On 17 January 2013 12:23, Hyun Woo Kim <[email protected]> wrote:
> Hi Daniel,
>
> Thanks very much for your message.
>> $ curl "https://myone38sever?Action=DescribeInstances" --cert cert.pem
> I see. So, for each of 6 (on3.2) or 21 (one.3.8) econe commands, we will have
> to set proper action
> to Action= in the curl..

Note that you will have to define more parameters, for example if you want to use the attach_volume method [1] you have to define the VolumeId, InstanceId and Device params:

$ curl "https://myone38sever?Action=AttachVolume&VolumeId=...." --cert cert.pem

Maybe you can modify the AWS::EC2::Base class to include the client certificate in the request, or monkey patch it to use curl to connect to the server.

[1] Ruby
    def attach_volume(volume, instance, device)
        begin
            response = @ec2_connection.attach_volume(
                :volume_id => volume,
                :instance_id => instance,
                :device => device
            )
        rescue Exception => e
            error = CloudClient::Error.new(e.message)
            return error
        end

        return response
    end

>
>> Please, also check that the headers module is enabled in Apache and
>> your apache conf includes the following lines for the econe server:
> We have been using Apache and GridSite for a while in order to
> enable use of certificates on the client site.
>
> Thanks again.
> Hyunwoo
> FermiCloud Project
>
>
> ________________________________________
> From: Daniel Molina [[email protected]]
> Sent: Thursday, January 17, 2013 5:06 AM
> To: Hyun Woo Kim
> Cc: [email protected]
> Subject: Re: [one-users] econe-server with x509 fails to set HTTP_SSL_CLIENT_CERT
>
> Hi Hyunwoo,
>
> On 17 January 2013 05:38, Hyun Woo Kim <[email protected]> wrote:
>> I first set ONE_AUTH to be ~/.one/one_x509 (created from my personal
>> certificate)
>> and then do,
>> econe-upload --url https://myone38sever file.img
>>
>> This fails with the error message;
>> econe-upload:
>> <Error>
>> <Code>AuthFailure</Code>
>> <Message>Could not create X509 certificate from
>> </Message>
>> </Error>
>>
>>
>> I can find that this message originates from
>> $ONE_LOCATION/lib/ruby/cloud/CloudAuth/X509CloudAuth.rb
>> because HTTP_SSL_CLIENT_CERT is not set (see below [1]).
>>
>> I also confirmed that Apache also fails to set it
>> which means the client side, econe-upload command fails to send PEM string
>> correctly,
>>
>> If you look at "upload_image method" in
>> $ONE_LOCATION/lib/ruby/cloud/econe/EC2QueryClient.rb,
>> I guess one of the following lines fails;
>>     str = AWS.canonical_string(params, @uri.host)
>>     sig = AWS.encode(@access_key_secret, str, false)
>>
>>     if curb
>>         …
>>         post_fields << Curl::PostField.content("Signature",sig)
>>         post_fields << Curl::PostField.file("file",file_name)
>>
>>         connection = Curl::Easy.new(@uri.to_s)
>>         connection.multipart_form_post = true
>>         connection.ssl_verify_peer = false
>>         connection.http_post(*post_fields)
>>
>>
>> Could OpenNebula developers investigate this?
>> (I am seeing the same error in both ON3.2 and ON3.8)
>>
>> Thanks very much.
>>
>> Hyunwoo Kim
>> FermiCloud Project
>>
>> ================================
>> [1] module X509CloudAuth
>>     def do_auth(env, params={})
>>         # For https, the web service should be set to include the user cert
>>         # in the environment.
>>         cert_line = env['HTTP_SSL_CLIENT_CERT']
>>         cert_line = nil if cert_line == '(null)' # For Apache mod_ssl
>>         chain_index = 0
>>
>>         # Use the https credentials for authentication
>>         unless cert_line.nil?
>>             begin
>>                 m = cert_line.match(/(-+BEGIN CERTIFICATE-+)([^-]*)(-+END CERTIFICATE-+)/)
>>                 cert_s = "#{m[1]}#{m[2].gsub(' ',"\n")}#{m[3]}"
>>                 cert = OpenSSL::X509::Certificate.new(cert_s)
>>             rescue
>>                 raise "Could not create X509 certificate from " + cert_line
>>             end
>> ===================================
>>
>
> Currently econe tools do not support x509 client certificates. If you
> want to use x509 authentication through EC2 you must use curl to
> interact with the server. If you use this kind of authentication, the
> EC2 Signature method will not be used anymore and you will have to
> specify your certificate in the curl command.
>
> For example if you want to list all your running instances:
> $ curl "https://myone38sever?Action=DescribeInstances" --cert /path/to/your/client/cert.pem
>
> Please, also check that the headers module is enabled in Apache and
> your apache conf includes the following lines for the econe server:
> RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
> RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
> RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
> RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
> RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
>
>
> You may find this guide useful. It shows how to enable x509 auth in Sunstone:
> http://wiki.opennebula.org/sunstone_x509
>
> Cheers
>
> PS: Note that econe-upload is not an EC2 API method. We created this
> method to be able to upload images to OpenNebula as an alternative to
> S3 API.
>
> --
> Daniel Molina
> Project Engineer
> OpenNebula - The Open Source Solution for Data Center Virtualization
> www.OpenNebula.org | [email protected] | @OpenNebula

--
Daniel Molina
Project Engineer
OpenNebula - The Open Source Solution for Data Center Virtualization
www.OpenNebula.org | [email protected] | @OpenNebula
_______________________________________________
Users mailing list
[email protected]
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
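The thread above turns on one detail: Apache's `RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"` line forwards the client's PEM certificate in an HTTP header, so the newlines inside the PEM arrive as spaces and the Rack-side code has to rebuild them (the `gsub(' ', "\n")` in the quoted X509CloudAuth excerpt) before OpenSSL can parse the certificate; when the header is absent or mod_ssl exports the literal string `(null)`, the parse fails with exactly the "Could not create X509 certificate from" error Hyunwoo saw. The following is an added, self-contained Ruby example written for this page, not OpenNebula's own code: it generates a throwaway self-signed certificate, simulates the header flattening Apache performs, and then authenticates a Rack-style `env` the way the econe server must, handling the empty and `(null)` cases and also checking the forwarded `SSL_CLIENT_VERIFY` value, because the presence of a certificate header by itself does not tell the application whether Apache actually validated the certificate. The module name `ClientCertAuth`, the helper names and the certificate subject `/CN=alice` are all assumptions made for the example.

```ruby
require 'openssl'

# Constructed example, not OpenNebula code: rebuild and validate the X509
# certificate that Apache mod_ssl forwards to a Rack application as the
# HTTP_SSL_CLIENT_CERT header (Rack turns "SSL-Client-Cert" into that key).
module ClientCertAuth
  # Same marker-based pattern the X509CloudAuth excerpt in the thread uses:
  # base64 never contains '-', so [^-]* captures exactly the certificate body.
  PEM_RE = /(-+BEGIN CERTIFICATE-+)([^-]*)(-+END CERTIFICATE-+)/

  # Throwaway self-signed certificate so the example runs offline. In a real
  # deployment the client certificate is issued by a CA that Apache trusts.
  def self.make_self_signed(cn)
    key  = OpenSSL::PKey::RSA.new(2048)
    cert = OpenSSL::X509::Certificate.new
    cert.version    = 2
    cert.serial     = 1
    cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
    cert.issuer     = cert.subject
    cert.public_key = key.public_key
    cert.not_before = Time.now - 60
    cert.not_after  = Time.now + 3600
    cert.sign(key, OpenSSL::Digest::SHA256.new)
    cert
  end

  # A header value cannot carry newlines, so the PEM reaches the application
  # with every newline replaced by a space. This simulates that transformation.
  def self.flatten_for_header(pem)
    pem.strip.gsub("\n", ' ')
  end

  # Reverse the flattening: keep the BEGIN/END markers, restore the newlines in
  # the base64 body, and let OpenSSL parse the result. Returns nil when the
  # header is missing, is the literal "(null)" mod_ssl emits for no certificate,
  # or does not contain a parseable certificate.
  def self.cert_from_header(value)
    return nil if value.nil? || value.empty? || value == '(null)'
    m = value.match(PEM_RE)
    return nil unless m
    cert_s = "#{m[1]}#{m[2].gsub(' ', "\n")}#{m[3]}"
    OpenSSL::X509::Certificate.new(cert_s)
  rescue OpenSSL::X509::CertificateError
    nil
  end

  # Authenticate a Rack-style env hash. Returns the subject DN on success and
  # raises otherwise. SSL_CLIENT_VERIFY is checked first: Apache can forward a
  # certificate it did not validate, so only "SUCCESS" means the chain checked
  # out against the CA bundle configured on the web server.
  def self.authenticate(env)
    unless env['HTTP_SSL_CLIENT_VERIFY'] == 'SUCCESS'
      raise 'client certificate not verified by Apache'
    end
    cert = cert_from_header(env['HTTP_SSL_CLIENT_CERT'])
    raise 'Could not create X509 certificate from HTTP_SSL_CLIENT_CERT' if cert.nil?
    cert.subject.to_s
  end
end

if __FILE__ == $0
  cert = ClientCertAuth.make_self_signed('alice')
  env  = { 'HTTP_SSL_CLIENT_VERIFY' => 'SUCCESS',
           'HTTP_SSL_CLIENT_CERT'   => ClientCertAuth.flatten_for_header(cert.to_pem) }
  puts "authenticated as #{ClientCertAuth.authenticate(env)}"
  puts "missing header -> #{ClientCertAuth.cert_from_header('(null)').inspect}"
end
```

Running the file end to end shows the round trip (newline PEM, space-flattened header, parsed certificate) succeeding, and `cert_from_header('(null)')` returning `nil` rather than raising, which is the case that produced the empty "Could not create X509 certificate from" message in the thread when the Apache `RequestHeader` lines were not in place.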
