[ovirt-users] ovirt-engine-extension-aaa-ldap-setup > [ ERROR ] Invalid CA certificate: unknown error (_ssl.c:2988)

aleksey.maksimov at it-kb.ru aleksey.maksimov at it-kb.ru
Tue Sep 27 17:39:33 UTC 2016 

Hello oVirt guru's!

I want to configure MS Active Directory authentication for oVirt web UI.

I configured an External LDAP Provider in accordance with the instructions:

Link #1) https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/sect-Configuring_an_External_LDAP_Provider.html

Link #2) https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Setting_Up_SSL_or_TLS_Connections_between_the_Manager_and_an_LDAP_Server.html

For support LDAP over TLS I did file with all Root certificates (~/AD-LDAP-Files/myrootca_chain.pem).

Check file:

$ openssl verify -CAfile ~/AD-LDAP-Files/myrootca_chain.pem ~/AD-LDAP-Files/ldapserver.pem
/root/AD-LDAP-Files/end.pem: OK

Then I create  JKS (Java Key Store) file (as described in Link #2):

# keytool -importcert -noprompt -trustcacerts -alias myrootcachain -file ~/AD-LDAP-Files/myrootca_chain.pem -keystore /etc/ovirt-engine/aaa/myrootca.jks -storepass changeit
Certificate was added to keystore

Then I run ovirt-engine-extension-aaa-ldap-setup:

# ovirt-engine-extension-aaa-ldap-setup

[ INFO  ] Stage: Initializing
[ INFO  ] Stage: Environment setup
          Configuration files: ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
          Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20160927202843-npv8ru.log
          Version: otopi-1.5.2 (otopi-1.5.2-1.el7.centos)
[ INFO  ] Stage: Environment packages setup
[ INFO  ] Stage: Programs detection
[ INFO  ] Stage: Environment customization
          Welcome to LDAP extension configuration program
          Available LDAP implementations:
           1 - 389ds
           2 - 389ds RFC-2307 Schema
           3 - Active Directory
           4 - IPA
           5 - Novell eDirectory RFC-2307 Schema
           6 - OpenLDAP RFC-2307 Schema
           7 - OpenLDAP Standard Schema
           8 - Oracle Unified Directory RFC-2307 Schema
           9 - RFC-2307 Schema (Generic)
          10 - RHDS
          11 - RHDS RFC-2307 Schema
          12 - iPlanet
          Please select: 3
          Please enter Active Directory Forest name: holding.com
[ INFO  ] Resolving Global Catalog SRV record for holding.com
[ INFO  ] Resolving LDAP SRV record for holding.com
          NOTE:
          It is highly recommended to use secure protocol to access the LDAP server.
          Protocol startTLS is the standard recommended method to do so.
          Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
          Use plain for test environments only.
          Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
          Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): File
          File path: /etc/ovirt-engine/aaa/myrootca.jks
[ ERROR ] Invalid CA certificate: unknown error (_ssl.c:2988)
          Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure):
 

In the log /tmp/ovirt-engine-extension-aaa-ldap-setup-20160927202843-npv8ru.log:

...
2016-09-27 20:28:57 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND                 Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure):
2016-09-27 20:29:01 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:RECEIVE    File
2016-09-27 20:29:01 DEBUG otopi.plugins.otopi.dialog.human human.queryString:145 query OVAAALDAP_LDAP_CACERT_FILE
2016-09-27 20:29:01 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND                 File path:
2016-09-27 20:29:10 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:RECEIVE    /etc/ovirt-engine/aaa/myrootca.jks
2016-09-27 20:29:10 ERROR otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:756 Invalid CA certificate: unknown error (_ssl.c:2988)
2016-09-27 20:29:10 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:757 Exception
Traceback (most recent call last):
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 748, in _customization_late
    cacert, cacertfile, insecure = self._getCACert()
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 366, in _getCACert
    error=e,
SoftRuntimeError: Invalid CA certificate: unknown error (_ssl.c:2988)

Tell me, please, what am I doing wrong.

More information about the Users mailing list