Something strange is happening.

The changes I made: I changed the Engine SSL certificate using this manual:
https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html

I didn't check how OVN worked before the changes. Of course I modified
'/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf' because I
changed the engine certificate.

What I see today:

2019-10-02 13:02:47,854 root From: ::ffff:172.19.0.10:60482 Request: GET /v2.0/
2019-10-02 13:02:47,854 root [('SSL routines', 'ssl3_get_server_certificate', 
'certificate verify failed')]
Traceback (most recent call last):
  File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 138, in 
_handle_request
    method, path_parts, content
  File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line 175, 
in handle_request
    return self.call_response_handler(handler, content, parameters)
  File "/usr/share/ovirt-provider-ovn/handlers/neutron.py", line 35, in 
call_response_handler
    with NeutronApi() as ovn_north:
  File "/usr/share/ovirt-provider-ovn/neutron/neutron_api.py", line 77, in 
__init__
    self.ovsidl, self.idl = ovn_connection.connect()
  File "/usr/share/ovirt-provider-ovn/ovn_connection.py", line 43, in connect
    ovnconst.OVN_NORTHBOUND
  File 
"/usr/lib/python2.7/site-packages/ovsdbapp/backend/ovs_idl/connection.py", line 
127, in from_server
    helper = idlutils.get_schema_helper(connection_string, schema_name)
  File "/usr/lib/python2.7/site-packages/ovsdbapp/backend/ovs_idl/idlutils.py", 
line 118, in get_schema_helper
    stream.Stream.open(connection))
  File "/usr/lib64/python2.7/site-packages/ovs/stream.py", line 226, in 
open_block
    error = stream.connect()
  File "/usr/lib64/python2.7/site-packages/ovs/stream.py", line 802, in connect
    self.socket.do_handshake()
  File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1716, in 
do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1456, in 
_raise_ssl_error
    _raise_current_error()
  File "/usr/lib/python2.7/site-packages/OpenSSL/_util.py", line 54, in 
exception_from_error_queue
    raise exception_type(errors)
Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify 
failed')]

My config:

# This file is automatically generated by engine-setup. Please do not edit manually
[OVN REMOTE]
ovn-remote=ssl:127.0.0.1:6641

[SSL]
https-enabled=true
#ssl-cacert-file=/etc/pki/ovirt-engine/apache-ca.pem
#ssl-cert-file=/etc/pki/ovirt-engine/certs/ovirt-provider-ovn.cer
#ssl-key-file=/etc/pki/ovirt-engine/keys/ovirt-provider-ovn.key.nopass

ssl-cacert-file=/etc/pki/ovirt-engine/apache-ca.pem
ssl-cert-file=/etc/pki/ovirt-engine/certs/ovirt-provider-ovn.cer
ssl-key-file=/etc/pki/ovirt-engine/keys/ovirt-provider-ovn.key.nopass


[OVIRT]
ovirt-host=https://engine.set.local:443
ovirt-base=/ovirt-engine
ovirt-auth-timeout=110
ovirt-sso-client-id=ovirt-provider-ovn
ovirt-sso-client-secret=PzrrA0GBGwBzlKcf2s3j6PZK1BONTQG6FR6UxPWNqYY
#ovirt-sso-client-secret=HO0GftT4aT1SvuDZhqB0NInAeHr5OsNu
ovirt-admin-user-name=admin@internal
ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem

[NETWORK]
port-security-enabled-default=True

[PROVIDER]
provider-host=engine.set.local


Now try '--reconfigure-optional-components' of engine-setup.



> On 2 Oct 2019, at 10:11, Dominik Holler <dhol...@redhat.com> wrote:
> 
> 
> 
> On Wed, Oct 2, 2019 at 12:13 AM Mail SET Inc. Group <m...@set-pro.net> wrote:
> A few hours later I fixed the SSL error,
> 
> Would you share how you fixed the error?
> This might also help to understand the next issue.
> 
>  
> but got a new error
> 
> 2019-10-02 01:02:38,369 root Starting server
> 2019-10-02 01:02:38,369 root Version: 1.2.22-1
> 2019-10-02 01:02:38,369 root Build date: 20190509114402
> 2019-10-02 01:02:38,369 root Githash: 38acbde
> 2019-10-02 01:02:46,471 root From: ::ffff:172.19.0.10:33644 Request: POST /v2.0/tokens
> 2019-10-02 01:02:46,471 root Request body:
> {"auth": {"passwordCredentials": {"username": "admin@internal", "password": 
> "<PASSWORD_HIDDEN>"}}}
> 2019-10-02 01:02:46,472 root Error during SSO authentication invalid_request 
> : Missing parameter: 'client_secret'
> Traceback (most recent call last):
>   File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 138, in 
> _handle_request
>     method, path_parts, content
>   File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line 
> 175, in handle_request
>     return self.call_response_handler(handler, content, parameters)
>   File "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line 33, in 
> call_response_handler
>     return response_handler(content, parameters)
>   File "/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py", line 
> 69, in post_tokens
>     if not auth.validate_token(token):
>   File "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line 31, in 
> validate_token
>     return auth.core.plugin.validate_token(token)
>   File 
> "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/authorization_by_username.py",
>  line 36, in validate_token
>     return self._is_user_name(token, _admin_user_name())
>   File 
> "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/authorization_by_username.py",
>  line 47, in _is_user_name
>     timeout=AuthorizationByUserName._timeout())
>   File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 131, 
> in get_token_info
>     timeout=timeout
>   File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 55, in 
> wrapper
>     _check_for_error(response)
>   File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 181, 
> in _check_for_error
>     result['error'], details))
> Unauthorized: Error during SSO authentication invalid_request : Missing 
> parameter: 'client_secret'
> 
> 
> 
> 
> looks like the 
> /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
> does not fit the engine's db.
> 
> Maybe the easiest way would be to move the current
> /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
> away from /etc/ovirt-provider-ovn/conf.d/ and re-trigger the configuration by 
> using the
> parameter '--reconfigure-optional-components' of engine-setup.
> 
> Was the file /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf 
> modified outside engine-setup?
>  
>> On 1 Oct 2019, at 22:53, Mail SET Inc. Group <m...@set-pro.net> wrote:
>> 
>> Hello!
>> I'm having problems with a clean installation of 4.3.6.6-1.el7 and OVN
>> 
>> When I try to test OVN, I get a notification:
>> «Import provider certificate»
>>  Do you approve trusting self signed certificate subject CN=Certificate 
>> Authority, O=SET.LOCAL, SHA-1 fingerprint 
>> a9d9b91160bb306667a521e6f2c66037ddc437cb?
>> 
>> When I press «Yes», I see the old problem:
>> Failed to communicate with the external provider, see log for additional 
>> details.
>> 
>> [root@engine ~]# tail -f /var/log/ovirt-provider-ovn.log 
>>     timeout=self._timeout())
>>   File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 75, 
>> in create_token
>>     username, password, engine_url, ca_file, timeout)
>>   File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 91, 
>> in _get_sso_token
>>     timeout=timeout
>>   File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 54, 
>> in wrapper
>>     response = func(*args, **kwargs)
>>   File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 47, 
>> in wrapper
>>     raise BadGateway(e)
>> BadGateway: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed 
>> (_ssl.c:618)
>> 
>> [root@engine ~]# cat 
>> /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
>> # This file is automatically generated by engine-setup. Please do not edit manually
>> [OVN REMOTE]
>> ovn-remote=ssl:127.0.0.1:6641
>> [SSL]
>> https-enabled=true
>> ssl-cacert-file=/etc/pki/ovirt-engine/apache-ca.pem
>> ssl-cert-file=/etc/pki/ovirt-engine/certs/apache.cer
>> ssl-key-file=/etc/pki/ovirt-engine/keys/apache.key.nopass
>> [OVIRT]
>> ovirt-sso-client-id=ovirt-provider-ovn
>> ovirt-ca-file=/etc/pki/ovirt-engine/certs/engine.cer
>> ovirt-host=https://engine.set.local:443/ovirt-engine/
>> ovirt-sso-client-secret=vy80-QmCNNv6wP7JFvN9GWhPmYvo0lBNl5J8hpiGRa4
>> [NETWORK]
>> port-security-enabled-default=True
>> [PROVIDER]
>> provider-host=engine.set.local
>> 
>> [root@engine ~]# python -c "import requests; \
>> print requests.get('https://engine.set.local', \
>> verify='/etc/pki/ovirt-engine/apache-ca.pem')"
>> <Response [200]>
>> 
>> What's wrong?
> 
> _______________________________________________
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/IDUB3LOJHLRQVC2EFLSCN3MKYDEPZIRZ/
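
An added diagnostic example (not part of the thread and not ovirt-provider-ovn code): the two tracebacks above fail on different TLS connections, one to the OVN northbound DB at `ovn-remote` and one to the engine at `ovirt-host`, so this lists each connection with the CA file configured for it and attempts a chain-only handshake. It assumes Python 3 and that `ssl-cacert-file` in `[SSL]` is what verifies the `ovn-remote` peer; `plan_checks`, `probe` and `SAMPLE_CONF` are hypothetical names.

```python
import configparser
import socket
import ssl
import sys
from urllib.parse import urlparse
# Constructed sample mirroring the posted file (secret omitted).
SAMPLE_CONF = """\
[OVN REMOTE]
ovn-remote=ssl:127.0.0.1:6641
[SSL]
ssl-cacert-file=/etc/pki/ovirt-engine/apache-ca.pem
[OVIRT]
ovirt-host=https://engine.set.local:443
ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem
"""

def plan_checks(conf_text):
    """Return (label, host, port, ca_file) per outbound TLS connection."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    checks = []
    # Provider -> OVN northbound DB. Assumption: verified with the [SSL] CA file.
    remote = cp.get("OVN REMOTE", "ovn-remote", fallback="")
    if remote.startswith("ssl:"):
        host, _, port = remote[4:].rpartition(":")
        checks.append(("ovn-remote", host.strip("[]"), int(port),
                       cp.get("SSL", "ssl-cacert-file", fallback=None)))
    # Provider -> engine SSO, verified with ovirt-ca-file.
    url = urlparse(cp.get("OVIRT", "ovirt-host", fallback=""))
    if url.scheme == "https":
        checks.append(("ovirt-host", url.hostname, url.port or 443,
                       cp.get("OVIRT", "ovirt-ca-file", fallback=None)))
    return checks

def probe(host, port, ca_file, timeout=5.0):
    """Handshake trusting only ca_file; return 'ok' or the failure reason."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # chain-of-trust only, the failure in the log
    try:
        ctx.load_verify_locations(cafile=ca_file)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except (OSError, TypeError) as exc:  # SSLError is an OSError; TypeError: no CA
        return "FAILED: %s" % exc

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for label, host, port, ca in plan_checks(text):
        print(label, "%s:%s" % (host, port), ca, "->", probe(host, port, ca))
```

Run it on the engine host with the path of the provider config as the only argument; a `FAILED` line for one connection and `ok` for the other shows which CA file does not match which server certificate.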