On Fri, 16 Mar 2018 17:46:36 +0200
Kapetanakis Giannis <bil...@edu.physics.uoc.gr> wrote:

> On 16/03/18 17:40, Kapetanakis Giannis wrote:
> > On 16/03/18 15:21, Dominik Holler wrote:  
> >> On Fri, 16 Mar 2018 12:46:13 +0200
> >> Kapetanakis Giannis <bil...@edu.physics.uoc.gr> wrote:
> >>  
> >>> Hi,
> >>>
> >>> After upgrading to 4.2.1 I have problems with ovn provider.
> >>> I'm getting "Failed to synchronize networks of Provider
> >>> ovirt-provider-ovn."
> >>>
> >>> I use custom SSL certificate in apache and I guess this is the
> >>> reason.
> >>>
> >>> I've tried to update ovirt-provider-ovn.conf with
> >>> [OVIRT]
> >>> #ovirt-ca-file=/etc/pki/ovirt-engine/ca.pem
> >>> ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem
> >>>
> >>> but still no go  
> >   
> >>
> >> Would you share the lines in engine.log produced by clicking the
> >> "Test" button in the "Edit Provider" dialog?
> >> On Clicking the test button, are you asked about "Import provider
> >> certificate"?  
> 
> SORRY wrong provider.
> 
> It asks for the cert.
> Failed to communicate with the external provider, see log for
> additional details.
> 
> 2018-03-16 17:44:08,262+02 INFO
> [org.ovirt.engine.core.bll.provider.ImportProviderCertificateCommand]
> (default task-52) [4731d25d-fce3-4408-99ea-8f9d1b5ee5b6] Running
> command: ImportProviderCertificateCommand internal: false. Entities
> affected :  ID: aaa00000-0000-0000-0000-123456789aaa Type:
> SystemAction group CREATE_STORAGE_POOL with role type ADMIN
> 2018-03-16 17:44:08,275+02 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (default task-52) [4731d25d-fce3-4408-99ea-8f9d1b5ee5b6] EVENT_ID:
> PROVIDER_CERTIFICATE_IMPORTED(213), Certificate for provider
> ovirt-provider-ovn was imported. (User: admin@internal) 2018-03-16
> 17:44:08,302+02 INFO
> [org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand]
> (default task-44) [f4b2c57b-60c7-4ef9-a59f-0c5b22fa0356] Running
> command: TestProviderConnectivityCommand internal: false. Entities
> affected :  ID: aaa00000-0000-0000-0000-123456789aaa Type:
> SystemAction group CREATE_STORAGE_POOL with role type ADMIN
> 2018-03-16 17:44:08,360+02 ERROR
> [org.ovirt.engine.core.bll.provider.network.openstack.BaseNetworkProviderProxy]
> (default task-44) [f4b2c57b-60c7-4ef9-a59f-0c5b22fa0356] Bad Gateway
> (OpenStack response error code: 502) 2018-03-16 17:44:08,360+02 ERROR
> [org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand]
> (default task-44) [f4b2c57b-60c7-4ef9-a59f-0c5b22fa0356] Command
> 'org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand'
> failed: EngineException: (Failed with error PROVIDER_FAILURE and code
> 5050)
> 
> and in provider log:
> 
> 2018-03-16 17:45:33,961 requests.packages.urllib3.connectionpool
> Starting new HTTPS connection (1): engine-host 2018-03-16
> 17:45:33,961 requests.packages.urllib3.connectionpool Starting new
> HTTPS connection (1): engine-host 2018-03-16 17:45:33,966 root [SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
> Traceback (most recent call last): File
> "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 131,
> in _handle_request method, path_parts, content) File
> "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line
> 175, in handle_request return self.call_response_handler(handler,
> content, parameters) File
> "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line 33, in
> call_response_handler return response_handler(content, parameters)
> File "/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py",
> line 62, in post_tokens user_password=user_password) File
> "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line 26, in
> create_token return auth.core.plugin.create_token(user_at_domain,
> user_password) File
> "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/plugin.py", line
> 48, in create_token timeout=self._timeout()) File
> "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 75,
> in create_token username, password, engine_url, ca_file, timeout)
> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line
> 91, in _get_sso_token timeout=timeout File
> "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 54,
> in wrapper response = func(*args, **kwargs) File
> "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 47,
> in wrapper raise BadGateway(e) BadGateway: [SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
> 

Thanks. Yes, the ovirt-provider-ovn refuses to connect to ovirt-engine
for authentication because ovirt-provider-ovn does not trust the
ssl-certificate and propagates this as the BadGateway error.

Please not that engine-setup creates the file
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
which overwrites the default values from
/etc/ovirt-provider-ovn/ovirt-provider-ovn.conf

If you want to check if the referenced
/etc/pki/ovirt-engine/apache-ca.pem is correct, you can use the
following python snippet:

import requests
response = requests.get('https://ENGINE_FQDN/',
verify='/etc/pki/ovirt-engine/apache-ca.pem')
assert response.status_code == 200

Does this help to solve the issue?

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Reply via email to