAP-Files/ldapserver.pem
> /root/AD-LDAP-Files/end.pem: OK
>
> Then I create a JKS (Java Key Store) file (as described in Link #2):
>
> # keytool -importcert -noprompt -trustcacerts -alias myrootcachain -file ~/AD-LDAP-Files/myrootca_chain.pem -keystore /etc/ovirt-engine/aaa/myrootca.jks -storepass changeit
> Certificate was added to keystore
>
> Then I run ovirt-engine-extension-aaa-ldap-setup:
>
> # ovirt-engine-extension-aaa-ldap-setup
> [ INFO ] Stage: Initializing
> [ INFO ] Stage: Environment setup
>          Configuration files: ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
>          Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20160927202843-npv8ru.log
>          Version: otopi-1.5.2 (otopi-1.5.2-1.el7.centos)
> [ INFO ] Stage: Environment packages setup
> [ INFO ] Stage: Programs detection
> [ INFO ] Stage: Environment customization
>          Welcome to LDAP extension configuration program
>          Available LDAP implementations:
>           1 - 389ds
>           2 - 389ds RFC-2307 Schema
>           3 - Active Directory
>           4 - IPA
>           5 - Novell eDirectory RFC-2307 Schema
>           6 - OpenLDAP RFC-2307 Schema
>           7 - OpenLDAP Standard Schema
>           8 - Oracle Unified Directory RFC-2307 Schema
>           9 - RFC-2307 Schema (Generic)
>          10 - RHDS
>          11 - RHDS RFC-2307 Schema
>          12 - iPlanet
>          Please select: 3
>          Please enter Active Directory Forest name: holding.com
> [ INFO ] Resolving Global Catalog SRV record for holding.com
> [ INFO ] Resolving LDAP SRV record for holding.com
>          NOTE:
>          It is highly recommended to use secure protocol to access the LDAP server.
>          Protocol startTLS is the standard recommended method to do so.
>          Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
>          Use plain for test environments only.
>          Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
>          Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): File
>          File path: /etc/ovirt-engine/aaa/myrootca.jks

"Please select method to obtain PEM encoded CA certificate"

File means the PEM file, not the jks file. The jks is created by
aaa-ldap-setup.

> [ ERROR ] Invalid CA certificate: unknown error (_ssl.c:2988)
>          Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure):
>
> In the log /tmp/ovirt-engine-extension-aaa-ldap-setup-20160927202843-npv8ru.log:
>
> ...
> 2016-09-27 20:28:57 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure):
> 2016-09-27 20:29:01 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:RECEIVE File
> 2016-09-27 20:29:01 DEBUG otopi.plugins.otopi.dialog.human human.queryString:145 query OVAAALDAP_LDAP_CACERT_FILE
> 2016-09-27 20:29:01 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND File path:
> 2016-09-27 20:29:10 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:RECEIVE /etc/ovirt-engine/aaa/myrootca.jks
> 2016-09-27 20:29:10 ERROR otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:756 Invalid CA certificate: unknown error (_ssl.c:2988)
> 2016-09-27 20:29:10 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:757 Exception
> Traceback (most recent call last):
>   File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 748, in _customization_late
>     cacert, cacertfile, insecure = self._getCACert()
>   File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 366, in _getCACert
>     error=e,
> SoftRuntimeError: Invalid CA certificate: unknown error (_ssl.c:2988)
>
> Tell me, please, what I am doing wrong.
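The reply above comes down to one distinction: the setup tool's "File" method wants the PEM bundle (the file that was fed to keytool), and the JKS that keytool produced is binary and is rejected by the Python ssl layer with the "unknown error (_ssl.c:...)" seen in the log. The script below is an added example, not code from the oVirt project or from anyone in this thread; it tells those two file types apart before you answer the prompt, so the mistake is caught with a readable message. It assumes a POSIX sh with od and grep, relies on the Java keystore magic bytes FE ED FE ED and the PEM "BEGIN CERTIFICATE" armor, and the function names (ca_file_kind, pem_cert_count, check_ca_file) are this example's own.

```shell
#!/bin/sh
# Added example (not part of oVirt or this thread): classify the file you
# are about to give ovirt-engine-extension-aaa-ldap-setup at the
# "Please select method to obtain PEM encoded CA certificate ... File"
# prompt. The tool wants a PEM bundle; a keytool JKS is refused.

# Print the kind of file: pem, jks, der, empty or unknown. Always returns 0
# so it can be used inside $(...) under "set -e".
ca_file_kind() {
    f="$1"
    if [ ! -s "$f" ]; then
        echo empty
        return 0
    fi
    # A PEM bundle is text holding one or more BEGIN/END CERTIFICATE blocks.
    if grep -q 'BEGIN CERTIFICATE' "$f"; then
        echo pem
        return 0
    fi
    # A Java keystore written by keytool starts with the magic bytes FE ED FE ED.
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    if [ "$magic" = "feedfeed" ]; then
        echo jks
        return 0
    fi
    # A raw DER certificate starts with an ASN.1 SEQUENCE tag (0x30).
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo der
        return 0
    fi
    echo unknown
    return 0
}

# Number of CERTIFICATE blocks in a PEM file; a root plus intermediates
# should give more than one. Prints 0 when there are none.
pem_cert_count() {
    n=$(grep -c 'BEGIN CERTIFICATE' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Succeeds only for a PEM bundle and explains the usual mistakes on stderr.
check_ca_file() {
    f="$1"
    kind=$(ca_file_kind "$f")
    case "$kind" in
        pem)
            echo "$f: PEM bundle with $(pem_cert_count "$f") certificate(s)"
            return 0 ;;
        jks)
            echo "$f: Java keystore, not PEM; give the setup tool the .pem file" \
                 "you imported with keytool, not the keystore" >&2
            return 1 ;;
        der)
            echo "$f: DER, not PEM; convert with:" \
                 "openssl x509 -inform DER -in '$f' -out '$f.pem'" >&2
            return 1 ;;
        empty)
            echo "$f: file is empty or does not exist" >&2
            return 1 ;;
        *)
            echo "$f: no BEGIN CERTIFICATE block found; not a PEM bundle" >&2
            return 1 ;;
    esac
}

# Usage: sh check_ca_file.sh /path/to/myrootca_chain.pem [more files ...]
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do
        check_ca_file "$f" || rc=1
    done
    exit "$rc"
fi
```

Run it on the path you intend to type at the "File path:" prompt; in the thread's case it would flag /etc/ovirt-engine/aaa/myrootca.jks as a keystore and accept ~/AD-LDAP-Files/myrootca_chain.pem. It only checks the container format; whether the chain actually validates the directory server is still the `openssl verify -CAfile ... ldapserver.pem` check the original post already ran.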
[ovirt-users] ovirt-engine-extension-aaa-ldap-setup > [ ERROR ] Invalid CA certificate: unknown error (_ssl.c:2988)

Hello oVirt gurus!

I want to configure MS Active Directory authentication for the oVirt web UI.
I configured an External LDAP Provider in accordance with the instructions:

Link #1) https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/sect-Configuring_an_External_LDAP_Provider.html
Link #2) https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Setting_Up_SSL_or_TLS_Connections_between_the_Manager_and_an_LDAP_Server.html

To support LDAP over TLS I made a file with all root certificates
(~/AD-LDAP-Files/myrootca_chain.pem). Check file:

$ openssl verify -CAfile ~/AD-LDAP-Files/myrootca_chain.pem ~/AD-LDAP-Files/ldapserver.pem
/root/AD-LDAP-Files/end.pem: OK

Then I create a JKS (Java Key Store) file (as described in Link #2):

# keytool -importcert -noprompt -trustcacerts -alias myrootcachain -file ~/AD-LDAP-Files/myrootca_chain.pem -keystore /etc/ovirt-engine/aaa/myrootca.jks -storepass changeit
Certificate was added to keystore

Then I run ovirt-engine-extension-aaa-ldap-setup:

# ovirt-engine-extension-aaa-ldap-setup
[ INFO ] Stage: Initializing
[ INFO ] Stage: Environment setup
         Configuration files: ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
         Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20160927202843-npv8ru.log
         Version: otopi-1.5.2 (otopi-1.5.2-1.el7.centos)
[ INFO ] Stage: Environment packages setup
[ INFO ] Stage: Programs detection
[ INFO ] Stage: Environment customization
         Welcome to LDAP extension configuration program
         Available LDAP implementations:
          1 - 389ds
          2 - 389ds RFC-2307 Schema
          3 - Active Directory
          4 - IPA
          5 - Novell eDirectory RFC-2307 Schema
          6 - OpenLDAP RFC-2307 Schema
          7 - OpenLDAP Standard Schema
          8 - Oracle Unified Directory RFC-2307 Schema
          9 - RFC-2307 Schema (Generic)
         10 - RHDS
         11 - RHDS RFC-2307 Schema
         12 - iPlanet
         Please select: 3
         Please enter Active Directory Forest name: holding.com
[ INFO ] Resolving Global Catalog SRV record for holding.com
[ INFO ] Resolving LDAP SRV record for holding.com
         NOTE:
         It is highly recommended to use secure protocol to access the LDAP server.
         Protocol startTLS is the standard recommended method to do so.
         Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
         Use plain for test environments only.
         Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
         Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): File
         File path: /etc/ovirt-engine/aaa/myrootca.jks
[ ERROR ] Invalid CA certificate: unknown error (_ssl.c:2988)
         Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure):

In the log /tmp/ovirt-engine-extension-aaa-ldap-setup-20160927202843-npv8ru.log:

...
2016-09-27 20:28:57 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure):
2016-09-27 20:29:01 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:RECEIVE File
2016-09-27 20:29:01 DEBUG otopi.plugins.otopi.dialog.human human.queryString:145 query OVAAALDAP_LDAP_CACERT_FILE
2016-09-27 20:29:01 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND File path:
2016-09-27 20:29:10 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:RECEIVE /etc/ovirt-engine/aaa/myrootca.jks
2016-09-27 20:29:10 ERROR otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:756 Invalid CA certificate: unknown error (_ssl.c:2988)
2016-09-27 20:29:10 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:757 Exception
Traceback (most recent call last):
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 748, in _customization_late
    cacert, cacertfile, insecure = self._getCACert()
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 366, in _getCACert
    error=e,
SoftRuntimeError: Invalid CA certificate: unknown error (_ssl.c:2988)

Tell me, please, what I am doing wrong.