
On 11/26/2013 07:29 PM, Gianluca Cecchi wrote:
On Tue, Nov 26, 2013 at 4:06 PM, Michael Pasternak wrote:
On 11/26/2013 04:09 PM, Gianluca Cecchi wrote:
Hello, based on RHEVM 3.2 and 3.3 beta docs I'm trying connection from ovirt cli.
I have:
engine on f19 + ovirt stable
ovirt-engine-3.3.1-2.fc19.noarch
client from where I run cli is f19 with
ovirt-engine-sdk-python-3.3.0.7-1.fc19.noarch
ovirt-engine-cli-3.3.0.5-1.fc19.noarch
this is client side certificate key, you should be using "ca_file" for the host CA.
Reading these documents:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Virtua...
http://www.ovirt.org/How_to_Connect_to_SPICE_Console_Without_Portal
It is not clear to me the correct combination/requirements on client side to be able to connect
ovirt-shell -h
==============
-K KEY_FILE, --key-file=KEY_FILE     specify client PEM key-file
-C CERT_FILE, --cert-file=CERT_FILE  specify client PEM cert-file
-A CA_FILE, --ca-file=CA_FILE        specify server CA cert-file

[oVirt shell (disconnected)]# help connect
=========================================
....
* [key-file] - The client PEM key file to use.
* [cert-file] - The client PEM certificate file to use.
* [ca-file] - The server CA certificate file to use.
...

http://www.ovirt.org/CLI#Connect
===============================
has the very same description of certificates - so as you see, it doesn't matter which option you choose, it has a clear distinction between client and server certificates, and obviously if you have a CA certificate (called ca.crt) you should be using options called: "--cert-file", "-A CA_FILE/--ca-file=CA_FILE"
Suppose I keep empty (aka default values) the .ovirtshellrc file:
[cli]
autoconnect = True
autopage = True

[ovirt-shell]
username =
timeout = None
extended_prompt = False
url =
insecure = False
filter = False
session_timeout = None
ca_file =
dont_validate_cert_chain = False
key_file = None
password =
cert_file =
And put all needed options into command line. The steps I understand I have to do are
1) curl -o ca.crt http://f18engine/ca.crt (that should be "server CA cert-file", correct?)
2) connect

But with
ovirt-shell -c -A ./ca.crt -l https://10.4.4.60:443/api -u admin@internal

I get error:
_ssl.c:291: Both the key & certificate files must be specified
this happens because you have specified one of the client validation certificates and, as the error states, both --key-file + --cert-file should be supplied for client validation.
that I don't find any reference for in the docs... Probably it is my fault with poor certificates/CA knowledge, but I presume it should be simpler for a user that only wants to interface to oVirt CLI to have a correct sequence of steps
Also, from http://www.ovirt.org/CLI#Usage (referred in /usr/share/doc/ovirt-engine-cli-3.3.0.5/README)
ovirt-shell --help should give the help
but this seems not to be true:
please read the docs again, they all have clear documentation of where the CA and where the client side validation certificates go.
$ ovirt-shell --help
URL:
Gianluca
-- Michael Pasternak RedHat, ENG-Virtualization R&D