[ec2api] SSL Problem
giorgis at acmac.uoc.gr
Sat Apr 6 12:29:31 UTC 2019
Your setup is different than mine since the SSL termination is taking
place on HAproxy, so not really EC2 affected.
Thankfully I have found out the solution.
In ec2api.conf there is a parameter called "ssl_ca_file" which as
described in its explanation is used to verify connecting clients.
My misunderstanding, probably because of what is required in general
and because I didn't read it carefully, was that this will be used for
the intermediate certificate when obviously this is not the case.
So I had to leave this option to "None" (as its default) and fill only
the "ssl_cert_file" and "ssl_key_file" parameters. The intermediate
certificate has to be bundled (included) though in the "ssl_cert_file"
for "awscli" to work.
To sum up one has to create a "ssl_cert_file" from both his/hers
"Signed Certificate" and "Intermediate Certificate".
Use this in the "ssl_cert_file" parameter and set in the "ssl_key_file"
parameter the respective key.
Leave the "ssl_ca_file" empty and this solves the problem.
Hope someone finds the above useful.
I only wish I had read more carefully from the beginning the
> But in our setup SSL termination is implemented on a HAproxy node ...
> On Sat, Apr 6, 2019 at 8:52 AM Massimo Sgaravatto wrote:
>> My OpenStack ec2 configuration is a real mess, but ec2 is working
>> with SSL. I have the following settings concerning SSL:
>> ssl_ca_file =
>> cafile =
>> auth_ca_cert =
>> Very likely they arent all needed ...
>> On Sat, Apr 6, 2019 at 1:37 AM Georgios Dimitrakakis wrote:
>>> Dear all,
>>> I am trying to setup ec2-api with SSL support on Rocky and no
>>> what I do I am getting the following error in the logs
>>> ec2-api: SSLError: [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake
>>> and in the end
>>> ec2-api: SSLError: [SSL: PEER_DID_NOT_RETURN_A_CERTIFICATE]
>>> peer did
>>> not return a certificate (_ssl.c:1822)
>>> The full trace can be found here: https://pastebin.com/iPHXudag
>>>  (where
>>> I have hidden the hostname)
>>> What I have done is that in "ec2api.conf" I have set the
>>> cert_file and key_file pointing to the same files that
>>> Dashboard is using which can be accessed without a problem.
>>> Afterwards I have restarted all ec2 services meaning both the
>>> "openstack-ec2-api-metadata.service" and
>>> Using openssl cli and trying to connect to port 8788 I am
>>> somewhere in the middle the error:
>>> SSL_connect:SSLv3 write client key exchange A write to
>>> [0x2721290] (6 bytes => -1 (0xFFFFFFFFFFFFFFFF))
>>> SSL_connect:error in
>>> SSLv3 write finished A
>>> SSL_connect:error in SSLv3 write finished A
>>> The same openssl cli for port 443 (dashboard) works out of the
>>> without a problem
>>> Obviously the cert is not served properly but cannot figure out
>>> Needless to say that I have tripled checked for any spelling
>>> permissions etc. but I am open to suggestions.
>>> I have set ec2api to "Debug" mode but there isnt anything
>>> useful in
>>> the logs and in fact is not writing anything except a line like
>>> the one
>>> below when trying to access it:
>>> 2019-04-06 01:25:03.805 211954 DEBUG ec2api.wsgi.server [-]
>>> accepted (xxx.xxx.xxx.xxx, 60154) server
>>> Can someone shed some light please?
>>> If there is anything that you would like me to share with you
>>> like the
>>> openssl CLIs output or the ec2api.log please let me know.
>>> Best regards,
>  https://pastebin.com/iPHXudag
>  mailto:giorgis at acmac.uoc.gr
>  mailto:massimo.sgaravatto at gmail.com
More information about the openstack-discuss