[ovirt-users] ovirt-engine-extension-aaa-ldap-setup > [ ERROR ] Invalid CA certificate: unknown error (_ssl.c:2988)
aleksey.maksimov at it-kb.ru
Tue Sep 27 17:39:33 UTC 2016
Hello oVirt gurus!
I want to configure MS Active Directory authentication for oVirt web UI.
I configured an External LDAP Provider in accordance with the instructions:
Link #1) https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/sect-Configuring_an_External_LDAP_Provider.html
Link #2) https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Setting_Up_SSL_or_TLS_Connections_between_the_Manager_and_an_LDAP_Server.html
To support LDAP over TLS I made a file with all the root certificates (~/AD-LDAP-Files/myrootca_chain.pem).
Checking the file:
$ openssl verify -CAfile ~/AD-LDAP-Files/myrootca_chain.pem ~/AD-LDAP-Files/ldapserver.pem
/root/AD-LDAP-Files/end.pem: OK
Then I created a JKS (Java Key Store) file (as described in Link #2):
# keytool -importcert -noprompt -trustcacerts -alias myrootcachain -file ~/AD-LDAP-Files/myrootca_chain.pem -keystore /etc/ovirt-engine/aaa/myrootca.jks -storepass changeit
Certificate was added to keystore
Then I ran ovirt-engine-extension-aaa-ldap-setup:
# ovirt-engine-extension-aaa-ldap-setup
[ INFO ] Stage: Initializing
[ INFO ] Stage: Environment setup
Configuration files: ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20160927202843-npv8ru.log
Version: otopi-1.5.2 (otopi-1.5.2-1.el7.centos)
[ INFO ] Stage: Environment packages setup
[ INFO ] Stage: Programs detection
[ INFO ] Stage: Environment customization
Welcome to LDAP extension configuration program
Available LDAP implementations:
1 - 389ds
2 - 389ds RFC-2307 Schema
3 - Active Directory
4 - IPA
5 - Novell eDirectory RFC-2307 Schema
6 - OpenLDAP RFC-2307 Schema
7 - OpenLDAP Standard Schema
8 - Oracle Unified Directory RFC-2307 Schema
9 - RFC-2307 Schema (Generic)
10 - RHDS
11 - RHDS RFC-2307 Schema
12 - iPlanet
Please select: 3
Please enter Active Directory Forest name: holding.com
[ INFO ] Resolving Global Catalog SRV record for holding.com
[ INFO ] Resolving LDAP SRV record for holding.com
NOTE:
It is highly recommended to use secure protocol to access the LDAP server.
Protocol startTLS is the standard recommended method to do so.
Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
Use plain for test environments only.
Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): File
File path: /etc/ovirt-engine/aaa/myrootca.jks
[ ERROR ] Invalid CA certificate: unknown error (_ssl.c:2988)
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure):
In the log /tmp/ovirt-engine-extension-aaa-ldap-setup-20160927202843-npv8ru.log:
...
2016-09-27 20:28:57 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure):
2016-09-27 20:29:01 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:RECEIVE File
2016-09-27 20:29:01 DEBUG otopi.plugins.otopi.dialog.human human.queryString:145 query OVAAALDAP_LDAP_CACERT_FILE
2016-09-27 20:29:01 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND File path:
2016-09-27 20:29:10 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:RECEIVE /etc/ovirt-engine/aaa/myrootca.jks
2016-09-27 20:29:10 ERROR otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:756 Invalid CA certificate: unknown error (_ssl.c:2988)
2016-09-27 20:29:10 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:757 Exception
Traceback (most recent call last):
File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 748, in _customization_late
cacert, cacertfile, insecure = self._getCACert()
File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 366, in _getCACert
error=e,
SoftRuntimeError: Invalid CA certificate: unknown error (_ssl.c:2988)
Please tell me what I am doing wrong.
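An added example, not part of the original post or of the oVirt tooling: the setup prompt above asks for a "PEM encoded CA certificate", and a small pre-check like this tells a PEM bundle apart from a JKS keystore (which begins with the magic bytes 0xFEEDFEED) and then tries to load the file into a TLS context the way the setup's SSL layer would. The sample keystore bytes and the helper names are constructed for the demonstration.

```python
import os
import ssl
import tempfile

JKS_MAGIC = b"\xfe\xed\xfe\xed"            # first four bytes of every JKS file
PEM_MARKER = b"-----BEGIN CERTIFICATE-----"  # what a PEM CA bundle contains

# Constructed sample: JKS magic, version, entry count, then filler (not a real keystore).
SAMPLE_JKS = JKS_MAGIC + b"\x00\x00\x00\x02\x00\x00\x00\x01" + b"\x00" * 32


def classify_ca_file(data: bytes) -> str:
    """Return 'jks', 'pem' or 'unknown' from the file's leading bytes / markers."""
    if data.startswith(JKS_MAGIC):
        return "jks"
    if PEM_MARKER in data:
        return "pem"
    return "unknown"


def ca_file_loadable(path: str):
    """Load the file as a PEM CA bundle into a TLS client context.
    Returns (ok, message); a non-PEM file fails with an ssl.SSLError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except ssl.SSLError as e:
        return False, "Invalid CA certificate: %s" % e
    return True, "OK"


def diagnose(path: str) -> dict:
    """Combine the byte-level classification with the real load attempt."""
    with open(path, "rb") as f:
        data = f.read()
    kind = classify_ca_file(data)
    ok, msg = ca_file_loadable(path)
    hint = ""
    if kind == "jks":
        hint = ("file is a Java keystore; the setup prompt expects the PEM bundle "
                "(the input you gave to keytool), not the .jks produced from it")
    return {"kind": kind, "loadable": ok, "message": msg, "hint": hint}


def demo_jks() -> dict:
    """Write the constructed JKS sample to a temp file and diagnose it."""
    fd, path = tempfile.mkstemp(suffix=".jks")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(SAMPLE_JKS)
        return diagnose(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo_jks())
```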