
On 01/08/2014 04:21 PM, Joop wrote:
Bob Doolittle wrote:
On 01/08/2014 02:31 PM, Joop wrote:
Bob Doolittle wrote:
On 01/08/2014 02:17 PM, Joop wrote:
Bob Doolittle wrote:
Hi,
I want to run ovirt-shell directly (as root) on the Engine. Presumably all the files I need for CA, key, and cert are in the /etc/pki area.
But when I use the attached .ovirtshellrc file I get:
error: [Errno 336265218] _ssl.c:341: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
How can I specify an appropriate configuration to get this working? I would prefer to keep using SSL if possible.

Just guessing, but I don't think that your fqdn is localhost in your certs. Use your fqdn for the url variable.
Good thought. But now I am getting:
error: [Errno 336265225] _ssl.c:341: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
Some searching indicates that my keys and certs need to be in pem format, so maybe I have to convert them before use? Any tips on how to do that?
What happens if you leave out the ca_file/key_file/cert_file variables? I just played around with ovirt-shell and made a .ovirtshellrc file, on the engine, and don't remember setting these and I could login and run scripts. Can't access my test environment right now so this is also a shot in the dark.
That's what I tried first. I get: error: server CA certificate file must be specified for SSL secured connection.
And if I don't specify https I get: error: No response returned from server. If you're using HTTP protocol against a SSL secured server, then try using HTTPS instead.
OK. Here is what I did:
On ovirt-engine: wget https://engine_fqdn/ca.crt --no-check-certificate
and used the following .ovirtshellrc

[cli]
autoconnect = True
autopage = True

[ovirt-shell]
username = admin@internal
timeout = -1
extended_prompt = False
url = https://engine_fqdn/api
insecure = False
filter = False
session_timeout = -1
ca_file = /root/ca.crt
dont_validate_cert_chain = False
key_file = None
password = ******
cert_file = None
Something must be different about our setups. This is where I started. In both cases, either "insecure = True" or when I specify the ca_file only, I get:
error: [401] - Unauthorized, HTTP Status 401

The one difference is that you are using "ca_file = /root/ca.crt" whereas I am using "ca_file = ca.pem". I can't seem to find any .crt files in the /etc/pki/ovirt-engine area (or, for that matter, in the /etc/pki/vdsm area on the node).

Thanks,
Bob
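
Added example, not part of the thread and not ovirt-shell's own code: the "PEM lib" error quoted above is what OpenSSL reports when it cannot parse the key file as PEM, so this sketch reads the ca_file/key_file/cert_file settings from an .ovirtshellrc and reports whether each one is unset, missing, PEM, or something else. The helper names and the sample paths are assumptions made for illustration.

```python
import configparser
import os
import re

# A PEM file carries at least one "-----BEGIN <LABEL>-----" armor line.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")
TLS_KEYS = ("ca_file", "key_file", "cert_file")


def classify(path):
    """Return 'unset', 'missing', 'pem:<LABEL>' or 'not-pem' for one setting."""
    if path is None or path.strip() in ("", "None"):
        return "unset"
    if not os.path.isfile(path):
        # Relative values such as "ca.pem" resolve against the current directory.
        return "missing"
    with open(path, "rb") as fh:
        match = PEM_BLOCK.search(fh.read())
    return "pem:" + match.group(1).decode() if match else "not-pem"


def check_rc(rc_text):
    """Classify every TLS file setting in the [ovirt-shell] section."""
    # interpolation=None so a '%' in the password line is not treated as syntax.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(rc_text)
    section = parser["ovirt-shell"]
    return {key: classify(section.get(key)) for key in TLS_KEYS}


if __name__ == "__main__":
    # Constructed sample modelled on the .ovirtshellrc in the thread;
    # the key and cert paths are placeholders, not real oVirt paths.
    sample_rc = """
[cli]
autoconnect = True

[ovirt-shell]
url = https://engine_fqdn/api
ca_file = /root/ca.crt
key_file = /path/to/placeholder.key
cert_file = None
"""
    for name, state in check_rc(sample_rc).items():
        print(f"{name}: {state}")
```

A "not-pem" result for key_file points at a file that needs converting before use; a "pem:" result also shows the label, which distinguishes a certificate from a private key.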