[ec2api] SSL Problem

Massimo Sgaravatto massimo.sgaravatto at gmail.com
Sat Apr 6 07:04:28 UTC 2019


But in our setup SSL termination is implemented on an HAProxy node ...

On Sat, Apr 6, 2019 at 8:52 AM Massimo Sgaravatto <
massimo.sgaravatto at gmail.com> wrote:

> My OpenStack ec2 configuration is a real mess, but ec2 is working with
> SSL. I have the following settings concerning SSL:
>
>
> [DEFAULT]
> ssl_ca_file = <cert-file>
>
> [keystone_authtoken]
> cafile = <cert-file>
>
> [metadata]
> auth_ca_cert = <cert-file>
>
> Very likely they aren't all needed ...
>
>
>
> On Sat, Apr 6, 2019 at 1:37 AM Georgios Dimitrakakis <giorgis at acmac.uoc.gr>
> wrote:
>
>>  Dear all,
>>
>>  I am trying to set up ec2-api with SSL support on Rocky and no matter
>>  what I do I am getting the following error in the logs
>>  (/var/log/messages)
>>
>>  ec2-api: SSLError: [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure
>>  (_ssl.c:1822)
>>
>>  and in the end
>>
>>  ec2-api: SSLError: [SSL: PEER_DID_NOT_RETURN_A_CERTIFICATE] peer did
>>  not return a certificate (_ssl.c:1822)
>>
>>  The full trace can be found here: https://pastebin.com/iPHXudag (where
>>  I have hidden the hostname)
>>
>>  What I have done is that in "ec2api.conf" I have set the ca_file,
>>  cert_file and key_file pointing to the same files that OpenStack's
>>  Dashboard is using, which can be accessed without a problem.
>>
>>  Afterwards I have restarted all ec2 services meaning both the
>>  "openstack-ec2-api-metadata.service" and "openstack-ec2-api.service".
>>
>>  Using openssl cli and trying to connect to port 8788 I am seeing
>>  somewhere in the middle the error:
>>  SSL_connect:SSLv3 write client key exchange A write to 0x26c3e30
>>  [0x2721290] (6 bytes => -1 (0xFFFFFFFFFFFFFFFF)) SSL_connect:error in
>>  SSLv3 write finished A
>>  SSL_connect:error in SSLv3 write finished A
>>  write:errno=32
>>
>>  The same openssl cli for port 443 (dashboard) works out of the box
>>  without a problem.
>>
>>  Obviously the cert is not served properly but I cannot figure out why...
>>
>>  Needless to say that I have triple-checked for any spelling mistakes,
>>  permissions etc. but I am open to suggestions.
>>
>>  I have set ec2api to "Debug" mode but there isn't anything useful in
>>  the logs and in fact it is not writing anything except a line like the one
>>  below when trying to access it:
>>
>>  2019-04-06 01:25:03.805 211954 DEBUG ec2api.wsgi.server [-] (211954)
>>  accepted ('xxx.xxx.xxx.xxx', 60154) server
>>  /usr/lib/python2.7/site-packages/eventlet/wsgi.py:883
>>
>>  Can someone shed some light please?
>>
>>  If there is anything that you would like me to share with you like the
>>  openssl CLI's output or the ec2api.log please let me know.
>>
>>  Best regards,
>>
>>  G.
>>
>>
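A small diagnostic for the situation described in the thread, added here as an example and not code from ec2-api or from either poster. It assumes, as in the nova-derived eventlet WSGI server that ec2-api uses, that configuring a CA file switches the listener to requiring a client certificate from every peer, which is exactly what the server-side log line PEER_DID_NOT_RETURN_A_CERTIFICATE reports when a plain client (openssl s_client without -cert, or a browser) connects; the config text and paths are constructed.

```python
"""Report what an ec2api.conf [DEFAULT] SSL block implies for the listener."""
import configparser
import os

# Option names accepted: the nova-style ssl_* names and the bare names
# used loosely in the thread.
CA_KEYS = ("ssl_ca_file", "ca_file")
CERT_KEYS = ("ssl_cert_file", "cert_file")
KEY_KEYS = ("ssl_key_file", "key_file")


def _first(section, keys):
    """Return the value of the first key present in the section, else None."""
    for k in keys:
        if k in section:
            return section[k]
    return None


def analyse(conf_text):
    """Describe the TLS mode implied by the [DEFAULT] section of conf_text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    d = cp["DEFAULT"]
    ca, cert, key = _first(d, CA_KEYS), _first(d, CERT_KEYS), _first(d, KEY_KEYS)
    # Assumption (nova-style wsgi server): a CA file means cert_reqs=CERT_REQUIRED,
    # so the server verifies *client* certificates, not just serves its own.
    client_cert_required = bool(ca)
    return {
        "tls_enabled": bool(cert and key),
        "cert_reqs": "CERT_REQUIRED" if client_cert_required else "CERT_NONE",
        # A client that presents no certificate is rejected with this SSL error.
        "error_for_plain_clients": (
            "PEER_DID_NOT_RETURN_A_CERTIFICATE" if client_cert_required else None
        ),
        # Paths that do not exist on this host (permissions are a separate check).
        "missing_files": [p for p in (ca, cert, key) if p and not os.path.isfile(p)],
    }


# Constructed sample mirroring the thread: all three options set to one host's cert.
SAMPLE_CONF = """\
[DEFAULT]
ssl_cert_file = /etc/ec2api/ssl/server.crt
ssl_key_file = /etc/ec2api/ssl/server.key
ssl_ca_file = /etc/ec2api/ssl/server.crt
"""

if __name__ == "__main__":
    for name, value in analyse(SAMPLE_CONF).items():
        print(f"{name}: {value}")
```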