3:09 p.m.
Hello,
based on RHEVM 3.2 and 3.3 beta docs I'm trying connection from ovirt cli.
I have:
engine on f19 + ovirt stable ovirt-engine-3.3.1-2.fc19.noarch
client from where I run cli is f19 with
ovirt-engine-sdk-python-3.3.0.7-1.fc19.noarch
ovirt-engine-cli-3.3.0.5-1.fc19.noarch
$ curl -o ovirt-f18engine.cer http://f18engine/ca.crt
$ cat ~/.ovirtshellrc
[cli]
autoconnect = True
autopage = True
[ovirt-shell]
username = "internal\\admin"
timeout = None
extended_prompt = False
url = https://f18engine:443/api
insecure = False
filter = False
session_timeout = None
ca_file =
dont_validate_cert_chain = False
key_file = None
password =
cert_file = /home/gcecchi/ovirt-f18engine.cer
cert_file seems not to work because I get
$ ovirt-shell -c
Password:
error: server CA certificate file must be specified for SSL secured connection.
I presume referring to
https://bugzilla.redhat.com/show_bug.cgi?id=960983
still in verified state
$ ovirt-shell -c -A /home/gcecchi/ovirt-f18engine.cer
Password:
error: [Errno 336265225] _ssl.c:351: error:140B0009:SSL
routines:SSL_CTX_use_PrivateKey_file:PEM lib
++++++++++++++++++++++++++++++++++++++++++
Welcome to oVirt shell
++++++++++++++++++++++++++++++++++++++++++
[oVirt shell (disconnected)]# exit
If I change .ovirtshellrc contents with
cert_file =
and run
$ ovirt-shell -c -A /home/gcecchi/ovirt-f18engine.cer
Password:
I get
error: _ssl.c:291: Both the key & certificate files must be specified
What I'm doing wrong?
Gianluca
6:29 p.m.
On Tue, Nov 26, 2013 at 4:06 PM, Michael Pasternak wrote:
this is client side certificate key, you should be using
"ca_file" for the host CA.
Reading these documents:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Vir...
http://www.ovirt.org/CLI
http://www.ovirt.org/How_to_Connect_to_SPICE_Console_Without_Portal
It is not clear to me the correct combination/requirements on client
side to be able to connect
Suppose I keep empty (aka default values) the .ovirtshellrc file:
[cli]
autoconnect = True
autopage = True
[ovirt-shell]
username =
timeout = None
extended_prompt = False
url =
insecure = False
filter = False
session_timeout = None
ca_file =
dont_validate_cert_chain = False
key_file = None
password =
cert_file =
And put all needed options into command line. The steps I understand I
have to do are
1) curl -o ca.crt http://f18engine/ca.crt
(that should be "server CA cert-file", correct?)
2) connect
But with
ovirt-shell -c -A ./ca.crt -l https://10.4.4.60:443/api -u admin@internal
I get
error: _ssl.c:291: Both the key & certificate files must be specified
that I don't find any reference for in the docs...
Probably it is my fault with poor certificates/CA knowledge, but I
presume it should be simpler for a user that only wants to interface
to oVirt CLI have a correct sequence of steps
Also, from http://www.ovirt.org/CLI#Usage (referred in
/usr/share/doc/ovirt-engine-cli-3.3.0.5/README)
ovirt-shell --help should give the help
but this seems not to be true:
$ ovirt-shell --help
URL:
Gianluca
10:18 p.m.
On Tue, Nov 26, 2013 at 6:29 PM, Gianluca Cecchi wrote:
Uhm, strange.
From another client that is f19 too and incidentally contains an oVirt
AIO configuration and so has enabled the ovirt stable repo I have
ovirt-engine-sdk-python-3.3.0.8-1.fc19.noarch
ovirt-engine-cli-3.3.0.6-1.fc19.noarch
and I'm perfectly able to connect with the same steps as the not working one.
$ wget -O f18engine.crt http://10.4.4.60:/ca.crt
--2013-11-26 22:03:41-- http://10.4.4.60/ca.crt
Connecting to 10.4.4.60:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1376 (1.3K) [application/x-x509-ca-cert]
Saving to: ‘f18engine.crt’
100%[====================================================================================================>]
1,376 --.-K/s in 0.001s
2013-11-26 22:03:42 (1.41 MB/s) - ‘f18engine.crt’ saved [1376/1376]
[g.cecchi@tekkaman ~]$ ovirt-shell -c -l https://10.4.4.60:443/api -A
f18engine.crt -u "admin@internal"
Password:
[3;J
==========================================
>> connected to oVirt manager 3.3.0.0 <<<
==========================================
++++++++++++++++++++++++++++++++++++++++++
Welcome to oVirt shell
++++++++++++++++++++++++++++++++++++++++++
[oVirt shell (connected)]# exit
while on the not working standard f19 client (see above) I have
ovirt-engine-sdk-python-3.3.0.7-1.fc19.noarch
ovirt-engine-cli-3.3.0.5-1.fc19.noarch
as provided by upstream f19 (dated 10/10 in updates...)
Could it be this one the reason?
Anyone able to verify on standard f19 without ovirt repo against a
3.3.1 install?
Thanks,
Gianluca
8:47 a.m.
On 11/26/2013 07:29 PM, Gianluca Cecchi wrote:
ovirt-shell -h
==============
-K KEY_FILE, --key-file=KEY_FILE
specify client PEM key-file
-C CERT_FILE, --cert-file=CERT_FILE
specify client PEM cert-file
-A CA_FILE, --ca-file=CA_FILE
specify server CA cert-file
[oVirt shell (disconnected)]# help connect
=========================================
....
* [key-file] - The client PEM key file to use.
* [cert-file] - The client PEM certificate file to use.
* [ca-file] - The server CA certificate file to use.
...
http://www.ovirt.org/CLI#Connect
===============================
has very same description of certificates
- so as you see doesn't matter what option you choose, it has clear
distinction between client and server certificates,
and obviously if you have CA certificate (called ca.crt)
you should be using options called: "--cert-file", "-A
CA_FILE/--ca-file=CA_FILE"
this is happens cause you have specified one of the client validation certificates
and as error states, both --key-file + --cert-file should be supplied for client
validation.
please read again the docs, they all have clear documentation
where CA and where client side validation certificates.
--
Michael Pasternak
RedHat, ENG-Virtualization R&D
4150
days inactive
4151
days old
5 comments
2 participants
participants (2)
-
Gianluca Cecchi -
Michael Pasternak