On 01/08/2014 04:21 PM, Joop wrote:
> Bob Doolittle wrote:
>>
>> On 01/08/2014 02:31 PM, Joop wrote:
>>> Bob Doolittle wrote:
>>>>
>>>> On 01/08/2014 02:17 PM, Joop wrote:
>>>>> Bob Doolittle wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I want to run ovirt-shell directly (as root) on the Engine.
>>>>>> Presumably all the files I need for CA, key, and cert are in the
>>>>>> /etc/pki area.
>>>>>>
>>>>>> But when I use the attached .ovirtshellrc file I get:
>>>>>>
>>>>>> error: [Errno 336265218] _ssl.c:341: error:140B0002:SSL
>>>>>> routines:SSL_CTX_use_PrivateKey_file:system lib
>>>>>>
>>>>>> How can I specify an appropriate configuration to get this
working?
>>>>>> I would prefer to keep using SSL if possible.
>>>>> Just guessing but I don't think that your fqdn is localhost in
>>>>> your certs. Use your fqdn for the url variable.
>>>>
>>>> Good thought. But now I am getting:
>>>>
>>>> error: [Errno 336265225] _ssl.c:341: error:140B0009:SSL
>>>> routines:SSL_CTX_use_PrivateKey_file:PEM lib
>>>>
>>>> Some searching indicates that my keys and certs need to be in pem
>>>> format, so maybe I have to convert them before use? Any tips on
>>>> how to do that?
>>>>
>>> What happens if you leave out the ca_file/key_file/cert_file
>>> variables?
>>> I just played around with ovirt-shell and made a .ovirtshellrc
>>> file, on the engine, and don't remember setting these and I could
>>> login and run scripts
>>> Can't access my test environment right now so this is also a shot
>>> in the dark.
>>
>> That's what I tried first. I get:
>> error: server CA certificate file must be specified for SSL secured
>> connection.
>>
>> And if I don't specify https I get:
>> error: No response returned from server. If you're using HTTP protocol
>> against a SSL secured server, then try using HTTPS instead.
>>
> OK. Here is what I did:
> On ovirt-engine: wget
https://engine_fqdn/ca.crt --no-check-certificate
> and used the following .ovirtshellrc
>
> [cli]
> autoconnect = True
> autopage = True
> [ovirt-shell]
> username = admin@internal
> timeout = -1
> extended_prompt = False
> url =
https://engine_fqdn/api
> insecure = False
> filter = False
> session_timeout = -1
> ca_file = /root/ca.crt
> dont_validate_cert_chain = False
> key_file = None
> password = ******
> cert_file = None
Something must be different about our setups. This is where I started.
In both cases, either "insecure = True" or when I specify the ca_file
only, I get:
error: [401] - Unauthorized, HTTP Status 401
The one difference is that you are using "ca_file = /root/ca.crt"
whereas I am using "ca_file = ca.pem".
I can't seem to find any .crt files in the /etc/pki/ovirt-engine area
(or, for that matter, in the /etc/pki/vdsm area on the node).