On Tue, Nov 26, 2013 at 6:29 PM, Gianluca Cecchi wrote:

On Tue, Nov 26, 2013 at 4:06 PM, Michael Pasternak wrote:

...

On 11/26/2013 04:09 PM, Gianluca Cecchi wrote:

...

Hello, based on RHEVM 3.2 and 3.3 beta docs I'm trying connection from ovirt cli. I have: engine on f19 + ovirt stable ovirt-engine-3.3.1-2.fc19.noarch client from where I run cli is f19 with ovirt-engine-sdk-python-3.3.0.7-1.fc19.noarch ovirt-engine-cli-3.3.0.5-1.fc19.noarch

Uhm, strange.

From another client that is f19 too and incidentally contains an oVirt AIO configuration and so has enabled the ovirt stable repo I have ovirt-engine-sdk-python-3.3.0.8-1.fc19.noarch ovirt-engine-cli-3.3.0.6-1.fc19.noarch

and I'm perfectly able to connect with the same steps as the not working one. $ wget -O f18engine.crt http://10.4.4.60:/ca.crt --2013-11-26 22:03:41-- http://10.4.4.60/ca.crt Connecting to 10.4.4.60:80... connected. HTTP request sent, awaiting response... 200 OK Length: 1376 (1.3K) [application/x-x509-ca-cert] Saving to: ‘f18engine.crt’ 100%[====================================================================================================>] 1,376 --.-K/s in 0.001s 2013-11-26 22:03:42 (1.41 MB/s) - ‘f18engine.crt’ saved [1376/1376] [g.cecchi@tekkaman ~]$ ovirt-shell -c -l https://10.4.4.60:443/api -A f18engine.crt -u "admin@internal" Password:  ==========================================

...

...

connected to oVirt manager 3.3.0.0 <<< ==========================================

++++++++++++++++++++++++++++++++++++++++++ Welcome to oVirt shell ++++++++++++++++++++++++++++++++++++++++++ [oVirt shell (connected)]# exit while on the not working standard f19 client (see above) I have ovirt-engine-sdk-python-3.3.0.7-1.fc19.noarch ovirt-engine-cli-3.3.0.5-1.fc19.noarch as provided by upstream f19 (dated 10/10 in updates...) Could it be this one the reason? Anyone able to verify on standard f19 without ovirt repo against a 3.3.1 install? Thanks, Gianluca

On 11/26/2013 07:29 PM, Gianluca Cecchi wrote:

On Tue, Nov 26, 2013 at 4:06 PM, Michael Pasternak wrote:

...

On 11/26/2013 04:09 PM, Gianluca Cecchi wrote:

...

Hello, based on RHEVM 3.2 and 3.3 beta docs I'm trying connection from ovirt cli. I have: engine on f19 + ovirt stable ovirt-engine-3.3.1-2.fc19.noarch client from where I run cli is f19 with ovirt-engine-sdk-python-3.3.0.7-1.fc19.noarch ovirt-engine-cli-3.3.0.5-1.fc19.noarch

...

this is client side certificate key, you should be using "ca_file" for the host CA.

Reading these documents:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Virtua...

http://www.ovirt.org/CLI

http://www.ovirt.org/How_to_Connect_to_SPICE_Console_Without_Portal

It is not clear to me the correct combination/requirements on client side to be able to connect

ovirt-shell -h ============== -K KEY_FILE, --key-file=KEY_FILE specify client PEM key-file -C CERT_FILE, --cert-file=CERT_FILE specify client PEM cert-file -A CA_FILE, --ca-file=CA_FILE specify server CA cert-file [oVirt shell (disconnected)]# help connect ========================================= .... * [key-file] - The client PEM key file to use. * [cert-file] - The client PEM certificate file to use. * [ca-file] - The server CA certificate file to use. ... http://www.ovirt.org/CLI#Connect =============================== has very same description of certificates - so as you see doesn't matter what option you choose, it has clear distinction between client and server certificates, and obviously if you have CA certificate (called ca.crt) you should be using options called: "--cert-file", "-A CA_FILE/--ca-file=CA_FILE"

Suppose I keep empty (aka default values) the .ovirtshellrc file:

[cli] autoconnect = True autopage = True [ovirt-shell] username = timeout = None extended_prompt = False url = insecure = False filter = False session_timeout = None ca_file = dont_validate_cert_chain = False key_file = None password = cert_file =

And put all needed options into command line. The steps I understand I have to do are

1) curl -o ca.crt http://f18engine/ca.crt (that should be "server CA cert-file", correct?)

2) connect But with ovirt-shell -c -A ./ca.crt -l https://10.4.4.60:443/api -u admin@internal

I get error: _ssl.c:291: Both the key & certificate files must be specified

this is happens cause you have specified one of the client validation certificates and as error states, both --key-file + --cert-file should be supplied for client validation.

that I don't find any reference for in the docs... Probably it is my fault with poor certificates/CA knowledge, but I presume it should be simpler for a user that only wants to interface to oVirt CLI have a correct sequence of steps

Also, from http://www.ovirt.org/CLI#Usage (referred in /usr/share/doc/ovirt-engine-cli-3.3.0.5/README)

ovirt-shell --help should give the help

but this seems not to be true:

please read again the docs, they all have clear documentation where CA and where client side validation certificates.

$ ovirt-shell --help URL:

Gianluca

-- Michael Pasternak RedHat, ENG-Virtualization R&D