[openstack-dev] [magnum] k8s api tls_enabled mode testing
yuanying at oeilvert.org
Mon Oct 26 04:14:57 UTC 2015
Hi, Eli Qiao
If the CA or client certs are wrong, I think the client will get an error before `client hello`.
I tested a broken CA cert and client cert in my local environment.
See the logs below.
yuanying at devstack:~/temp$ curl https://192.168.19.92:6443 --tlsv1.0 -v --key ./client.key --cert ./client.crt --cacert ./ca.crt
* Rebuilt URL to: https://192.168.19.92:6443/
* Hostname was NOT found in DNS cache
* Trying 192.168.19.92...
* Connected to 192.168.19.92 (192.168.19.92) port 6443 (#0)
* unable to use client certificate (no key found or wrong pass phrase?)
* Closing connection 0
curl: (58) unable to use client certificate (no key found or wrong pass phrase?)
On Wednesday, October 21, 2015 at 20:34, Qiao, Liyong wrote:
> I need your help on k8s api tls_enabled mode.
> Here’s my patch https://review.openstack.org/232421
> It always fails on the gate, but it works in my setup.
> Debugging more, I found that the length returned by the CA cert API differs:
> On my setup:
> 10.238.157.49 - - [21/Oct/2015 19:16:17] "POST /v1/certificates HTTP/1.1" 201 3360
> 10.238.157.49 - - [21/Oct/2015 19:16:17] "GET /v1/certificates/d4bf6135-a3d0-4980-a785-e3f2900ca315 HTTP/1.1" 200 1357
> On gate:
> 127.0.0.1 - - [21/Oct/2015 10:59:40] "POST /v1/certificates HTTP/1.1" 201 3352
> 127.0.0.1 - - [21/Oct/2015 10:59:40] "GET /v1/certificates/a9aa1bbd-d624-4791-a4b9-e7a076c8bf58 HTTP/1.1" 200 1349
> 8 bits are missing.
> I also printed out the cert file content, but the lengths on the gate and on my setup are the same.
> But it failed on the gate due to an SSL exception.
> Does anyone know what the root cause is?
> BR, Eli(Li Yong)Qiao