
On 01/09/2014 11:00 AM, noc wrote:
On 8-1-2014 23:08, Bob Doolittle wrote:
On 01/08/2014 04:21 PM, Joop wrote:
Bob Doolittle wrote:
On 01/08/2014 02:31 PM, Joop wrote:
Bob Doolittle wrote:
On 01/08/2014 02:17 PM, Joop wrote:
> Bob Doolittle wrote:
>> Hi,
>>
>> I want to run ovirt-shell directly (as root) on the Engine.
>> Presumably all the files I need for CA, key, and cert are in the
>> /etc/pki area.
>>
>> But when I use the attached .ovirtshellrc file I get:
>>
>> error: [Errno 336265218] _ssl.c:341: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
>>
>> How can I specify an appropriate configuration to get this working?
>> I would prefer to keep using SSL if possible.
> Just guessing but I don't think that your fqdn is localhost in
> your certs. Use your fqdn for the url variable.
Good thought. But now I am getting:
error: [Errno 336265225] _ssl.c:341: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
Some searching indicates that my keys and certs need to be in pem format, so maybe I have to convert them before use? Any tips on how to do that?
What happens if you leave out the ca_file/key_file/cert_file variables? I just played around with ovirt-shell and made a .ovirtshellrc file, on the engine, and don't remember setting these and I could login and run scripts. Can't access my test environment right now so this is also a shot in the dark.
That's what I tried first. I get: error: server CA certificate file must be specified for SSL secured connection.
And if I don't specify https I get: error: No response returned from server. If you're using HTTP protocol against a SSL secured server, then try using HTTPS instead.
OK. Here is what I did:

On ovirt-engine:

wget https://engine_fqdn/ca.crt --no-check-certificate

and used the following .ovirtshellrc

[cli]
autoconnect = True
autopage = True

[ovirt-shell]
username = admin@internal
timeout = -1
extended_prompt = False
url = https://engine_fqdn/api
insecure = False
filter = False
session_timeout = -1
ca_file = /root/ca.crt
dont_validate_cert_chain = False
key_file = None
password = ******
cert_file = None
Something must be different about our setups. This is where I started.
In both cases, either "insecure = True" or when I specify the ca_file only, I get: error: [401] - Unauthorized, HTTP Status 401
The one difference is that you are using "ca_file = /root/ca.crt" whereas I am using "ca_file = ca.pem".
I can't seem to find any .crt files in the /etc/pki/ovirt-engine area (or, for that matter, in the /etc/pki/vdsm area on the node).
You have missed the step where I downloaded ca.crt with wget :-)
The "key_file" and "cert_file" parameters are only needed when your web server has been manually configured to require client SSL certificates, and this isn't the default configuration, so leave them with None as the value.

The only SSL parameter that you need to change is "ca_file", and it should contain the absolute path name of the file containing the certificate of the authority that signed the certificate of the web server. If you didn't change the SSL configuration of the web server then this file is in "/etc/pki/ovirt-engine/ca.pem".

So, to summarize, the parameters that you need to change are the following:

url = https://your_fully_qualified_host_name/api
username = admin@internal
password = the_password_for_the_above_user
ca_file = /etc/pki/ovirt-engine/ca.pem
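A small checker for the settings discussed in this thread, added here as an example; it is not part of the original mails or of ovirt-shell. The sample file and its `/path/to/placeholder.key` value are constructed, and the PEM test is a heuristic on the file's markers, not a full certificate parse.

```python
import configparser
import os
from urllib.parse import urlparse

# Constructed sample, not the file attached to the original mail.
SAMPLE_RC = """\
[ovirt-shell]
url = https://localhost/api
ca_file = ca.pem
key_file = /path/to/placeholder.key
cert_file = None
"""

def ca_file_problem(path):
    """Return None if path looks like a PEM certificate file, else the reason."""
    if not os.path.isabs(path):
        return "ca_file must be an absolute path"
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError as exc:
        return "ca_file unreadable: %s" % exc.strerror
    if b"-----BEGIN CERTIFICATE-----" in data:
        return None
    if b"PRIVATE KEY-----" in data:
        return "ca_file holds a private key, not a certificate"
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: raw DER, not PEM
        return "ca_file looks DER-encoded; convert it to PEM"
    return "ca_file has no PEM certificate block"

def lint_ovirtshellrc(text):
    """Check the [ovirt-shell] section against the advice in the thread."""
    cfg = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cfg.read_string(text)
    s = cfg["ovirt-shell"]
    problems = []
    url = urlparse(s.get("url", fallback=""))
    if url.scheme != "https":
        problems.append("url should use https")
    if url.hostname in (None, "localhost", "127.0.0.1"):
        problems.append("url host should be the FQDN in the server certificate")
    for name in ("key_file", "cert_file"):
        if s.get(name, fallback="None") != "None":
            problems.append(name + " is only needed when the server requires client certificates")
    reason = ca_file_problem(s.get("ca_file", fallback="None"))
    if reason:
        problems.append(reason)
    return problems
```

Calling `lint_ovirtshellrc(open(os.path.expanduser("~/.ovirtshellrc")).read())` returns a list of findings, empty when the file matches the summary above.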