Thanks a lot! That did the trick!
It works! THANKS!

-----Original Message-----
To: Georg <[email protected]>;
CC: [email protected];
From: Héctor Sanjuán <[email protected]>
Sent: Mon 21.11.2011 13:04
Subject: Re: AW: [one-users] Problem with Sunstone and x509 Auth

Ah, sorry, I just realized that basically this is the one that you need:

RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"

Can you try adding it as well?

Héctor Sanjuán
OpenNebula Developer

On 21/11/11 12:47, Georg wrote:
> First of all thank you!
>
> I'm afraid the error stays the same.
>
> The config now looks like this:
>
> <VirtualHost *:443>
> DocumentRoot /var/www
> SSLEngine On
> SSLCertificateFile /etc/apache2/sslzert.pem
> SSLVerifyClient require
> SSLVerifyDepth 2
> SSLCACertificateFile /srv/cloud/one/certs/cacert.pem
> SSLOptions +StdEnvVars +ExportCertData
>
> ProxyRequests Off
>
> <Proxy *>
> Order deny,allow
> Allow from all
> </Proxy>
>
> # initialize the special headers to a blank value to avoid http header forgeries
> RequestHeader set SSL_CLIENT_S_DN ""
> RequestHeader set SSL_CLIENT_I_DN ""
> RequestHeader set SSL_SERVER_S_DN_OU ""
> RequestHeader set SSL_CLIENT_VERIFY ""
>
> # add all the SSL_* you need in the internal web application
> RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
> RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
> RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
> RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
>
> ProxyPass /admin/ http://localhost:9869/
> ProxyPassReverse /admin/ http://localhost:9869/
> </VirtualHost>
>
> The certificate DNs are as follows:
>
> the oneadmin dn:
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> e8:62:52:9a:61:bc:d2:a7
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=master
> Validity
> Not Before: Nov 13 08:39:13 2011 GMT
> Not After : Nov 12 08:39:13 2012 GMT
> Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd,
> CN=oneadmin
>
> oneuser output:
>
> ID GROUP NAME
> PASSWORD
> 0 oneadmin oneadmin
> /C=AU/ST=Some-State/O=InternetWidgitsPtyLtd/CN=one
>
> and the full cn from the users table in the mysql backend
>
> <USER><ID>0</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>oneadmin</NAME><PASSWORD>/C=AU/ST=Some-State/O=InternetWidgitsPtyLtd/CN=oneadmin</PASSWORD><ENABLED>1</ENABLED></USER>
>
> -----Original Message-----
> *To:* Georg <[email protected]>;
> *CC:* [email protected];
> *From:* Héctor Sanjuán <[email protected]>
> *Sent:* Mon 21.11.2011 12:35
> *Subject:* Re: [one-users] Problem with Sunstone and x509 Auth
>
> Hello,
>
> It may be that ssl headers are not being forwarded. Try this to set the
> ssl headers on your virtual host file:
>
> ------------------------------------------------
> # initialize the special headers to a blank value to avoid http header forgeries
> RequestHeader set SSL_CLIENT_S_DN ""
> RequestHeader set SSL_CLIENT_I_DN ""
> RequestHeader set SSL_SERVER_S_DN_OU ""
> RequestHeader set SSL_CLIENT_VERIFY ""
>
> # add all the SSL_* you need in the internal web application
> RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
> RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
> RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
> RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
> ---------------------------------------------------
>
> Right before the proxy pass directives:
>
> ProxyPass /admin/ http://localhost:9869/
> ProxyPassReverse /admin/ http://localhost:9869/
>
> Hope it helps and let us know if it works,
>
> Héctor Sanjuán
> OpenNebula Developer
>
> On 21/11/11 12:15, Georg wrote:
> > Hey!
> >
> > I'm trying to get sunstone to work with x509 certificates but fail miserably
> >
> > My configuration looks as follows:
> >
> > OpenNebula Version 3.0.0 compiled from source
> >
> > OpenNebula with passwords works like a charm and also with x509 on the CLI
> >
> > What I'm trying to achieve is logging in from sunstone but I get a
> > "OpenNebula is not running" message.
> >
> > I already searched the newslist a bit and found a more detailed error after
> > using that fix
> > http://www.mail-archive.com/[email protected]/msg04410.html
> >
> > The Error message is:
> >
> > Authentication failed. Username not found in certificate chain
> >
> > I already checked the config for mistakes but because it's working on
> > the CLI I don't think there's anything wrong with the certificates.
> >
> > The sunstone configuration looks as follows:
> >
> > ======================================
> >
> > # OpenNebula server contact information
> > :one_xmlrpc: http://localhost:2633/RPC2
> >
> > # Server Configuration
> > :host: 127.0.0.1
> > :port: 9869
> >
> > #:auth: basic
> > :auth: x509
> >
> > # VNC Configuration
> > :vnc_proxy_base_port: 29876
> > :novnc_path: /srv/cloud/one/share/noVNC
> >
> > ======================================
> >
> > For a secure web connection I use apache as proxy having following config
> >
> > ======================================
> >
> > <VirtualHost *:443>
> > DocumentRoot /var/www
> > SSLEngine On
> > SSLCertificateFile /etc/apache2/sslzert.pem
> > SSLVerifyClient require
> > SSLVerifyDepth 2
> > SSLCACertificateFile /srv/cloud/one/certs/cacert.pem
> > SSLOptions +StdEnvVars +ExportCertData
> >
> > ProxyRequests Off
> >
> > <Proxy *>
> > Order deny,allow
> > Allow from all
> > </Proxy>
> >
> > ProxyPass /admin/ http://localhost:9869/
> > ProxyPassReverse /admin/ http://localhost:9869/
> > </VirtualHost>
> >
> > My assumption is that there's something wrong with the apache/sunstone
> > configuration, but I'm stuck at the moment
> >
> > Any help would be appreciated =)
> >
> > Have a nice Day!
> >
> > Georg
> >
> > _______________________________________________
> > Users mailing list
> > [email protected]
> > http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
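An added example (not part of the original thread and not OpenNebula's own code): a backend-side check in Ruby showing why the forwarded `SSL_CLIENT_CERT` header was the missing piece, and why a blanked or absent header must never resolve to a user. It assumes the proxy delivers the PEM with its line breaks folded to spaces and that the stored value is the subject DN with whitespace removed, as the `oneuser` output in the thread suggests; all helper names are hypothetical.

```ruby
require 'openssl'

# Constructed sample: self-signed cert carrying the subject DN quoted in the thread.
def sample_cert_pem
  key  = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse('/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=oneadmin')
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Assumption: the header carries the PEM with line breaks folded to spaces.
# An empty value (blanked only) or mod_headers' "(null)" means nothing was forwarded.
def cert_from_header(value)
  return nil if value.nil? || value.strip.empty? || value == '(null)'
  body = value.gsub(/-----(BEGIN|END) CERTIFICATE-----/, '').gsub(/\s+/, '')
  return nil if body.empty?
  pem = "-----BEGIN CERTIFICATE-----\n" +
        body.scan(/.{1,64}/).join("\n") +
        "\n-----END CERTIFICATE-----\n"
  OpenSSL::X509::Certificate.new(pem)
rescue OpenSSL::X509::CertificateError
  nil
end

# Hypothetical normalisation: strip whitespace so the DN matches the stored form.
def normalized_dn(cert)
  cert.subject.to_s.gsub(/\s/, '')
end

# Returns the matching user name, or nil when no usable certificate arrived.
def lookup_user(env, users)
  cert = cert_from_header(env['HTTP_SSL_CLIENT_CERT'])
  return nil unless cert
  users.key(normalized_dn(cert))
end

# Constructed user table using the stored value shown in the thread.
USERS = { 'oneadmin' => '/C=AU/ST=Some-State/O=InternetWidgitsPtyLtd/CN=oneadmin' }.freeze
```

The lookup trusts the header only because the proxy overwrites it on every request and the backend listens on 127.0.0.1, as in the configuration above; chain validation stays with Apache's `SSLVerifyClient require`.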
