[Users] ssl error using ovirt-shell in 3.3.1

Michael Pasternak mpastern at redhat.com
Wed Nov 27 07:47:07 UTC 2013 

On 11/26/2013 07:29 PM, Gianluca Cecchi wrote:
> On Tue, Nov 26, 2013 at 4:06 PM, Michael Pasternak  wrote:
>> On 11/26/2013 04:09 PM, Gianluca Cecchi wrote:
>>> Hello,
>>> based on RHEVM 3.2 and 3.3 beta docs I'm trying connection from ovirt cli.
>>> I have:
>>> engine on f19 + ovirt stable ovirt-engine-3.3.1-2.fc19.noarch
>>> client from where I run cli is f19 with
>>> ovirt-engine-sdk-python-3.3.0.7-1.fc19.noarch
>>> ovirt-engine-cli-3.3.0.5-1.fc19.noarch
> 
>> this is client side certificate key, you should be using "ca_file" for the host CA.
> 
> Reading these documents:
> 
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.3-Beta/html/Command_Line_Shell_Guide/Attaining_an_SSL_certificate_from_RHEVM_for_a_REST_API_Client.html
> 
> http://www.ovirt.org/CLI
> 
> http://www.ovirt.org/How_to_Connect_to_SPICE_Console_Without_Portal
> 
> It is not clear to me the correct combination/requirements on client
> side to be able to connect

ovirt-shell -h
==============

  -K KEY_FILE, --key-file=KEY_FILE
                        specify client PEM key-file
  -C CERT_FILE, --cert-file=CERT_FILE
                        specify client PEM cert-file
  -A CA_FILE, --ca-file=CA_FILE
                        specify server CA cert-file

[oVirt shell (disconnected)]# help connect
=========================================

   ....
   * [key-file]        - The client PEM key file to use.
   * [cert-file]       - The client PEM certificate file to use.
   * [ca-file]         - The server CA certificate file to use.
   ...

http://www.ovirt.org/CLI#Connect
===============================

has very same description of certificates

- so as you see doesn't matter what option you choose, it has clear
distinction between client and server certificates,

and obviously if you have CA certificate (called ca.crt)
you should be using options called: "--cert-file", "-A CA_FILE/--ca-file=CA_FILE"

> 
> Suppose I keep empty (aka default values) the .ovirtshellrc file:
> 
> [cli]
> autoconnect = True
> autopage = True
> [ovirt-shell]
> username =
> timeout = None
> extended_prompt = False
> url =
> insecure = False
> filter = False
> session_timeout = None
> ca_file =
> dont_validate_cert_chain = False
> key_file = None
> password =
> cert_file =
> 
> And put all needed options into command line. The steps I understand I
> have to do are
> 
> 1) curl -o ca.crt http://f18engine/ca.crt
> (that should be "server CA cert-file", correct?)
> 
> 2) connect
> But with
> ovirt-shell -c -A ./ca.crt -l https://10.4.4.60:443/api -u admin at internal
> 
> I get
> error: _ssl.c:291: Both the key & certificate files must be specified

this is happens cause you have specified one of the client validation certificates
and as error states, both --key-file + --cert-file should be supplied for client validation.

> 
> that I don't find any reference for in the docs...
> Probably it is my fault with poor certificates/CA knowledge, but I
> presume it should be simpler for a user that only wants to interface
> to oVirt CLI have a correct sequence of steps
> 
> Also, from http://www.ovirt.org/CLI#Usage (referred in
> /usr/share/doc/ovirt-engine-cli-3.3.0.5/README)
> 
> ovirt-shell --help should give the help
> 
> but this seems not to be true:

please read again the docs, they all have clear documentation
where CA and where client side validation certificates.

> 
>  $ ovirt-shell --help
> URL:
> 
> Gianluca
> 


-- 

Michael Pasternak
RedHat, ENG-Virtualization R&D

More information about the Users mailing list