[openstack-dev] [magnum] k8s api tls_enabled mode testing

OTSUKA, Motohiro yuanying at oeilvert.org
Mon Oct 26 04:14:57 UTC 2015


Hi, Eli Qiao

If the CA or client certs are wrong, I think the client will get an error before `client hello`.
I tested broken ca cert and client cert in my local environment.
See below logs.

yuanying at devstack:~/temp$ curl https://192.168.19.92:6443 --tlsv1.0 -v  --key ./client.key --cert ./client.crt --cacert ./ca.crt
* Rebuilt URL to: https://192.168.19.92:6443/
* Hostname was NOT found in DNS cache
*   Trying 192.168.19.92...
* Connected to 192.168.19.92 (192.168.19.92) port 6443 (#0)
* unable to use client certificate (no key found or wrong pass phrase?)
* Closing connection 0
curl: (58) unable to use client certificate (no key found or wrong pass phrase?)



--  
OTSUKA, Motohiro


On Wednesday, October 21, 2015 at 20:34, Qiao, Liyong wrote:

> Hello,
> I need your help on k8s api tls_enabled mode.
> Here’s my patch https://review.openstack.org/232421
>   
> It always fails on the gate, but it works in my setup.
> Debugging more, I found that the CA cert API returns a different length:
>   
> On my setup:
> 10.238.157.49 - - [21/Oct/2015 19:16:17] "POST /v1/certificates HTTP/1.1" 201 3360
> 10.238.157.49 - - [21/Oct/2015 19:16:17] "GET /v1/certificates/d4bf6135-a3d0-4980-a785-e3f2900ca315 HTTP/1.1" 200 1357
>   
> On gate:
>   
> 127.0.0.1 - - [21/Oct/2015 10:59:40] "POST /v1/certificates HTTP/1.1" 201 3352
> 127.0.0.1 - - [21/Oct/2015 10:59:40] "GET /v1/certificates/a9aa1bbd-d624-4791-a4b9-e7a076c8bf58 HTTP/1.1" 200 1349
>   
> Misses 8 Bit.
>   
> I also printed out the cert file content, but the lengths on the gate and on my setup are the same.
> But it failed on the gate due to an SSL exception.
> Does anyone know what will be the root cause?
>   
>   
>   
> BR, Eli(Li Yong)Qiao
>   
>  
>  
>  
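curl exit code 58 (CURLE_SSL_CERTPROBLEM) in the log above reports a problem with the local client certificate. As an added example that is not part of the original thread, the script below runs comparable checks offline with the openssl CLI on the three files passed to curl; the function names, verdict strings and generated test files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: offline pre-flight for the files given to curl via
# --cacert, --cert and --key. All keys and certs below are constructed test data.

# preflight CA CERT KEY: print one verdict word; return 0 only if every check passes.
preflight() {
  ca=$1; cert=$2; key=$3
  # 1. The certificate must parse; extract its public key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo cert-unreadable; return 1; }
  # 2. The private key must load with an empty passphrase (an encrypted or
  #    damaged key stops here, like curl's "no key found or wrong pass phrase?").
  key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
    { echo key-unreadable; return 1; }
  # 3. Key and certificate must carry the same public key.
  [ "$cert_pub" = "$key_pub" ] || { echo key-mismatch; return 1; }
  # 4. The certificate must chain to the CA file.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo not-signed-by-ca; return 1; }
  echo ok
}

# make_fixtures DIR: constructed CA, client cert signed by it, unrelated key and CA.
make_fixtures() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-ca" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-client" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/client.crt" 2>/dev/null &&
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-other-ca" \
    -keyout "$d/other-ca.key" -out "$d/other-ca.crt" 2>/dev/null &&
  printf 'truncated\n' > "$d/broken.key"
}

demo=$(mktemp -d)
make_fixtures "$demo"
for k in client.key other.key broken.key; do
  printf '%s: %s\n' "$k" "$(preflight "$demo/ca.crt" "$demo/client.crt" "$demo/$k")"
done
printf 'other-ca.crt: %s\n' \
  "$(preflight "$demo/other-ca.crt" "$demo/client.crt" "$demo/client.key")"
rm -rf "$demo"
```

Running `preflight ca.crt client.crt client.key` on the gate and on a working setup separates a file that cannot be loaded from a certificate the CA did not issue.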

