[Users] Specifying values for cert, key, and CA for ovirt-shell

noc noc at nieuwland.nl
Thu Jan 9 10:00:30 UTC 2014


On 8-1-2014 23:08, Bob Doolittle wrote:
>
> On 01/08/2014 04:21 PM, Joop wrote:
>> Bob Doolittle wrote:
>>>
>>> On 01/08/2014 02:31 PM, Joop wrote:
>>>> Bob Doolittle wrote:
>>>>>
>>>>> On 01/08/2014 02:17 PM, Joop wrote:
>>>>>> Bob Doolittle wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I want to run ovirt-shell directly (as root) on the Engine. 
>>>>>>> Presumably all the files I need for CA, key, and cert are in the 
>>>>>>> /etc/pki area.
>>>>>>>
>>>>>>> But when I use the attached .ovirtshellrc file I get:
>>>>>>>
>>>>>>> error: [Errno 336265218] _ssl.c:341: error:140B0002:SSL 
>>>>>>> routines:SSL_CTX_use_PrivateKey_file:system lib
>>>>>>>
>>>>>>> How can I specify an appropriate configuration to get this working?
>>>>>>> I would prefer to keep using SSL if possible.
>>>>>> Just guessing but I don't think that your fqdn is localhost in 
>>>>>> your certs. Use your fqdn for the url variable.
>>>>>
>>>>> Good thought. But now I am getting:
>>>>>
>>>>> error: [Errno 336265225] _ssl.c:341: error:140B0009:SSL 
>>>>> routines:SSL_CTX_use_PrivateKey_file:PEM lib
>>>>>
>>>>> Some searching indicates that my keys and certs need to be in pem 
>>>>> format, so maybe I have to convert them before use? Any tips on 
>>>>> how to do that?
>>>>>
>>>> What happens if you leave out the ca_file/key_file/cert_file 
>>>> variables?
>>>> I just played around with ovirt-shell and made a .ovirtshellrc 
>>>> file, on the engine, and don't remember setting these and I could 
>>>> login and run scripts
>>>> Can't access my test environment right now so this is also a shot 
>>>> in the dark.
>>>
>>> That's what I tried first. I get:
>>> error: server CA certificate file must be specified for SSL secured 
>>> connection.
>>>
>>> And if I don't specify https I get:
>>> error: No response returned from server. If you're using HTTP protocol
>>> against a SSL secured server, then try using HTTPS instead.
>>>
>> OK. Here is what I did:
>> On ovirt-engine: wget https://engine_fqdn/ca.crt --no-check-certificate
>> and used the following .ovirtshellrc
>>
>> [cli]
>> autoconnect = True
>> autopage = True
>> [ovirt-shell]
>> username = admin@internal
>> timeout = -1
>> extended_prompt = False
>> url = https://engine_fqdn/api
>> insecure = False
>> filter = False
>> session_timeout = -1
>> ca_file = /root/ca.crt
>> dont_validate_cert_chain = False
>> key_file = None
>> password = ******
>> cert_file = None
>
> Something must be different about our setups. This is where I started.
>
> In both cases, either "insecure = True" or when I specify the ca_file 
> only, I get:
> error: [401] - Unauthorized, HTTP Status 401
>
> The one difference is that you are using "ca_file = /root/ca.crt" 
> whereas I am using "ca_file = ca.pem".
>
> I can't seem to find any .crt files in the /etc/pki/ovirt-engine area 
> (or, for that matter, in the /etc/pki/vdsm area on the node).
You have missed the step where I downloaded ca.crt with wget :-)
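
Added example (not part of the original thread, and not ovirt-shell code): a pre-flight check for the ca_file, key_file and cert_file settings discussed above. For key_file it separates a path that cannot be opened (the case OpenSSL reports as "system lib") from a file that is not a PEM private key (the case it reports as "PEM lib"). The function names, temporary paths and the placeholder PEM body are constructed for illustration.

```python
import configparser
import os
import re
import tempfile

# PEM block labels accepted for each file setting in the [ovirt-shell] section.
EXPECTED = {
    "ca_file": {"CERTIFICATE"},
    "cert_file": {"CERTIFICATE"},
    "key_file": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}
PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

def preflight(rc_text):
    # Returns {setting: status} for the three file settings of an .ovirtshellrc.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(rc_text)
    report = {}
    for key, wanted in EXPECTED.items():
        path = cp["ovirt-shell"].get(key, "None")
        if path in ("", "None"):
            report[key] = "unset"
            continue
        try:
            with open(path, "rb") as fh:
                labels = {m.decode() for m in PEM_BEGIN.findall(fh.read())}
        except OSError:
            report[key] = "unreadable"  # for key_file: OpenSSL "system lib"
            continue
        if not labels:
            report[key] = "not PEM"  # e.g. a DER-encoded file
        elif labels & wanted:
            report[key] = "ok"
        else:  # PEM, but the wrong kind of object for this setting
            report[key] = "wrong PEM type: " + ", ".join(sorted(labels))
    return report

def demo():
    # Constructed stand-in: real PEM framing, placeholder body, not a real certificate.
    d = tempfile.mkdtemp()
    ca = os.path.join(d, "ca.crt")
    with open(ca, "wb") as fh:
        fh.write(b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n")
    rc = "[ovirt-shell]\nca_file = {0}\nkey_file = {0}\ncert_file = {1}\n".format(
        ca, os.path.join(d, "missing.pem"))
    return preflight(rc)

if __name__ == "__main__":
    for setting, status in sorted(demo().items()):
        print(setting, "->", status)
```

The check only inspects PEM framing; it does not validate the certificate chain or that a key matches its certificate.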



