[Users] Specifying values for cert, key, and CA for ovirt-shell

Juan Hernandez jhernand at redhat.com
Thu Jan 9 06:39:36 EST 2014


On 01/09/2014 11:00 AM, noc wrote:
> On 8-1-2014 23:08, Bob Doolittle wrote:
>>
>> On 01/08/2014 04:21 PM, Joop wrote:
>>> Bob Doolittle wrote:
>>>>
>>>> On 01/08/2014 02:31 PM, Joop wrote:
>>>>> Bob Doolittle wrote:
>>>>>>
>>>>>> On 01/08/2014 02:17 PM, Joop wrote:
>>>>>>> Bob Doolittle wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I want to run ovirt-shell directly (as root) on the Engine. 
>>>>>>>> Presumably all the files I need for CA, key, and cert are in the 
>>>>>>>> /etc/pki area.
>>>>>>>>
>>>>>>>> But when I use the attached .ovirtshellrc file I get:
>>>>>>>>
>>>>>>>> error: [Errno 336265218] _ssl.c:341: error:140B0002:SSL 
>>>>>>>> routines:SSL_CTX_use_PrivateKey_file:system lib
>>>>>>>>
>>>>>>>> How can I specify an appropriate configuration to get this working?
>>>>>>>> I would prefer to keep using SSL if possible.
>>>>>>> Just guessing but I don't think that your fqdn is localhost in 
>>>>>>> your certs. Use your fqdn for the url variable.
>>>>>>
>>>>>> Good thought. But now I am getting:
>>>>>>
>>>>>> error: [Errno 336265225] _ssl.c:341: error:140B0009:SSL 
>>>>>> routines:SSL_CTX_use_PrivateKey_file:PEM lib
>>>>>>
>>>>>> Some searching indicates that my keys and certs need to be in pem 
>>>>>> format, so maybe I have to convert them before use? Any tips on 
>>>>>> how to do that?
>>>>>>
>>>>> What happens if you leave out the ca_file/key_file/cert_file 
>>>>> variables?
>>>>> I just played around with ovirt-shell and made a .ovirtshellrc 
>>>>> file, on the engine, and don't remember setting these and I could 
>>>>> login and run scripts
>>>>> Can't access my test environment right now so this is also a shot 
>>>>> in the dark.
>>>>
>>>> That's what I tried first. I get:
>>>> error: server CA certificate file must be specified for SSL secured 
>>>> connection.
>>>>
>>>> And if I don't specify https I get:
>>>> error: No response returned from server. If you're using HTTP protocol
>>>> against a SSL secured server, then try using HTTPS instead.
>>>>
>>> OK. Here is what I did:
>>> On ovirt-engine: wget https://engine_fqdn/ca.crt --no-check-certificate
>>> and used the following .ovirtshellrc
>>>
>>> [cli]
>>> autoconnect = True
>>> autopage = True
>>> [ovirt-shell]
>>> username = admin at internal
>>> timeout = -1
>>> extended_prompt = False
>>> url = https://engine_fqdn/api
>>> insecure = False
>>> filter = False
>>> session_timeout = -1
>>> ca_file = /root/ca.crt
>>> dont_validate_cert_chain = False
>>> key_file = None
>>> password = ******
>>> cert_file = None
>>
>> Something must be different about our setups. This is where I started.
>>
>> In both cases, either "insecure = True" or when I specify the ca_file 
>> only, I get:
>> error: [401] - Unauthorized, HTTP Status 401
>>
>> The one difference is that you are using "ca_file = /root/ca.crt" 
>> whereas I am using "ca_file = ca.pem".
>>
>> I can't seem to find any .crt files in the /etc/pki/ovirt-engine area 
>> (or, for that matter, in the /etc/pki/vdsm area on the node).
> You have missed the step where I downloaded ca.crt with wget :-)
> 

The "key_file" and "cert_file" parameters are only needed when your web
server has been manually configured to require client SSL certificates,
and this isn't the default configuration, so leave them with None as the
value.

The only SSL parameter that you need to change is "ca_file", and it
should contain the absolute path name of the file containing the
certificate of the authority that signed the certificate of the web
server. If you didn't change the SSL configuration of the web server
then this file is in "/etc/pki/ovirt-engine/ca.pem". So, to summarize,
the parameters that you need to change are the following:

  url = https://your_fully_qualified_host_name/api
  username = admin at internal
  password = the_password_for_the_above_user
  ca_file = /etc/pki/ovirt-engine/ca.pem

-- 
Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
3ºD, 28016 Madrid, Spain
Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L.


More information about the Users mailing list