<div dir="ltr"><div dir="ltr">But in our setup SSL termination is implemented on an HAProxy node ...</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Apr 6, 2019 at 8:52 AM Massimo Sgaravatto <<a href="mailto:massimo.sgaravatto@gmail.com">massimo.sgaravatto@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>My OpenStack ec2 configuration is a real mess, but ec2 is working with SSL. I have the following settings concerning SSL:</div><div><br></div><div><br></div><div>[DEFAULT]</div><div dir="ltr">ssl_ca_file = <cert-file><br></div><div dir="ltr"><br></div><div dir="ltr"><div dir="ltr">[keystone_authtoken]</div><div>cafile = <cert-file><br></div></div><div dir="ltr"><br></div><div dir="ltr">[metadata]<br></div><div dir="ltr">auth_ca_cert = <cert-file><br></div><div dir="ltr"><br></div><div>Very likely they aren't all needed ...</div><div dir="ltr"><br></div><div dir="ltr"><br></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Apr 6, 2019 at 1:37 AM Georgios Dimitrakakis <<a href="mailto:giorgis@acmac.uoc.gr" target="_blank">giorgis@acmac.uoc.gr</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> Dear all,<br>
<br>
I am trying to set up ec2-api with SSL support on Rocky and no matter <br>
what I do I am getting the following error in the logs <br>
(/var/log/messages)<br>
<br>
ec2-api: SSLError: [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure <br>
(_ssl.c:1822)<br>
<br>
and in the end<br>
<br>
ec2-api: SSLError: [SSL: PEER_DID_NOT_RETURN_A_CERTIFICATE] peer did <br>
not return a certificate (_ssl.c:1822)<br>
<br>
The full trace can be found here: <a href="https://pastebin.com/iPHXudag" rel="noreferrer" target="_blank">https://pastebin.com/iPHXudag</a> (where <br>
I have hidden the hostname)<br>
<br>
What I have done is that in "ec2api.conf" I have set the ca_file, <br>
cert_file and key_file pointing to the same files that OpenStack's <br>
Dashboard is using, which can be accessed without a problem.<br>
<br>
Afterwards I have restarted all ec2 services meaning both the <br>
"openstack-ec2-api-metadata.service" and "openstack-ec2-api.service".<br>
<br>
Using the openssl CLI and trying to connect to port 8788 I am seeing <br>
somewhere in the middle the error:<br>
SSL_connect:SSLv3 write client key exchange A write to 0x26c3e30 <br>
[0x2721290] (6 bytes => -1 (0xFFFFFFFFFFFFFFFF)) SSL_connect:error in <br>
SSLv3 write finished A<br>
SSL_connect:error in SSLv3 write finished A<br>
write:errno=32<br>
<br>
The same openssl CLI command for port 443 (dashboard) works out of the box <br>
without a problem<br>
<br>
Obviously the cert is not served properly but I cannot figure out why...<br>
<br>
Needless to say, I have triple-checked for any spelling mistakes, <br>
permissions, etc., but I am open to suggestions.<br>
<br>
I have set ec2api to "Debug" mode but there isn't anything useful in <br>
the logs and in fact it is not writing anything except a line like the one <br>
below when trying to access it:<br>
<br>
2019-04-06 01:25:03.805 211954 DEBUG ec2api.wsgi.server [-] (211954) <br>
accepted ('xxx.xxx.xxx.xxx', 60154) server <br>
/usr/lib/python2.7/site-packages/eventlet/wsgi.py:883<br>
<br>
Can someone shed some light please?<br>
<br>
If there is anything that you would like me to share with you, like the <br>
openssl CLI's output or the ec2api.log, please let me know.<br>
<br>
Best regards,<br>
<br>
G.<br>
<br>
</blockquote></div>
</blockquote></div></div>
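<p>An added example, not part of the thread and not ec2-api's own code, showing why a server that is handed a CA file can start demanding a certificate from every client. The script below runs a loopback TLS server whose verify policy mirrors what the nova-derived eventlet WSGI server in ec2-api does when ca_file is configured (to my reading of ec2api/wsgi.py it passes the bundle as ca_certs together with cert_reqs=CERT_REQUIRED; confirm that against the wsgi.py of your own release), then connects to it the way openssl s_client without -cert does, and again with a client certificate. The throwaway self-signed certificates are minted on the fly; the openssl CLI (with the cryptography package as a fallback) and a free loopback port are assumptions of the example.</p>

```python
"""Added example, not code from the thread: reproduce the ec2-api symptom
(PEER_DID_NOT_RETURN_A_CERTIFICATE) with a local TLS server whose verify policy
mirrors a WSGI server configured with ca_file, i.e. ca_certs plus
cert_reqs=CERT_REQUIRED, then connect with and without a client certificate.
Assumes the `openssl` CLI or the `cryptography` package for throwaway certs."""
import datetime
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def _self_signed(dirpath, name):
    """Write <name>.key/<name>.crt; openssl CLI first, cryptography as fallback."""
    key, crt = os.path.join(dirpath, name + ".key"), os.path.join(dirpath, name + ".crt")
    try:
        subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                        "-subj", "/CN=" + name, "-days", "1", "-keyout", key, "-out", crt],
                       check=True, capture_output=True)
    except (OSError, subprocess.CalledProcessError):
        from cryptography import x509
        from cryptography.hazmat.primitives import hashes, serialization
        from cryptography.hazmat.primitives.asymmetric import rsa
        from cryptography.x509.oid import NameOID
        priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        subj = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
        now = datetime.datetime.now(datetime.timezone.utc)
        cert = (x509.CertificateBuilder().subject_name(subj).issuer_name(subj)
                .public_key(priv.public_key()).serial_number(x509.random_serial_number())
                .not_valid_before(now - datetime.timedelta(minutes=5))
                .not_valid_after(now + datetime.timedelta(days=1))
                .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
                .sign(priv, hashes.SHA256()))
        with open(key, "wb") as f:
            f.write(priv.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                                       serialization.NoEncryption()))
        with open(crt, "wb") as f:
            f.write(cert.public_bytes(serialization.Encoding.PEM))
    return {"key": key, "crt": crt}


def make_certs():
    """Throwaway, self-signed server and client identities (constructed test data)."""
    d = tempfile.mkdtemp(prefix="ec2api-tls-")
    return {"server": _self_signed(d, "server"), "client": _self_signed(d, "client")}


def run_scenario(certs, server_requires_client_cert, client_presents_cert):
    """One loopback handshake; returns {"server": ..., "client": ...}, each either
    "ok" or the OpenSSL reason code / exception name that side hit."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(certs["server"]["crt"], certs["server"]["key"])
    if server_requires_client_cert:
        # The effect of setting ca_file on the WSGI server: the bundle is loaded
        # AND every client must present a certificate that chains to it.
        srv_ctx.load_verify_locations(certs["client"]["crt"])
        srv_ctx.verify_mode = ssl.CERT_REQUIRED
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    outcome = {"server": None, "client": None}

    def serve_one():
        conn, _ = listener.accept()
        try:
            with srv_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"hello")
                outcome["server"] = "ok"
        except ssl.SSLError as exc:   # e.g. PEER_DID_NOT_RETURN_A_CERTIFICATE
            outcome["server"] = exc.reason or type(exc).__name__
        except OSError as exc:
            outcome["server"] = type(exc).__name__
        finally:
            listener.close()

    t = threading.Thread(target=serve_one)
    t.start()
    # Client side: trust the server cert, skip hostname checks on loopback. With
    # client_presents_cert=False this is `openssl s_client -CAfile ...` without -cert.
    cli_ctx = ssl.create_default_context(cafile=certs["server"]["crt"])
    cli_ctx.check_hostname = False
    if client_presents_cert:
        cli_ctx.load_cert_chain(certs["client"]["crt"], certs["client"]["key"])
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw, cli_ctx.wrap_socket(raw) as tls:
            outcome["client"] = "ok" if tls.recv(5) == b"hello" else "bad payload"
    except ssl.SSLError as exc:   # TLS 1.2: handshake_failure alert; TLS 1.3: certificate_required
        outcome["client"] = exc.reason or type(exc).__name__
    except OSError as exc:        # or a bare EPIPE/ECONNRESET, like write:errno=32 in the post
        outcome["client"] = type(exc).__name__
    t.join()
    return outcome


if __name__ == "__main__":
    certs = make_certs()
    for requires, presents in ((False, False), (True, False), (True, True)):
        print(f"ca_file={requires} client_cert={presents}:", run_scenario(certs, requires, presents))
```

<p>With the CA file loaded and no client certificate offered, the server side reports PEER_DID_NOT_RETURN_A_CERTIFICATE, the same reason code as the log line in the original post, while the client only sees a handshake alert or a bare connection reset (the write:errno=32 from the s_client run); the same server with a client certificate, or with no CA file at all, completes and delivers the payload. To confirm this is the situation on a real node, repeat the s_client run with a client identity (openssl s_client -connect host:8788 -cert client.pem -key client.key) and compare; if the service only needs to present its own certificate, leave the server-side CA file out, or terminate TLS on HAProxy in front of a plain-HTTP ec2-api as the top reply describes, which sidesteps the question entirely.</p>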