I would like to mix the authentication methods on Sunstone.

I created an X509 user[1] and the one* CLI are working with it.

According to the documentation[2], I need to switch Sunstone to “x509”,
but I thought that using “:auth: opennebula” permit to use whatever is
configured for the user.

I first try as explained in the documentation:

- set “:auth: x509” in sunstone

- install user certificate authority to “/etc/one/auth/certificates/”

- configure my nginx as describe in attachement

- install the user x509 certificate on my iceweasel 35.0.1 browser

When I access Sunstone, my browser ask me to choose my certificate but I
finish on login page with only a “Login” button plus the “Keep me logged
in” checkbox.

I should have miss some headers to add to my Requests.

Any hints?




Daniel Dehennin
Récupérer ma clef GPG: gpg --recv-keys 0xCC1E9E5B7A6FE2DF
Fingerprint: 3E69 014E 5C23 50E8 9ED6  2AAD CC1E 9E5B 7A6F E2DF

# Opennebula Sunstone
upstream sunstone {

upstream onerpc {

# Port 80 redirected to SSL
server {
        listen         80;
        server_name    nebula.example.net;

        location / {
                return 301 https://$host$request_uri?;

# SSL reverse-proxy
server {
        listen 443 default_server;
        listen [::]:443 default_server ipv6only=on;

        ssl on;
        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;
        ssl_client_certificate /etc/nginx/ssl/ca.crt;
        ssl_verify_client optional;

        root /usr/share/nginx/html;
        index index.html index.htm;

        server_name nebula.example.net;

        access_log  /var/log/nginx/opennebula-sunstone-access.log;
        error_log  /var/log/nginx/opennebula-sunstone-error.log;

        client_max_body_size 5G;

        location / {
                try_files $uri @sunstone;

        location /RPC2 {
                include proxy_params;
                proxy_pass http://onerpc;

        location @sunstone {
                include proxy_params;
                proxy_set_header SSL_CLIENT_S_DN $ssl_client_s_dn;
                proxy_set_header SSL_CLIENT_I_DN $ssl_client_i_dn;
                proxy_set_header SSH_CLIENT_VERIFY $ssl_client_verify;
                proxy_set_header SSH_CLIENT_CERT $ssl_client_cert;
                include ssl_parms;
                proxy_pass http://sunstone;

Attachment: signature.asc
Description: PGP signature

Users mailing list

Reply via email to