[ovirt-users] ovirt-engine-extension-aaa-ldap-setup > [ ERROR ] Invalid CA certificate: unknown error (_ssl.c:2988)
Ondra Machacek
omachace at redhat.com
Wed Sep 28 06:39:35 UTC 2016
On 09/27/2016 07:39 PM, aleksey.maksimov at it-kb.ru wrote:
> Hello oVirt gurus!
>
> I want to configure MS Active Directory authentication for oVirt web UI.
>
> I configured an External LDAP Provider in accordance with the instructions:
>
> Link #1) https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/sect-Configuring_an_External_LDAP_Provider.html
>
> Link #2) https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Setting_Up_SSL_or_TLS_Connections_between_the_Manager_and_an_LDAP_Server.html
>
> To support LDAP over TLS I made a file with all the root certificates (~/AD-LDAP-Files/myrootca_chain.pem).
>
> Checking the file:
>
> $ openssl verify -CAfile ~/AD-LDAP-Files/myrootca_chain.pem ~/AD-LDAP-Files/ldapserver.pem
> /root/AD-LDAP-Files/end.pem: OK
>
> Then I created a JKS (Java Key Store) file (as described in Link #2):
>
> # keytool -importcert -noprompt -trustcacerts -alias myrootcachain -file ~/AD-LDAP-Files/myrootca_chain.pem -keystore /etc/ovirt-engine/aaa/myrootca.jks -storepass changeit
> Certificate was added to keystore
>
> Then I ran ovirt-engine-extension-aaa-ldap-setup:
>
> # ovirt-engine-extension-aaa-ldap-setup
>
> [ INFO ] Stage: Initializing
> [ INFO ] Stage: Environment setup
> Configuration files: ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
> Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20160927202843-npv8ru.log
> Version: otopi-1.5.2 (otopi-1.5.2-1.el7.centos)
> [ INFO ] Stage: Environment packages setup
> [ INFO ] Stage: Programs detection
> [ INFO ] Stage: Environment customization
> Welcome to LDAP extension configuration program
> Available LDAP implementations:
> 1 - 389ds
> 2 - 389ds RFC-2307 Schema
> 3 - Active Directory
> 4 - IPA
> 5 - Novell eDirectory RFC-2307 Schema
> 6 - OpenLDAP RFC-2307 Schema
> 7 - OpenLDAP Standard Schema
> 8 - Oracle Unified Directory RFC-2307 Schema
> 9 - RFC-2307 Schema (Generic)
> 10 - RHDS
> 11 - RHDS RFC-2307 Schema
> 12 - iPlanet
> Please select: 3
> Please enter Active Directory Forest name: holding.com
> [ INFO ] Resolving Global Catalog SRV record for holding.com
> [ INFO ] Resolving LDAP SRV record for holding.com
> NOTE:
> It is highly recommended to use secure protocol to access the LDAP server.
> Protocol startTLS is the standard recommended method to do so.
> Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
> Use plain for test environments only.
> Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
> Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): File
> File path: /etc/ovirt-engine/aaa/myrootca.jks
"Please select method to obtain PEM encoded CA certificate"
File means the PEM file, not the JKS file. The JKS is created by
aaa-ldap-setup.
> [ ERROR ] Invalid CA certificate: unknown error (_ssl.c:2988)
> Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure):
>
>
> In the log /tmp/ovirt-engine-extension-aaa-ldap-setup-20160927202843-npv8ru.log:
>
> ...
> 2016-09-27 20:28:57 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure):
> 2016-09-27 20:29:01 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:RECEIVE File
> 2016-09-27 20:29:01 DEBUG otopi.plugins.otopi.dialog.human human.queryString:145 query OVAAALDAP_LDAP_CACERT_FILE
> 2016-09-27 20:29:01 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND File path:
> 2016-09-27 20:29:10 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:RECEIVE /etc/ovirt-engine/aaa/myrootca.jks
> 2016-09-27 20:29:10 ERROR otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:756 Invalid CA certificate: unknown error (_ssl.c:2988)
> 2016-09-27 20:29:10 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:757 Exception
> Traceback (most recent call last):
> File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 748, in _customization_late
> cacert, cacertfile, insecure = self._getCACert()
> File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 366, in _getCACert
> error=e,
> SoftRuntimeError: Invalid CA certificate: unknown error (_ssl.c:2988)
>
> Please tell me what I am doing wrong.
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
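The failure above comes from handing the setup tool a binary JKS keystore where it expects a PEM bundle, and Python's ssl module only reports "unknown error (_ssl.c:...)" for that. The following is an added example, not part of this thread or of ovirt-engine-extension-aaa-ldap-setup: a stdlib-only pre-flight check that tells a PEM bundle from a JKS keystore (whose file magic is 0xFEEDFEED) and from a bare DER certificate, counts the well-formed certificate blocks in the bundle, and then loads it through an SSLContext the same way the tool does, so the error becomes specific. The sample inputs (SAMPLE_JKS, SAMPLE_PEM_BOGUS, SAMPLE_PEM_BROKEN) are constructed in the block and are not real keystores or certificates; the keytool and openssl conversion commands in the messages are the standard ones.

```python
"""Pre-flight check for the CA file given to ovirt-engine-extension-aaa-ldap-setup.

The tool wants a PEM-encoded CA certificate (or chain) and passes it to
Python's ssl module. A JKS keystore is a binary Java format, so the parse
fails with an opaque "Invalid CA certificate: unknown error". This helper
is an added example, not code from the tool itself.
"""
import base64
import binascii
import re
import ssl

JKS_MAGIC = b"\xfe\xed\xfe\xed"  # first four bytes of every JKS keystore
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def classify_ca_bytes(data):
    """Return 'jks', 'pem', 'der' or 'unknown' for the raw bytes of a CA file."""
    if data.startswith(JKS_MAGIC):
        return "jks"
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "pem"
    # A bare DER certificate starts with an ASN.1 SEQUENCE tag (0x30).
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def count_pem_certs(data):
    """Count certificate blocks whose body is base64 that decodes to a DER SEQUENCE.

    This catches truncated or hand-edited bundles before ssl sees them.
    """
    n = 0
    for body in PEM_BLOCK.findall(data):
        try:
            der = base64.b64decode(body, validate=False)  # ignores line breaks
        except (binascii.Error, ValueError):
            continue
        if der[:1] == b"\x30":
            n += 1
    return n


def check_ca_bytes(data):
    """Return (ok, message) saying whether the setup tool will accept this CA file."""
    kind = classify_ca_bytes(data)
    if kind == "jks":
        return False, (
            "Java keystore, not PEM; the setup tool builds the JKS itself. "
            "Give it the PEM bundle, or export one with: "
            "keytool -exportcert -rfc -alias <alias> -keystore <file.jks> -file ca.pem"
        )
    if kind == "der":
        return False, (
            "DER certificate; convert with: "
            "openssl x509 -inform DER -in ca.der -out ca.pem"
        )
    if kind != "pem":
        return False, "no PEM certificate block found"
    n = count_pem_certs(data)
    if n == 0:
        return False, "PEM header present but no well-formed certificate body"
    # Same parse the tool performs: load the bundle as trust anchors.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cadata=data.decode("ascii"))
    except (ssl.SSLError, ValueError, UnicodeDecodeError) as e:
        return False, "ssl rejected the bundle: %s" % e
    return True, "%d CA certificate(s) loaded" % n


def check_ca_file(path):
    """Read a file and run check_ca_bytes on it."""
    with open(path, "rb") as f:
        return check_ca_bytes(f.read())


# Constructed samples for a stand-alone run (not real keystores or certificates).
SAMPLE_JKS = JKS_MAGIC + b"\x00\x00\x00\x02" + b"\x00" * 16
SAMPLE_PEM_BOGUS = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"\x30\x82\x01\x2c" + bytes(300))
    + b"-----END CERTIFICATE-----\n"
)
SAMPLE_PEM_BROKEN = b"-----BEGIN CERTIFICATE-----\n!!!!\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, blob in (("jks", SAMPLE_JKS), ("bogus pem", SAMPLE_PEM_BOGUS),
                       ("broken pem", SAMPLE_PEM_BROKEN)):
        print(name, check_ca_bytes(blob))
```

Run `check_ca_file("/etc/ovirt-engine/aaa/myrootca.jks")` and the message names the format and the conversion; run it on the PEM chain from the original `openssl verify` step and the ssl load succeeds with the number of anchors found. The check only decides whether the bytes are a loadable PEM trust bundle; whether the chain actually matches the LDAP server's certificate is still the `openssl verify` step the poster already ran.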