[Openstack] Fwd: Issues with nova x-509-

Razique Mahroua razique.mahroua at gmail.com
Tue Mar 5 14:25:38 UTC 2013


OK, I finally resolved my issue.
I have two instances of nova-cert running on my HA controllers; I created a new nova-cert primitive, restarted the cloudpipe instance, and now the openvpn works.

Regards,
Razique Mahroua - Nuage & Co
razique.mahroua at gmail.com
Tel : +33 9 72 37 94 15



Begin forwarded message:

> From: Razique Mahroua <razique.mahroua at gmail.com>
> Subject: Issues with nova x-509-
> Date: 5 March 2013 15:03:04 UTC+01:00
> To: "openstack at lists.launchpad.net OpenStack" <openstack at lists.launchpad.net>
> 
> Hi, 
> I'm facing an issue with cloudpipe that is driving me crazy. My cloudpipe vpn keys used to work for a tenant, but for another one (regular), it doesn't work.
> I basically create a certificate : 
> $ nova x509-create-cert
> Wrote private key to pk.pem
> Wrote x509 certificate to cert.pem
> 
> $ nova x509-get-root-cert
> Wrote x509 root cert to cacert.pem
> 
> now if I verify both cert. and private key, they match  : 
> $ openssl x509 -noout -modulus -in cert.pem | openssl md5
> (stdin)= 93259863d334911d55be20db96709e66
> 
> $ openssl rsa -noout -modulus -in pk.key | openssl md5
> (stdin)= 93259863d334911d55be20db96709e66
> 
> but if I want to verify the CA against the cert, then it doesn't match  :
> $ openssl verify -CAfile cacert.pem cert.pem
> cert.pem: C = US, ST = California, O = OpenStack, OU = NovaDev, CN = 9b1ed48626fa46b7-2c3d0e28ec564cbe-2013-03-05T13:49:04Z
> error 7 at 0 depth lookup:certificate signature failure
> 140284857550496:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
> 140284857550496:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:721:
> 140284857550496:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:221:
> 
> Thus I obtain the following errors in openvpn : 
> http://paste.openstack.org/show/32787/
> 
> If I verify the CA against the certs located in /var/lib/nova/CA/projects/ it works : 
> openssl verify -CAfile /var/lib/nova/CA/projects/$project-Id/cacert.pem  /var/lib/nova/CA/projects/$project-Id/newcerts/14.pem
> /var/lib/nova/CA/projects/9b1ed48626fa46b7b81f21ef21979069/newcerts/14.pem: OK
> 
> and the md5 seems good as well :
> $ openssl x509 -noout -modulus -in /var/lib/nova/CA/projects/$project-id/newcerts/14.pem  | openssl md5
> 
> But if I choose that certificate, I have the same errors...
> 
> Is there any way to reset all the tenants' CAs and clean up a bit? (The nova certificates table references files that are missing: /var/lib/nova/CA/projects/9b1ed48626fa46b7b81f21ef21979069/newcerts/17.pem is an entry while the file doesn't exist.)
> Best regards,
> Razique
> 
> Razique Mahroua - Nuage & Co
> razique.mahroua at gmail.com
> Tel : +33 9 72 37 94 15
> 
> 
> 
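
The checks from the thread, reproduced as an added example that is not part of the original messages: a key/certificate modulus match and a matching issuer name both pass even when the certificate was signed by a different CA key, and only `openssl verify` catches it. It assumes (the thread does not say so) that the two nova-cert instances each held a different CA key under the same subject; every name, subject and file below is constructed.

```shell
#!/bin/sh
# Constructed demo: two CAs with an identical subject but different keys
# (assumed to be what two separately initialised signers would hold).
W=$(mktemp -d)
cat > "$W/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

make_ca() {      # $1 = CA name; fresh key, same constructed subject every time
  openssl req -x509 -config "$W/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/C=US/O=OpenStack/OU=NovaDev/CN=demo-project-ca" \
    -keyout "$W/$1.key" -out "$W/$1.pem" 2>/dev/null
}

issue_cert() {   # $1 = signing CA; writes pk.pem and cert.pem
  openssl req -new -config "$W/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=demo-client" -keyout "$W/pk.pem" -out "$W/client.csr" 2>/dev/null
  openssl x509 -req -in "$W/client.csr" -CA "$W/$1.pem" -CAkey "$W/$1.key" \
    -set_serial 1 -days 2 -out "$W/cert.pem" 2>/dev/null
}

key_matches_cert() {   # the modulus comparison from the thread, with SHA-256
  [ "$(openssl x509 -noout -modulus -in "$W/cert.pem" | openssl sha256)" = \
    "$(openssl rsa -noout -modulus -in "$W/pk.pem" | openssl sha256)" ]
}

issuer_name_matches() {   # $1 = CA name; compares names only, not keys
  [ "$(openssl x509 -noout -issuer_hash -in "$W/cert.pem")" = \
    "$(openssl x509 -noout -subject_hash -in "$W/$1.pem")" ]
}

verifies_against() {   # $1 = CA name; the only check that involves the CA key
  openssl verify -CAfile "$W/$1.pem" "$W/cert.pem" >/dev/null 2>&1
}

make_ca ca_a; make_ca ca_b; issue_cert ca_a
key_matches_cert && echo "key/cert modulus: match"
for ca in ca_a ca_b; do
  issuer_name_matches "$ca" && echo "$ca: issuer name matches"
  verifies_against "$ca" && echo "$ca: verify OK" || echo "$ca: verify FAILED"
  openssl x509 -noout -fingerprint -sha256 -in "$W/$ca.pem"
done
```

The differing SHA-256 fingerprints printed for the two CA files are the quickest way to tell apart CA certificates that carry the same subject.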
