[ec2api] SSL Problem

Georgios Dimitrakakis giorgis at acmac.uoc.gr
Sat Apr 6 12:29:31 UTC 2019

 Your setup is different than mine since the SSL termination is taking 
 place on HAproxy, so not really EC2 affected.

 Thankfully I have found out the solution.

 In ec2api.conf there is a parameter called "ssl_ca_file" which as 
 described in its explanation is used to verify connecting clients.
 My misunderstanding, probably because of what is required in general 
 and because I didn't read it carefully, was that this will be used for 
 the intermediate certificate when obviously this is not the case.

 So I had to leave this option to "None" (as its default) and fill only 
 the "ssl_cert_file" and "ssl_key_file" parameters. The intermediate 
 certificate has to be bundled (included) though in the "ssl_cert_file" 
 for "awscli" to work.

 To sum up one has to create a "ssl_cert_file" from both his/hers 
 "Signed Certificate" and "Intermediate Certificate".
 Use this in the "ssl_cert_file" parameter and set in the "ssl_key_file" 
 parameter the respective key.
 Leave the "ssl_ca_file" empty and this solves the problem.

 Hope someone finds the above useful.
 I only wish I had read more carefully from the beginning the 
 "ssl_ca_file" description...

 Best regards,


> But in our setup SSL termination is implemented on a HAproxy node ...
> On Sat, Apr 6, 2019 at 8:52 AM Massimo Sgaravatto  wrote:
>> My OpenStack ec2 configuration is a real mess, but ec2 is working
>> with SSL. I have the following settings concerning SSL:
>> ssl_ca_file =
>> [keystone_authtoken]
>> cafile =
>> [metadata]
>> auth_ca_cert =
>> Very likely they arent all needed ...
>> On Sat, Apr 6, 2019 at 1:37 AM Georgios Dimitrakakis wrote:
>>>  Dear all,
>>>  I am trying to setup ec2-api with SSL support on Rocky and no
>>> matter
>>>  what I do I am getting the following error in the logs
>>>  (/var/log/messages)
>>>  ec2-api: SSLError: [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake
>>> failure
>>>  (_ssl.c:1822)
>>>  and in the end
>>> peer did
>>>  not return a certificate (_ssl.c:1822)
>>>  The full trace can be found here: https://pastebin.com/iPHXudag
>>> [1] (where
>>>  I have hidden the hostname)
>>>  What I have done is that in "ec2api.conf" I have set the
>>> ca_file,
>>>  cert_file and key_file pointing to the same files that
>>> Openstacks
>>>  Dashboard is using which can be accessed without a problem.
>>>  Afterwards I have restarted all ec2 services meaning both the
>>>  "openstack-ec2-api-metadata.service" and
>>> "openstack-ec2-api.service".
>>>  Using openssl cli and trying to connect to port 8788 I am
>>> seeing
>>>  somewhere in the middle the error:
>>>  SSL_connect:SSLv3 write client key exchange A write to
>>> 0x26c3e30
>>>  [0x2721290] (6 bytes => -1 (0xFFFFFFFFFFFFFFFF))
>>> SSL_connect:error in
>>>  SSLv3 write finished A
>>>  SSL_connect:error in SSLv3 write finished A
>>>  write:errno=32
>>>  The same openssl cli for port 443 (dashboard) works out of the
>>> box
>>>  without a problem
>>>  Obviously the cert is not served properly but cannot figure out
>>> why...
>>>  Needless to say that I have tripled checked for any spelling
>>> mistakes,
>>>  permissions etc. but I am open to suggestions.
>>>  I have set ec2api to "Debug" mode but there isnt anything
>>> useful in
>>>  the logs and in fact is not writing anything except a line like
>>> the one
>>>  below when trying to access it:
>>>  2019-04-06 01:25:03.805 211954 DEBUG ec2api.wsgi.server [-]
>>> (211954)
>>>  accepted (xxx.xxx.xxx.xxx, 60154) server
>>>  /usr/lib/python2.7/site-packages/eventlet/wsgi.py:883
>>>  Can someone shed some light please?
>>>  If there is anything that you would like me to share with you
>>> like the
>>>  openssl CLIs output or the ec2api.log please let me know.
>>>  Best regards,
>>>  G.
> Links:
> ------
> [1] https://pastebin.com/iPHXudag
> [2] mailto:giorgis at acmac.uoc.gr
> [3] mailto:massimo.sgaravatto at gmail.com

More information about the openstack-discuss mailing list