Hi Hyunwoo

Thanks very much for looking into this. I've filed an issue [1] to include that option as part of the CLI command.

Thanks again for your great feedback

Cheers

Ruben

[1] http://dev.opennebula.org/issues/1485

On Mon, Sep 17, 2012 at 11:23 PM, Hyun Woo Kim <[email protected]> wrote:

> Hi,
>
> I found out that modifying EC2QueryClient.rb to add
> connection.ssl_verify_peer = false
> relieves econe-upload of the error message (SSLCACertificateError).
>
> Thanks
> Hyunwoo
>
> On Sep 14, 2012, at 11:40 PM, Hyun Woo Kim wrote:
>
> > Hi,
> > Please ignore the previous question.
> > I have more understanding of econe- commands (at the moment I am using econe-upload)
> > and I am getting a new error.
> >
> > When I do the following,
> > econe-upload --url https://example.com:8443 /path/name/image.img
> > (econe-server is running in the same host, example.com)
> >
> > I am getting the following error messages,
> > /usr/lib/ruby/gems/1.8/gems/curb-0.8.1/lib/curl/easy.rb:60:
> > in `perform': Curl::Err::SSLCACertificateError (Curl::Err::SSLCACertificateError)
> > from /home/onemod/lib/ruby/cloud/econe/EC2QueryClient.rb:166:in `http_post'
> > from /home/onemod/lib/ruby/cloud/econe/EC2QueryClient.rb:166:in `upload_image'
> > from /home/onemod/bin/econe-upload:119
> >
> > My guess is that econe-upload and Curl::Easy try to verify the target (https://example.com)
> > and for that purpose, it needs to know the location of the CA that signed example.com's host certificate.
> > In example.com, the CA certificate exists.
> >
> > I even tried the following:
> > 1. modify EC2QueryClient.rb :
> > - add connection.ssl_verify_host = 0
> > below connection = Curl::Easy.new(@uri.to_s)
> > (Curl::Easy has ssl_verify_host= method)
> > 2. or download cacert.pem from curl.haxx.se and modify EC2QueryClient.rb as
> > connection.cacert = File.join("/path/name/", "cacert.pem")
> >
> > All these fail..
> > What is wrong with my econe configuration?
> > How can I make econe-upload aware of the location of the CA certificate?
> >
> > My general configurations are as follows..
> >
> > $ONE_LOCATION/etc/auth/x509_auth.conf has
> > :ca_dir: "/etc/grid-security/certificates"
> >
> > $ONE_LOCATION/etc/auth/server_x509_auth.conf has
> > :srv_user: serveradmin
> > :one_cert: "/etc/grid-security/hostcert.pem"
> > :one_key: "/etc/grid-security/hostkey.pem"
> >
> > Thanks in advance
> > Hyunwoo
> >
> > ________________________________________
> > From: [email protected] [[email protected]] on behalf of Hyun Woo Kim [[email protected]]
> > Sent: Friday, September 14, 2012 5:42 PM
> > To: Ruben S. Montero
> > Cc: [email protected]
> > Subject: Re: [one-users] econe-server with x509 and econe command
> >
> > Hi,
> >
> > Thanks very much for the response.
> >
> > Our econe server is already configured to use SSL proxy.
> > We are using mod_gridsite.
> > This module works just fine with sunstone server.
> >
> > My question can be rephrased as follows.
> >
> > As you mentioned, HTTP_SSL_CLIENT_CERT is set during SSL handshake.
> > This I understand.
> >
> > What I do not understand is, my client which is econe-upload does not specify
> > my certificate and private key like I use wget --certificate --private-key.
> > I tried econe-upload --access-key=mycertificate --secret-key=myprivatekey or so.
> >
> > How can an SSL handshake take place between Apache and econe-upload
> > when econe-upload does not know my certificate and private key?
> >
> > Thanks again.
> > Hyunwoo
> > ________________________________
> > From: Ruben S. Montero [[email protected]]
> > Sent: Friday, September 14, 2012 5:19 PM
> > To: Hyun Woo Kim
> > Cc: [email protected]
> > Subject: Re: [one-users] econe-server with x509 and econe command
> >
> > Hi
> >
> > The HTTP_SSL_CLIENT_CERT variable should be set by the Web server as a result of the SSL handshake. The econe server should be configured through a SSL proxy [1]
> >
> > Cheers
> >
> > ruben
> >
> > [1] http://opennebula.org/documentation:rel3.6:ec2qcg#configuring_a_ssl_proxy
> >
> > On Fri, Sep 14, 2012 at 10:41 PM, Hyun Woo Kim <[email protected]<mailto:[email protected]>> wrote:
> > Dear developers,
> >
> > $ONE_LOCATION/etc/econe.conf has
> > :auth: x509
> >
> > I understand this eventually causes
> > do_auth in $ONE_LOCATION/lib/ruby/cloud/CloudAuth/X509CloudAuth.rb
> > to be invoked.
> >
> > This code X509CloudAuth.rb has
> > cert_line = env['HTTP_SSL_CLIENT_CERT']
> > at the beginning,
> >
> > but, it is empty.
> >
> > For this test, I am using econe-upload command with the following options
> > econe-upload -M
> > --access-key "my account name"
> > --secret-key "the DN of my certificate"
> > --url https://hostname:8443 (this is our site-specific)
> > pathname to image file
> >
> > I think this result (HTTP_SSL_CLIENT_CERT being empty) is natural
> > because the command econe-upload does not point to my actual certificate..
> >
> > Could you please clarify on how to use x509 auth with econe?
> >
> > Thank you in advance.
> > Hyunwoo
> >
> > _______________________________________________
> > Users mailing list
> > [email protected]<mailto:[email protected]>
> > http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
> >
> > --
> > Ruben S. Montero, PhD
> > Project co-Lead and Chief Architect
> > OpenNebula - The Open Source Solution for Data Center Virtualization
> > www.OpenNebula.org<http://www.OpenNebula.org> | [email protected]<mailto:[email protected]> | @OpenNebula
> > _______________________________________________
> > Users mailing list
> > [email protected]
> > http://lists.opennebula.org/listinfo.cgi/users-opennebula.org

--
Ruben S. Montero, PhD
Project co-Lead and Chief Architect
OpenNebula - The Open Source Solution for Data Center Virtualization
www.OpenNebula.org | [email protected] | @OpenNebula
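
The peer check that `connection.ssl_verify_peer = false` switches off in the thread above, as an added example that is not part of the original messages or of OpenNebula's code. It uses Ruby's standard `openssl` library on constructed in-memory certificates; the CA names and the helpers `make_cert`, `verify` and `demo` are hypothetical. It shows the same host certificate failing with no CA configured, passing once the signing CA is trusted, and a certificate for the same name from another CA still being rejected, which is the case a client with verification disabled would accept.

```ruby
require "openssl"

# Issue a certificate for `cn`; a self-signed CA when no issuer is given.
def make_cert(cn, key, issuer = nil, issuer_key = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  constraint = issuer ? "CA:FALSE" : "CA:TRUE"
  cert.add_extension(ef.create_extension("basicConstraints", constraint, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# Verify `cert` against an explicit list of trusted CAs: the decision a TLS
# client makes about the server certificate when peer verification is on.
def verify(cert, trusted)
  store = OpenSSL::X509::Store.new
  trusted.each { |ca| store.add_cert(ca) }
  [store.verify(cert), store.error, store.error_string]
end

# Constructed sample data: two CAs and two certificates for example.com.
def demo
  ca_key, other_key, host_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  grid_ca  = make_cert("Constructed Grid CA", ca_key)
  other_ca = make_cert("Constructed Other CA", other_key)
  host     = make_cert("example.com", host_key, grid_ca, ca_key)
  imposter = make_cert("example.com", host_key, other_ca, other_key)
  {
    no_ca_configured: verify(host, []),          # issuer unknown to the client
    ca_configured:    verify(host, [grid_ca]),   # signing CA is trusted
    imposter_with_ca: verify(imposter, [grid_ca]) # same name, untrusted issuer
  }
end

demo.each { |name, (ok, code, msg)| puts "#{name}: ok=#{ok} (#{code}: #{msg})" }
```
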
