[Users] Specifying values for cert, key, and CA for ovirt-shell

Hi,
I want to run ovirt-shell directly (as root) on the Engine. Presumably all the files I need for CA, key, and cert are in the /etc/pki area.
But when I use the attached .ovirtshellrc file I get:
error: [Errno 336265218] _ssl.c:341: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
How can I specify an appropriate configuration to get this working? I would prefer to keep using SSL if possible.
Thanks, Bob

Bob Doolittle wrote:
> Hi,
> I want to run ovirt-shell directly (as root) on the Engine. Presumably all the files I need for CA, key, and cert are in the /etc/pki area.
> But when I use the attached .ovirtshellrc file I get:
> error: [Errno 336265218] _ssl.c:341: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
> How can I specify an appropriate configuration to get this working? I would prefer to keep using SSL if possible.
Just guessing but I don't think that your fqdn is localhost in your certs. Use your fqdn for the url variable.
Joop

On 01/08/2014 02:17 PM, Joop wrote:
> Bob Doolittle wrote:
>> Hi,
>> I want to run ovirt-shell directly (as root) on the Engine. Presumably all the files I need for CA, key, and cert are in the /etc/pki area.
>> But when I use the attached .ovirtshellrc file I get:
>> error: [Errno 336265218] _ssl.c:341: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
>> How can I specify an appropriate configuration to get this working? I would prefer to keep using SSL if possible.
> Just guessing but I don't think that your fqdn is localhost in your certs. Use your fqdn for the url variable.
Good thought. But now I am getting:
error: [Errno 336265225] _ssl.c:341: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
Some searching indicates that my keys and certs need to be in pem format, so maybe I have to convert them before use? Any tips on how to do that?
Thanks, Bob

Bob Doolittle wrote:
> Good thought. But now I am getting:
> error: [Errno 336265225] _ssl.c:341: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
> Some searching indicates that my keys and certs need to be in pem format, so maybe I have to convert them before use? Any tips on how to do that?
What happens if you leave out the ca_file/key_file/cert_file variables? I just played around with ovirt-shell and made a .ovirtshellrc file, on the engine, and don't remember setting these and I could login and run scripts. Can't access my test environment right now so this is also a shot in the dark.
Joop

On 01/08/2014 02:31 PM, Joop wrote:
> What happens if you leave out the ca_file/key_file/cert_file variables? I just played around with ovirt-shell and made a .ovirtshellrc file, on the engine, and don't remember setting these and I could login and run scripts. Can't access my test environment right now so this is also a shot in the dark.
That's what I tried first. I get: error: server CA certificate file must be specified for SSL secured connection.
And if I don't specify https I get: error: No response returned from server. If you're using HTTP protocol against a SSL secured server, then try using HTTPS instead.
Thanks, Bob

Bob Doolittle wrote:
> That's what I tried first. I get: error: server CA certificate file must be specified for SSL secured connection.
> And if I don't specify https I get: error: No response returned from server. If you're using HTTP protocol against a SSL secured server, then try using HTTPS instead.
OK. Here is what I did:
On ovirt-engine:
    wget https://engine_fqdn/ca.crt --no-check-certificate
and used the following .ovirtshellrc
    [cli]
    autoconnect = True
    autopage = True
    [ovirt-shell]
    username = admin@internal
    timeout = -1
    extended_prompt = False
    url = https://engine_fqdn/api
    insecure = False
    filter = False
    session_timeout = -1
    ca_file = /root/ca.crt
    dont_validate_cert_chain = False
    key_file = None
    password = ******
    cert_file = None
Then I can do ovirt-shell and get a prompt that I'm connected.
Notice I only filled in ca_file and NOT key_file/cert_file.
Setting insecure=True will also work and then you won't need ca.crt
Joop

On 01/08/2014 04:21 PM, Joop wrote:
> OK. Here is what I did:
> On ovirt-engine:
>     wget https://engine_fqdn/ca.crt --no-check-certificate
> and used the following .ovirtshellrc
>     [cli]
>     autoconnect = True
>     autopage = True
>     [ovirt-shell]
>     username = admin@internal
>     timeout = -1
>     extended_prompt = False
>     url = https://engine_fqdn/api
>     insecure = False
>     filter = False
>     session_timeout = -1
>     ca_file = /root/ca.crt
>     dont_validate_cert_chain = False
>     key_file = None
>     password = ******
>     cert_file = None
Something must be different about our setups. This is where I started.
In both cases, either "insecure = True" or when I specify the ca_file only, I get: error: [401] - Unauthorized, HTTP Status 401
The one difference is that you are using "ca_file = /root/ca.crt" whereas I am using "ca_file = ca.pem".
I can't seem to find any .crt files in the /etc/pki/ovirt-engine area (or, for that matter, in the /etc/pki/vdsm area on the node).
Thanks, Bob

Hi,
The short way of getting the correct certificate to connect to the engine is downloading it using wget/curl/browser from the server itself:
the url is: https://your_fqdn/ca.crt
Connect with this as "ca_file = /path/where/you/downloaded/ca.crt" should work (always did for me).
Another way to start is without any ovirtshellrc, simply invoking:
    ovirt-shell
You get a disconnected shell, then connect via:
    connect --url https://your-fqdn/api --username admin@internal --password --ca-file /path/to/ca.crt
HTH
On 08.01.2014 23:08, Bob Doolittle wrote:
> Something must be different about our setups. This is where I started.
> In both cases, either "insecure = True" or when I specify the ca_file only, I get: error: [401] - Unauthorized, HTTP Status 401
> The one difference is that you are using "ca_file = /root/ca.crt" whereas I am using "ca_file = ca.pem".
> I can't seem to find any .crt files in the /etc/pki/ovirt-engine area (or, for that matter, in the /etc/pki/vdsm area on the node).
> Thanks, Bob
--
Regards
Sven Kieske
System Administrator
Mittwald CM Service GmbH & Co. KG

On 8-1-2014 23:08, Bob Doolittle wrote:
> On 01/08/2014 04:21 PM, Joop wrote:
>> OK. Here is what I did:
>> On ovirt-engine:
>>     wget https://engine_fqdn/ca.crt --no-check-certificate
>> and used the following .ovirtshellrc
>>     [cli]
>>     autoconnect = True
>>     autopage = True
>>     [ovirt-shell]
>>     username = admin@internal
>>     timeout = -1
>>     extended_prompt = False
>>     url = https://engine_fqdn/api
>>     insecure = False
>>     filter = False
>>     session_timeout = -1
>>     ca_file = /root/ca.crt
>>     dont_validate_cert_chain = False
>>     key_file = None
>>     password = ******
>>     cert_file = None
> Something must be different about our setups. This is where I started.
> In both cases, either "insecure = True" or when I specify the ca_file only, I get: error: [401] - Unauthorized, HTTP Status 401
> The one difference is that you are using "ca_file = /root/ca.crt" whereas I am using "ca_file = ca.pem".
> I can't seem to find any .crt files in the /etc/pki/ovirt-engine area (or, for that matter, in the /etc/pki/vdsm area on the node).
You have missed the step where I downloaded ca.crt with wget :-)

On 01/09/2014 11:00 AM, noc wrote:
> You have missed the step where I downloaded ca.crt with wget :-)
The "key_file" and "cert_file" parameters are only needed when your web server has been manually configured to require client SSL certificates, and this isn't the default configuration, so leave them with None as the value.
The only SSL parameter that you need to change is "ca_file", and it should contain the absolute path name of the file containing the certificate of the authority that signed the certificate of the web server. If you didn't change the SSL configuration of the web server then this file is in "/etc/pki/ovirt-engine/ca.pem".
So, to summarize, the parameters that you need to change are the following:
    url = https://your_fully_qualified_host_name/api
    username = admin@internal
    password = the_password_for_the_above_user
    ca_file = /etc/pki/ovirt-engine/ca.pem
--
Red Hat S.L.
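
A small linter for the [ovirt-shell] options discussed in this thread, as an added example that is not part of any poster's message or of ovirt-shell itself: it flags a localhost url, insecure = True, a ca_file that is relative or holds no PEM certificate, and key_file/cert_file set when no client certificate is required. The function names, engine.example.com, the /constructed/ paths and both sample configurations are constructed for illustration.

```python
import configparser
import os
import re
import tempfile
from urllib.parse import urlparse

def pem_labels(path):
    """Labels of the PEM blocks in a file, e.g. ['CERTIFICATE']."""
    with open(path, errors="replace") as fh:
        return re.findall(r"-----BEGIN ([A-Z0-9 ]+)-----", fh.read())

def lint_ovirtshellrc(rc_text):
    """Check the [ovirt-shell] TLS options against the advice in the thread."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(rc_text)
    sec, findings = cfg["ovirt-shell"], []
    url = urlparse(sec.get("url", ""))
    if url.scheme != "https" or url.hostname in (None, "localhost"):
        findings.append("url: use https and the engine's fully qualified host name")
    if sec.get("insecure", "False").strip().lower() == "true":
        findings.append("insecure: server certificate is not verified")
    ca = sec.get("ca_file", "None").strip()
    if not os.path.isabs(ca):  # also catches the unset value "None"
        findings.append("ca_file: must be an absolute path to the CA certificate")
    elif not os.path.isfile(ca) or "CERTIFICATE" not in pem_labels(ca):
        findings.append("ca_file: not a readable PEM certificate")
    # Per the thread, these stay None unless the web server demands client certs.
    for opt in ("key_file", "cert_file"):
        if sec.get(opt, "None").strip() != "None":
            findings.append(opt + ": only needed for client certificates")
    return findings

def demo():
    """Lint two constructed configurations; returns (weak, corrected)."""
    ca = os.path.join(tempfile.mkdtemp(), "ca.pem")  # stand-in, not a real CA
    with open(ca, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n")
    base = "[ovirt-shell]\nusername = admin@internal\ninsecure = False\n"
    weak = base + ("url = https://localhost/api\nca_file = ca.pem\n"
                   "key_file = /constructed/key\ncert_file = /constructed/cert\n")
    good = base + ("url = https://engine.example.com/api\nca_file = %s\n"
                   "key_file = None\ncert_file = None\n" % ca)
    return lint_ovirtshellrc(weak), lint_ovirtshellrc(good)

if __name__ == "__main__":
    print(demo())
```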
participants (5): Bob Doolittle, Joop, Juan Hernandez, noc, Sven Kieske