[Users] ssl error using ovirt-shell in 3.3.1

Hello,
based on RHEVM 3.2 and 3.3 beta docs I'm trying connection from ovirt cli.
I have:
engine on f19 + ovirt stable
ovirt-engine-3.3.1-2.fc19.noarch

client from where I run cli is f19 with
ovirt-engine-sdk-python-3.3.0.7-1.fc19.noarch
ovirt-engine-cli-3.3.0.5-1.fc19.noarch

$ curl -o ovirt-f18engine.cer http://f18engine/ca.crt

$ cat ~/.ovirtshellrc
[cli]
autoconnect = True
autopage = True
[ovirt-shell]
username = "internal\\admin"
timeout = None
extended_prompt = False
url = https://f18engine:443/api
insecure = False
filter = False
session_timeout = None
ca_file =
dont_validate_cert_chain = False
key_file = None
password =
cert_file = /home/gcecchi/ovirt-f18engine.cer

cert_file seems not to work because I get

$ ovirt-shell -c
Password:
error: server CA certificate file must be specified for SSL secured connection.

I presume referring to https://bugzilla.redhat.com/show_bug.cgi?id=960983 still in verified state

$ ovirt-shell -c -A /home/gcecchi/ovirt-f18engine.cer
Password:
error: [Errno 336265225] _ssl.c:351: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
++++++++++++++++++++++++++++++++++++++++++
Welcome to oVirt shell
++++++++++++++++++++++++++++++++++++++++++
[oVirt shell (disconnected)]# exit

If I change .ovirtshellrc contents with
cert_file =
and run
$ ovirt-shell -c -A /home/gcecchi/ovirt-f18engine.cer
Password:
I get
error: _ssl.c:291: Both the key & certificate files must be specified

What am I doing wrong?
Gianluca

On 11/26/2013 04:09 PM, Gianluca Cecchi wrote:
Hello, based on RHEVM 3.2 and 3.3 beta docs I'm trying connection from ovirt cli.
I have:
engine on f19 + ovirt stable
ovirt-engine-3.3.1-2.fc19.noarch
client from where I run cli is f19 with
ovirt-engine-sdk-python-3.3.0.7-1.fc19.noarch
ovirt-engine-cli-3.3.0.5-1.fc19.noarch
$ curl -o ovirt-f18engine.cer http://f18engine/ca.crt
$ cat ~/.ovirtshellrc
[cli]
autoconnect = True
autopage = True
[ovirt-shell]
username = "internal\\admin"
timeout = None
extended_prompt = False
url = https://f18engine:443/api
insecure = False
filter = False
session_timeout = None
ca_file =
dont_validate_cert_chain = False
key_file = None
password =
cert_file = /home/gcecchi/ovirt-f18engine.cer
this is client side certificate key, you should be using "ca_file" for the host CA.
cert_file seems not to work because I get
$ ovirt-shell -c
Password:
error: server CA certificate file must be specified for SSL secured connection.
I presume referring to https://bugzilla.redhat.com/show_bug.cgi?id=960983 still in verified state
$ ovirt-shell -c -A /home/gcecchi/ovirt-f18engine.cer
Password:
error: [Errno 336265225] _ssl.c:351: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
++++++++++++++++++++++++++++++++++++++++++
Welcome to oVirt shell
++++++++++++++++++++++++++++++++++++++++++
[oVirt shell (disconnected)]# exit
If I change .ovirtshellrc contents with cert_file =
and run
$ ovirt-shell -c -A /home/gcecchi/ovirt-f18engine.cer
Password:
I get error: _ssl.c:291: Both the key & certificate files must be specified
What I'm doing wrong?
Gianluca
-- Michael Pasternak RedHat, ENG-Virtualization R&D

On Tue, Nov 26, 2013 at 4:06 PM, Michael Pasternak wrote:
On 11/26/2013 04:09 PM, Gianluca Cecchi wrote:
Hello, based on RHEVM 3.2 and 3.3 beta docs I'm trying connection from ovirt cli.
I have:
engine on f19 + ovirt stable
ovirt-engine-3.3.1-2.fc19.noarch
client from where I run cli is f19 with
ovirt-engine-sdk-python-3.3.0.7-1.fc19.noarch
ovirt-engine-cli-3.3.0.5-1.fc19.noarch
this is client side certificate key, you should be using "ca_file" for the host CA.
Reading these documents:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Virtua...
http://www.ovirt.org/CLI
http://www.ovirt.org/How_to_Connect_to_SPICE_Console_Without_Portal

It is not clear to me the correct combination/requirements on client side to be able to connect

Suppose I keep empty (aka default values) the .ovirtshellrc file:

[cli]
autoconnect = True
autopage = True
[ovirt-shell]
username =
timeout = None
extended_prompt = False
url =
insecure = False
filter = False
session_timeout = None
ca_file =
dont_validate_cert_chain = False
key_file = None
password =
cert_file =

And put all needed options into command line.
The steps I understand I have to do are
1) curl -o ca.crt http://f18engine/ca.crt
(that should be "server CA cert-file", correct?)
2) connect

But with
ovirt-shell -c -A ./ca.crt -l https://10.4.4.60:443/api -u admin@internal
I get
error: _ssl.c:291: Both the key & certificate files must be specified

that I don't find any reference for in the docs...
Probably it is my fault with poor certificates/CA knowledge, but I presume it should be simpler for a user that only wants to interface to oVirt CLI have a correct sequence of steps

Also, from http://www.ovirt.org/CLI#Usage (referred in /usr/share/doc/ovirt-engine-cli-3.3.0.5/README)
ovirt-shell --help
should give the help but this seems not to be true:

$ ovirt-shell --help
URL:

Gianluca

On Tue, Nov 26, 2013 at 6:29 PM, Gianluca Cecchi wrote:
On Tue, Nov 26, 2013 at 4:06 PM, Michael Pasternak wrote:
On 11/26/2013 04:09 PM, Gianluca Cecchi wrote:
Hello, based on RHEVM 3.2 and 3.3 beta docs I'm trying connection from ovirt cli.
I have:
engine on f19 + ovirt stable
ovirt-engine-3.3.1-2.fc19.noarch
client from where I run cli is f19 with
ovirt-engine-sdk-python-3.3.0.7-1.fc19.noarch
ovirt-engine-cli-3.3.0.5-1.fc19.noarch
Uhm, strange.
From another client that is f19 too and incidentally contains an oVirt AIO configuration and so has enabled the ovirt stable repo I have
ovirt-engine-sdk-python-3.3.0.8-1.fc19.noarch
ovirt-engine-cli-3.3.0.6-1.fc19.noarch

and I'm perfectly able to connect with the same steps as the not working one.

$ wget -O f18engine.crt http://10.4.4.60:/ca.crt
--2013-11-26 22:03:41-- http://10.4.4.60/ca.crt
Connecting to 10.4.4.60:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1376 (1.3K) [application/x-x509-ca-cert]
Saving to: ‘f18engine.crt’
100%[====================================================================================================>] 1,376 --.-K/s in 0.001s
2013-11-26 22:03:42 (1.41 MB/s) - ‘f18engine.crt’ saved [1376/1376]

[g.cecchi@tekkaman ~]$ ovirt-shell -c -l https://10.4.4.60:443/api -A f18engine.crt -u "admin@internal"
Password:
==========================================
connected to oVirt manager 3.3.0.0 <<<
==========================================
++++++++++++++++++++++++++++++++++++++++++
Welcome to oVirt shell
++++++++++++++++++++++++++++++++++++++++++
[oVirt shell (connected)]# exit

while on the not working standard f19 client (see above) I have
ovirt-engine-sdk-python-3.3.0.7-1.fc19.noarch
ovirt-engine-cli-3.3.0.5-1.fc19.noarch
as provided by upstream f19 (dated 10/10 in updates...)

Could it be this one the reason?
Anyone able to verify on standard f19 without ovirt repo against a 3.3.1 install?

Thanks,
Gianluca

On 11/26/2013 11:18 PM, Gianluca Cecchi wrote:
On Tue, Nov 26, 2013 at 6:29 PM, Gianluca Cecchi wrote:
On Tue, Nov 26, 2013 at 4:06 PM, Michael Pasternak wrote:
On 11/26/2013 04:09 PM, Gianluca Cecchi wrote:
Hello, based on RHEVM 3.2 and 3.3 beta docs I'm trying connection from ovirt cli.
I have:
engine on f19 + ovirt stable
ovirt-engine-3.3.1-2.fc19.noarch
client from where I run cli is f19 with
ovirt-engine-sdk-python-3.3.0.7-1.fc19.noarch
ovirt-engine-cli-3.3.0.5-1.fc19.noarch
Uhm, strange.
From another client that is f19 too and incidentally contains an oVirt AIO configuration and so has enabled the ovirt stable repo I have
ovirt-engine-sdk-python-3.3.0.8-1.fc19.noarch
ovirt-engine-cli-3.3.0.6-1.fc19.noarch
and I'm perfectly able to connect with the same steps as the not working one.
$ wget -O f18engine.crt http://10.4.4.60:/ca.crt
--2013-11-26 22:03:41-- http://10.4.4.60/ca.crt
Connecting to 10.4.4.60:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1376 (1.3K) [application/x-x509-ca-cert]
Saving to: ‘f18engine.crt’
100%[====================================================================================================>] 1,376 --.-K/s in 0.001s
2013-11-26 22:03:42 (1.41 MB/s) - ‘f18engine.crt’ saved [1376/1376]
[g.cecchi@tekkaman ~]$ ovirt-shell -c -l https://10.4.4.60:443/api -A f18engine.crt -u "admin@internal"
you probably have a clean ~/.ovirtshellrc here, without one of the client's certificates assigned.
Password:
==========================================
connected to oVirt manager 3.3.0.0 <<<
==========================================
++++++++++++++++++++++++++++++++++++++++++
Welcome to oVirt shell
++++++++++++++++++++++++++++++++++++++++++
[oVirt shell (connected)]# exit
while on the not working standard f19 client (see above) I have
ovirt-engine-sdk-python-3.3.0.7-1.fc19.noarch
ovirt-engine-cli-3.3.0.5-1.fc19.noarch
as provided by upstream f19 (dated 10/10 in updates...)
Could it be this one the reason?
Anyone able to verify on standard f19 without ovirt repo against a 3.3.1 install?
Thanks,
Gianluca
-- Michael Pasternak RedHat, ENG-Virtualization R&D

On 11/26/2013 07:29 PM, Gianluca Cecchi wrote:
On Tue, Nov 26, 2013 at 4:06 PM, Michael Pasternak wrote:
On 11/26/2013 04:09 PM, Gianluca Cecchi wrote:
Hello, based on RHEVM 3.2 and 3.3 beta docs I'm trying connection from ovirt cli.
I have:
engine on f19 + ovirt stable
ovirt-engine-3.3.1-2.fc19.noarch
client from where I run cli is f19 with
ovirt-engine-sdk-python-3.3.0.7-1.fc19.noarch
ovirt-engine-cli-3.3.0.5-1.fc19.noarch
this is client side certificate key, you should be using "ca_file" for the host CA.
Reading these documents:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Virtua...
http://www.ovirt.org/How_to_Connect_to_SPICE_Console_Without_Portal
It is not clear to me the correct combination/requirements on client side to be able to connect
ovirt-shell -h
==============

-K KEY_FILE, --key-file=KEY_FILE
        specify client PEM key-file
-C CERT_FILE, --cert-file=CERT_FILE
        specify client PEM cert-file
-A CA_FILE, --ca-file=CA_FILE
        specify server CA cert-file

[oVirt shell (disconnected)]# help connect
=========================================

....
* [key-file] - The client PEM key file to use.
* [cert-file] - The client PEM certificate file to use.
* [ca-file] - The server CA certificate file to use.
...

http://www.ovirt.org/CLI#Connect
===============================

has very same description of certificates - so as you see doesn't matter what option you choose, it has clear distinction between client and server certificates, and obviously if you have CA certificate (called ca.crt) you should be using options called: "--cert-file", "-A CA_FILE/--ca-file=CA_FILE"
Suppose I keep empty (aka default values) the .ovirtshellrc file:
[cli]
autoconnect = True
autopage = True
[ovirt-shell]
username =
timeout = None
extended_prompt = False
url =
insecure = False
filter = False
session_timeout = None
ca_file =
dont_validate_cert_chain = False
key_file = None
password =
cert_file =
And put all needed options into command line. The steps I understand I have to do are
1) curl -o ca.crt http://f18engine/ca.crt (that should be "server CA cert-file", correct?)
2) connect
But with
ovirt-shell -c -A ./ca.crt -l https://10.4.4.60:443/api -u admin@internal
I get error: _ssl.c:291: Both the key & certificate files must be specified
this happens because you have specified one of the client validation certificates and, as the error states, both --key-file + --cert-file should be supplied for client validation.
that I don't find any reference for in the docs... Probably it is my fault with poor certificates/CA knowledge, but I presume it should be simpler for a user that only wants to interface to oVirt CLI have a correct sequence of steps
Also, from http://www.ovirt.org/CLI#Usage (referred in /usr/share/doc/ovirt-engine-cli-3.3.0.5/README)
ovirt-shell --help should give the help
but this seems not to be true:
please read the docs again; they all clearly document which are the CA and which are the client-side validation certificates.
$ ovirt-shell --help
URL:
Gianluca
-- Michael Pasternak RedHat, ENG-Virtualization R&D
participants (2): Gianluca Cecchi, Michael Pasternak
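
The distinction drawn in the replies above (ca_file / -A is the server CA used to verify the engine, while cert_file and key_file are the client's own certificate pair) can be checked before connecting. This is an added example, not code from the thread or from the oVirt project. The function names, the sample file (constructed from the first message) and the treatment of empty or literal None values as unset are assumptions.

```python
import configparser

# Constructed sample modelled on the ~/.ovirtshellrc in the first message:
# the engine CA was stored under cert_file while ca_file stayed empty.
SAMPLE_RC = """\
[cli]
autoconnect = True
[ovirt-shell]
url = https://f18engine:443/api
insecure = False
ca_file =
key_file = None
cert_file = /home/gcecchi/ovirt-f18engine.cer
"""


def _value(section, key):
    """Return an option, treating '' and the literal 'None' as unset (assumption)."""
    raw = section.get(key, "").strip()
    return None if raw in ("", "None") else raw


def check_ovirtshellrc(text):
    """Return findings about the TLS options in an ovirtshellrc-style file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = cp["ovirt-shell"]
    ca, cert, key = (_value(sec, k) for k in ("ca_file", "cert_file", "key_file"))
    insecure = sec.get("insecure", "False").strip().lower() == "true"
    https = sec.get("url", "").strip().startswith("https://")
    findings = []
    # Client authentication needs both halves; one alone matches the
    # "Both the key & certificate files must be specified" error.
    if bool(cert) != bool(key):
        findings.append("cert_file and key_file are a client pair: set both or neither")
    # The downloaded ca.crt verifies the engine, so it belongs in ca_file (-A).
    if https and not insecure and not ca:
        findings.append("ca_file is empty: put the engine ca.crt here or pass -A")
    # Assumption: insecure = True means the engine certificate is not validated.
    if insecure:
        findings.append("insecure = True: engine certificate is not validated")
    return findings


if __name__ == "__main__":
    for line in check_ovirtshellrc(SAMPLE_RC):
        print("finding:", line)
```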