Re: [Users] Specifying values for cert, key, and CA for ovirt-shell

Wed, 08 Jan 2014 13:22:50 -0800 

Bob Doolittle wrote:


On 01/08/2014 02:31 PM, Joop wrote:

Bob Doolittle wrote:


On 01/08/2014 02:17 PM, Joop wrote:

Bob Doolittle wrote:

Hi,


I want to run ovirt-shell directly (as root) on the Engine. 
Presumably all the files I need for CA, key, and cert are in the 
/etc/pki area.


But when I use the attached .ovirtshellrc file I get:


error: [Errno 336265218] _ssl.c:341: error:140B0002:SSL 
routines:SSL_CTX_use_PrivateKey_file:system lib


How can I specify an appropriate configuration to get this working?
I would prefer to keep using SSL if possible.

Just guessing but I don't think that your fqdn is localhost in your 
certs. Use your fqdn for the url variable.


Good thought. But now I am getting:


error: [Errno 336265225] _ssl.c:341: error:140B0009:SSL 
routines:SSL_CTX_use_PrivateKey_file:PEM lib



Some searching indicates that my keys and certs need to be in pem 
format, so maybe I have to convert them before use? Any tips on how 
to do that?



What happens if you leave out the ca_file/key_file/cert_file variables?

I just played around with ovirt-shell and made a .ovirtshellrc file, 
on the engine, and don't remember setting these and I could login and 
run scripts
Can't access my test environment right now so this is also a shot in 
the dark.


That's what I tried first. I get:

error: server CA certificate file must be specified for SSL secured 
connection.


And if I don't specify https I get:
error: No response returned from server. If you're using HTTP protocol
against a SSL secured server, then try using HTTPS instead.


OK. Here is what I did:
On ovirt-engine: wget https://engine_fqdn/ca.crt --no-check-certificate
and used the following .ovirtshellrc

[cli]
autoconnect = True
autopage = True
[ovirt-shell]
username = admin@internal
timeout = -1
extended_prompt = False
url = https://engine_fqdn/api
insecure = False
filter = False
session_timeout = -1
ca_file = /root/ca.crt
dont_validate_cert_chain = False
key_file = None
password = ******
cert_file = None

Then I can do ovirt-shell and get a prompt that I'm connected.

Notice I only filled in ca_file and NOT key_file/cert_file. Setting 
insecure=True will also work and then you won't need ca.crt


Joop




_______________________________________________
Users mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/users






















					Reply via email to