[ovirt-users] ovirt-engine-extension-aaa-ldap-setup > [ ERROR ] Invalid CA certificate: unknown error (_ssl.c:2988)
Ondra Machacek
omachace at redhat.com
Wed Sep 28 02:39:35 EDT 2016
On 09/27/2016 07:39 PM, aleksey.maksimov at it-kb.ru wrote:
> Hello oVirt guru's!
>
> I want to configure MS Active Directory authentication for oVirt web UI.
>
> I configured an External LDAP Provider in accordance with the instructions:
>
> Link #1) https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/sect-Configuring_an_External_LDAP_Provider.html
>
> Link #2) https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Setting_Up_SSL_or_TLS_Connections_between_the_Manager_and_an_LDAP_Server.html
>
> For support LDAP over TLS I did file with all Root certificates (~/AD-LDAP-Files/myrootca_chain.pem).
>
> Check file:
>
> $ openssl verify -CAfile ~/AD-LDAP-Files/myrootca_chain.pem ~/AD-LDAP-Files/ldapserver.pem
> /root/AD-LDAP-Files/end.pem: OK
>
> Then I create JKS (Java Key Store) file (as described in Link #2):
>
> # keytool -importcert -noprompt -trustcacerts -alias myrootcachain -file ~/AD-LDAP-Files/myrootca_chain.pem -keystore /etc/ovirt-engine/aaa/myrootca.jks -storepass changeit
> Certificate was added to keystore
>
> Then I run ovirt-engine-extension-aaa-ldap-setup:
>
> # ovirt-engine-extension-aaa-ldap-setup
>
> [ INFO ] Stage: Initializing
> [ INFO ] Stage: Environment setup
> Configuration files: ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
> Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20160927202843-npv8ru.log
> Version: otopi-1.5.2 (otopi-1.5.2-1.el7.centos)
> [ INFO ] Stage: Environment packages setup
> [ INFO ] Stage: Programs detection
> [ INFO ] Stage: Environment customization
> Welcome to LDAP extension configuration program
> Available LDAP implementations:
> 1 - 389ds
> 2 - 389ds RFC-2307 Schema
> 3 - Active Directory
> 4 - IPA
> 5 - Novell eDirectory RFC-2307 Schema
> 6 - OpenLDAP RFC-2307 Schema
> 7 - OpenLDAP Standard Schema
> 8 - Oracle Unified Directory RFC-2307 Schema
> 9 - RFC-2307 Schema (Generic)
> 10 - RHDS
> 11 - RHDS RFC-2307 Schema
> 12 - iPlanet
> Please select: 3
> Please enter Active Directory Forest name: holding.com
> [ INFO ] Resolving Global Catalog SRV record for holding.com
> [ INFO ] Resolving LDAP SRV record for holding.com
> NOTE:
> It is highly recommended to use secure protocol to access the LDAP server.
> Protocol startTLS is the standard recommended method to do so.
> Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
> Use plain for test environments only.
> Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
> Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): File
> File path: /etc/ovirt-engine/aaa/myrootca.jks
"Please select method to obtain PEM encoded CA certificate"
File means the PEM file not the jks file. The jks is created by
aaa-ldap-setup.
> [ ERROR ] Invalid CA certificate: unknown error (_ssl.c:2988)
> Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure):
>
>
> In the log /tmp/ovirt-engine-extension-aaa-ldap-setup-20160927202843-npv8ru.log:
>
> ...
> 2016-09-27 20:28:57 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure):
> 2016-09-27 20:29:01 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:RECEIVE File
> 2016-09-27 20:29:01 DEBUG otopi.plugins.otopi.dialog.human human.queryString:145 query OVAAALDAP_LDAP_CACERT_FILE
> 2016-09-27 20:29:01 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND File path:
> 2016-09-27 20:29:10 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:RECEIVE /etc/ovirt-engine/aaa/myrootca.jks
> 2016-09-27 20:29:10 ERROR otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:756 Invalid CA certificate: unknown error (_ssl.c:2988)
> 2016-09-27 20:29:10 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:757 Exception
> Traceback (most recent call last):
> File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 748, in _customization_late
> cacert, cacertfile, insecure = self._getCACert()
> File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 366, in _getCACert
> error=e,
> SoftRuntimeError: Invalid CA certificate: unknown error (_ssl.c:2988)
>
> Tell me, please, what am I doing wrong.
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
More information about the Users
mailing list