Hi,

Please ignore the previous question. I have more understanding of econe- commands (at the moment I am using econe-upload) and I am getting a new error.
When I do the following,

    econe-upload --url https://example.com:8443 /path/name/image.img

(econe-server is running in the same host, example.com) I am getting the following error messages,

    /usr/lib/ruby/gems/1.8/gems/curb-0.8.1/lib/curl/easy.rb:60: in `perform': Curl::Err::SSLCACertificateError (Curl::Err::SSLCACertificateError)
        from /home/onemod/lib/ruby/cloud/econe/EC2QueryClient.rb:166:in `http_post'
        from /home/onemod/lib/ruby/cloud/econe/EC2QueryClient.rb:166:in `upload_image'
        from /home/onemod/bin/econe-upload:119

My guess is that econe-upload and Curl::Easy try to verify the target (https://example.com) and, for that purpose, need to know the location of the CA that signed example.com's host certificate. In example.com, the CA certificate exists.

I even tried the following:

1. modify EC2QueryClient.rb:
   - add connection.ssl_verify_host = 0
     below connection = Curl::Easy.new(@uri.to_s)
     (Curl::Easy has an ssl_verify_host= method)
2. or download cacert.pem from curl.haxx.se and modify EC2QueryClient.rb as
   connection.cacert = File.join("/path/name/", "cacert.pem")

All of these fail.

What is wrong with my econe configuration? How can I make econe-upload aware of the location of the CA certificate?

My general configurations are as follows.

$ONE_LOCATION/etc/auth/x509_auth.conf has

    :ca_dir: "/etc/grid-security/certificates"

$ONE_LOCATION/etc/auth/server_x509_auth.conf has

    :srv_user: serveradmin
    :one_cert: "/etc/grid-security/hostcert.pem"
    :one_key: "/etc/grid-security/hostkey.pem"

Thanks in advance
Hyunwoo

________________________________________
From: [email protected] [[email protected]] on behalf of Hyun Woo Kim [[email protected]]
Sent: Friday, September 14, 2012 5:42 PM
To: Ruben S. Montero
Cc: [email protected]
Subject: Re: [one-users] econe-server with x509 and econe command

Hi,

Thanks very much for the response. Our econe server is already configured to use an SSL proxy. We are using mod_gridsite. This module works just fine with the sunstone server.
My question can be rephrased as follows. As you mentioned, HTTP_SSL_CLIENT_CERT is set during the SSL handshake. This I understand. What I do not understand is that my client, which is econe-upload, does not specify my certificate and private key the way I do with wget --certificate --private-key. I tried econe-upload --access-key=mycertificate --secret-key=myprivatekey or so.

How can an SSL handshake take place between Apache and econe-upload when econe-upload does not know my certificate and private key?

Thanks again.
Hyunwoo

________________________________
From: Ruben S. Montero [[email protected]]
Sent: Friday, September 14, 2012 5:19 PM
To: Hyun Woo Kim
Cc: [email protected]
Subject: Re: [one-users] econe-server with x509 and econe command

Hi

The HTTP_SSL_CLIENT_CERT variable should be set by the Web server as a result of the SSL handshake. The econe server should be configured through an SSL proxy [1]

Cheers

ruben

[1] http://opennebula.org/documentation:rel3.6:ec2qcg#configuring_a_ssl_proxy

On Fri, Sep 14, 2012 at 10:41 PM, Hyun Woo Kim <[email protected]> wrote:

> Dear developers,
>
> $ONE_LOCATION/etc/econe.conf has
>
>     :auth: x509
>
> I understand this eventually causes do_auth in $ONE_LOCATION/lib/ruby/cloud/CloudAuth/X509CloudAuth.rb to be invoked.
>
> This code, X509CloudAuth.rb, has
>
>     cert_line = env['HTTP_SSL_CLIENT_CERT']
>
> at the beginning, but it is empty.
>
> For this test, I am using the econe-upload command with the following options
>
>     econe-upload -M --access-key "my account name" --secret-key "the DN of my certificate" --url https://hostname:8443 (this is our site-specific) pathname to image file
>
> I think this result (HTTP_SSL_CLIENT_CERT being empty) is natural because the command econe-upload does not point to my actual certificate.
>
> Could you please clarify how to use x509 auth with econe?
>
> Thank you in advance.
> Hyunwoo
>
> _______________________________________________
> Users mailing list
> [email protected]
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org

--
Ruben S. Montero, PhD
Project co-Lead and Chief Architect
OpenNebula - The Open Source Solution for Data Center Virtualization
www.OpenNebula.org | [email protected] | @OpenNebula
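
An added example, not part of the thread and not OpenNebula code: it reproduces with Ruby's standard OpenSSL library the condition behind a CA-certificate error like the one reported above, using a throwaway PKI built in memory. It treats the chain check and the host-name check separately, as libcurl does, so a trust store that lacks the issuing CA fails the chain check even when the name matches. All subjects, keys and the helper names `make_cert`, `chain_check` and `name_check` are constructed for illustration.

```ruby
require "openssl"

# Build a certificate for a constructed, throwaway test PKI (not real site data).
def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509 v3
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Chain check only: is host_cert signed by a CA present in the trust store?
# Returns [verified?, OpenSSL's error string for the last verification].
def chain_check(trusted_cas, host_cert)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca| store.add_cert(ca) }
  [store.verify(host_cert), store.error_string]
end

# Name check only: does the certificate match the host named in the URL?
def name_check(host_cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(host_cert, hostname)
end

site_key, other_key, host_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
SITE_CA  = make_cert("/DC=org/DC=example/CN=Constructed Site CA", site_key, ca: true)
OTHER_CA = make_cert("/DC=org/DC=example/CN=Constructed Unrelated CA", other_key, ca: true)
HOST     = make_cert("/DC=org/DC=example/CN=example.com", host_key,
                     issuer: SITE_CA, issuer_key: site_key)

puts "empty trust store:    #{chain_check([], HOST).inspect}"
puts "bundle without issuer: #{chain_check([OTHER_CA], HOST).inspect}"
puts "bundle with issuer:    #{chain_check([SITE_CA], HOST).inspect}"
puts "name matches URL host: #{name_check(HOST, 'example.com')}"
```

The chain check succeeds only in the third case, where the store holds the CA that actually signed the host certificate; the name check passes in every case and has no effect on the chain result.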
