Something strange happens.
What changes did I make? I changed the Engine SSL using this manual:
https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html
I did not check how OVN worked before the changes. Of course I modified
'/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf' because I
changed the engine certificate.
What I see today:
2019-10-02 13:02:47,854 root From: ::ffff:172.19.0.10:60482 Request: GET /v2.0/
2019-10-02 13:02:47,854 root [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]
Traceback (most recent call last):
  File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 138, in _handle_request
    method, path_parts, content
  File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line 175, in handle_request
    return self.call_response_handler(handler, content, parameters)
  File "/usr/share/ovirt-provider-ovn/handlers/neutron.py", line 35, in call_response_handler
    with NeutronApi() as ovn_north:
  File "/usr/share/ovirt-provider-ovn/neutron/neutron_api.py", line 77, in __init__
    self.ovsidl, self.idl = ovn_connection.connect()
  File "/usr/share/ovirt-provider-ovn/ovn_connection.py", line 43, in connect
    ovnconst.OVN_NORTHBOUND
  File "/usr/lib/python2.7/site-packages/ovsdbapp/backend/ovs_idl/connection.py", line 127, in from_server
    helper = idlutils.get_schema_helper(connection_string, schema_name)
  File "/usr/lib/python2.7/site-packages/ovsdbapp/backend/ovs_idl/idlutils.py", line 118, in get_schema_helper
    stream.Stream.open(connection))
  File "/usr/lib64/python2.7/site-packages/ovs/stream.py", line 226, in open_block
    error = stream.connect()
  File "/usr/lib64/python2.7/site-packages/ovs/stream.py", line 802, in connect
    self.socket.do_handshake()
  File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1716, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1456, in _raise_ssl_error
    _raise_current_error()
  File "/usr/lib/python2.7/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]
My config:
# This file is automatically generated by engine-setup. Please do not edit manually
[OVN REMOTE]
ovn-remote=ssl:127.0.0.1:6641
[SSL]
https-enabled=true
#ssl-cacert-file=/etc/pki/ovirt-engine/apache-ca.pem
#ssl-cert-file=/etc/pki/ovirt-engine/certs/ovirt-provider-ovn.cer
#ssl-key-file=/etc/pki/ovirt-engine/keys/ovirt-provider-ovn.key.nopass
ssl-cacert-file=/etc/pki/ovirt-engine/apache-ca.pem
ssl-cert-file=/etc/pki/ovirt-engine/certs/ovirt-provider-ovn.cer
ssl-key-file=/etc/pki/ovirt-engine/keys/ovirt-provider-ovn.key.nopass
[OVIRT]
ovirt-host=https://engine.set.local:443
ovirt-base=/ovirt-engine
ovirt-auth-timeout=110
ovirt-sso-client-id=ovirt-provider-ovn
ovirt-sso-client-secret=PzrrA0GBGwBzlKcf2s3j6PZK1BONTQG6FR6UxPWNqYY
#ovirt-sso-client-secret=HO0GftT4aT1SvuDZhqB0NInAeHr5OsNu
ovirt-admin-user-name=admin@internal
ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem
[NETWORK]
port-security-enabled-default=True
[PROVIDER]
provider-host=engine.set.local
Now try '--reconfigure-optional-components' of engine-setup.
On 2 Oct 2019, at 10:11, Dominik Holler <dholler(a)redhat.com> wrote:
On Wed, Oct 2, 2019 at 12:13 AM Mail SET Inc. Group <mail(a)set-pro.net> wrote:
A few hours later I fixed the SSL error,
Would you share how you fixed the error?
This might also help to understand the next issue.
but got a new error
2019-10-02 01:02:38,369 root Starting server
2019-10-02 01:02:38,369 root Version: 1.2.22-1
2019-10-02 01:02:38,369 root Build date: 20190509114402
2019-10-02 01:02:38,369 root Githash: 38acbde
2019-10-02 01:02:46,471 root From: ::ffff:172.19.0.10:33644 Request: POST /v2.0/tokens
2019-10-02 01:02:46,471 root Request body:
{"auth": {"passwordCredentials": {"username": "admin@internal", "password": "<PASSWORD_HIDDEN>"}}}
2019-10-02 01:02:46,472 root Error during SSO authentication invalid_request : Missing parameter: 'client_secret'
Traceback (most recent call last):
  File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 138, in _handle_request
    method, path_parts, content
  File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line 175, in handle_request
    return self.call_response_handler(handler, content, parameters)
  File "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line 33, in call_response_handler
    return response_handler(content, parameters)
  File "/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py", line 69, in post_tokens
    if not auth.validate_token(token):
  File "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line 31, in validate_token
    return auth.core.plugin.validate_token(token)
  File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/authorization_by_username.py", line 36, in validate_token
    return self._is_user_name(token, _admin_user_name())
  File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/authorization_by_username.py", line 47, in _is_user_name
    timeout=AuthorizationByUserName._timeout())
  File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 131, in get_token_info
    timeout=timeout
  File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 55, in wrapper
    _check_for_error(response)
  File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 181, in _check_for_error
    result['error'], details))
Unauthorized: Error during SSO authentication invalid_request : Missing parameter: 'client_secret'
Looks like the
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
does not fit the engine's db.
Maybe the easiest would be to move the current
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
away from /etc/ovirt-provider-ovn/conf.d/ and re-trigger the configuration by using the
parameter '--reconfigure-optional-components' of engine-setup.
Was the file /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf modified
outside engine-setup?
> On 1 Oct 2019, at 22:53, Mail SET Inc. Group <mail(a)set-pro.net> wrote:
>
> Hello!
> I have problems with a clean installation of 4.3.6.6-1.el7 and OVN
>
> When I try to test OVN, I get a notification:
> «Import provider certificate»
> Do you approve trusting self signed certificate subject CN=Certificate Authority, O=SET.LOCAL, SHA-1 fingerprint a9d9b91160bb306667a521e6f2c66037ddc437cb?
>
> When I press «Yes», I see the old problem:
> Failed to communicate with the external provider, see log for additional details.
>
> [root@engine ~]# tail -f /var/log/ovirt-provider-ovn.log
>     timeout=self._timeout())
>   File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 75, in create_token
>     username, password, engine_url, ca_file, timeout)
>   File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 91, in _get_sso_token
>     timeout=timeout
>   File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 54, in wrapper
>     response = func(*args, **kwargs)
>   File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 47, in wrapper
>     raise BadGateway(e)
> BadGateway: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
>
> [root@engine ~]# cat /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
> # This file is automatically generated by engine-setup. Please do not edit manually
> [OVN REMOTE]
> ovn-remote=ssl:127.0.0.1:6641
> [SSL]
> https-enabled=true
> ssl-cacert-file=/etc/pki/ovirt-engine/apache-ca.pem
> ssl-cert-file=/etc/pki/ovirt-engine/certs/apache.cer
> ssl-key-file=/etc/pki/ovirt-engine/keys/apache.key.nopass
> [OVIRT]
> ovirt-sso-client-id=ovirt-provider-ovn
> ovirt-ca-file=/etc/pki/ovirt-engine/certs/engine.cer
> ovirt-host=https://engine.set.local:443/ovirt-engine/
> ovirt-sso-client-secret=vy80-QmCNNv6wP7JFvN9GWhPmYvo0lBNl5J8hpiGRa4
> [NETWORK]
> port-security-enabled-default=True
> [PROVIDER]
> provider-host=engine.set.local
>
> [root@engine ~]# python -c "import requests; \
> print requests.get('https://engine.set.local', \
> verify='/etc/pki/ovirt-engine/apache-ca.pem')"
> <Response [200]>
>
> What’s wrong ?