On 01/08/2014 04:21 PM, Joop wrote:
Bob Doolittle wrote:
>
> On 01/08/2014 02:31 PM, Joop wrote:
>> Bob Doolittle wrote:
>>>
>>> On 01/08/2014 02:17 PM, Joop wrote:
>>>> Bob Doolittle wrote:
>>>>> Hi,
>>>>>
>>>>> I want to run ovirt-shell directly (as root) on the Engine.
>>>>> Presumably all the files I need for CA, key, and cert are in the
>>>>> /etc/pki area.
>>>>>
>>>>> But when I use the attached .ovirtshellrc file I get:
>>>>>
>>>>> error: [Errno 336265218] _ssl.c:341: error:140B0002:SSL
>>>>> routines:SSL_CTX_use_PrivateKey_file:system lib
>>>>>
>>>>> How can I specify an appropriate configuration to get this working?
>>>>> I would prefer to keep using SSL if possible.
>>>> Just guessing but I don't think that your fqdn is localhost in
>>>> your certs. Use your fqdn for the url variable.
>>>
>>> Good thought. But now I am getting:
>>>
>>> error: [Errno 336265225] _ssl.c:341: error:140B0009:SSL
>>> routines:SSL_CTX_use_PrivateKey_file:PEM lib
>>>
>>> Some searching indicates that my keys and certs need to be in pem
>>> format, so maybe I have to convert them before use? Any tips on how
>>> to do that?
>>>
>> What happens if you leave out the ca_file/key_file/cert_file variables?
>> I just played around with ovirt-shell and made a .ovirtshellrc file,
>> on the engine, and don't remember setting these and I could login
>> and run scripts
>> Can't access my test environment right now so this is also a shot in
>> the dark.
>
> That's what I tried first. I get:
> error: server CA certificate file must be specified for SSL secured
> connection.
>
> And if I don't specify https I get:
> error: No response returned from server. If you're using HTTP protocol
> against a SSL secured server, then try using HTTPS instead.
>
OK. Here is what I did:
On ovirt-engine: wget https://engine_fqdn/ca.crt --no-check-certificate
and used the following .ovirtshellrc
[cli]
autoconnect = True
autopage = True
[ovirt-shell]
username = admin@internal
timeout = -1
extended_prompt = False
url = https://engine_fqdn/api
insecure = False
filter = False
session_timeout = -1
ca_file = /root/ca.crt
dont_validate_cert_chain = False
key_file = None
password = ******
cert_file = None

Something must be different about our setups. This is where I started.
In both cases, either "insecure = True" or when I specify the ca_file
only, I get:
error: [401] - Unauthorized, HTTP Status 401
The one difference is that you are using "ca_file = /root/ca.crt"
whereas I am using "ca_file = ca.pem".
I can't seem to find any .crt files in the /etc/pki/ovirt-engine area
(or, for that matter, in the /etc/pki/vdsm area on the node).
Thanks,
Bob
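
A small check for the situation discussed in this thread, added here as an example and not part of the original messages or of ovirt-shell: it reads the [ovirt-shell] section of an .ovirtshellrc and reports whether each of ca_file, key_file and cert_file is unset, unreadable, PEM-encoded or in some other encoding. The function names, temporary paths and sample file contents are constructed for illustration.

```python
import configparser
import os
import tempfile

PEM_MARKER = b"-----BEGIN "  # every PEM object starts with a line like this

def classify_pem(path):
    """Return 'unset', 'unreadable', 'pem' or 'not-pem' for a configured path."""
    if path is None or path.strip() in ("", "None"):
        return "unset"
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        # OpenSSL reports a file it cannot open as a "system lib" error.
        return "unreadable"
    # A file without a PEM header (DER, PKCS#12, ...) produces a "PEM lib" error.
    # Heuristic only: it does not validate the base64 body or the key itself.
    return "pem" if PEM_MARKER in data else "not-pem"

def check_ovirtshellrc(rc_path):
    """Classify ca_file, key_file and cert_file from the [ovirt-shell] section."""
    cfg = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cfg.read(rc_path)
    section = cfg["ovirt-shell"]
    return {k: classify_pem(section.get(k)) for k in ("ca_file", "key_file", "cert_file")}

def demo():
    """Build a constructed rc file plus sample files, then classify them."""
    d = tempfile.mkdtemp()
    ca = os.path.join(d, "ca.pem")
    der = os.path.join(d, "engine.der")
    with open(ca, "wb") as fh:   # constructed PEM-shaped file, not a real certificate
        fh.write(b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n")
    with open(der, "wb") as fh:  # constructed bytes that start like a DER SEQUENCE
        fh.write(b"\x30\x82\x01\x0a\x02\x82\x01\x01\x00")
    rc = os.path.join(d, ".ovirtshellrc")
    with open(rc, "w") as fh:
        fh.write("[cli]\nautoconnect = True\n[ovirt-shell]\n"
                 "url = https://engine_fqdn/api\n"
                 f"ca_file = {ca}\nkey_file = {der}\n"
                 f"cert_file = {os.path.join(d, 'missing.cer')}\n")
    return check_ovirtshellrc(rc)

if __name__ == "__main__":
    for name, state in demo().items():
        print(name, state)
```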