Your setup is different from mine, since the SSL termination is taking place on HAProxy, so EC2 is not really affected.

Thankfully I have found the solution. In ec2api.conf there is a parameter called "ssl_ca_file" which, as described in its explanation, is used to verify connecting clients. My misunderstanding, probably because of what is required in general and because I didn't read it carefully, was that this would be used for the intermediate certificate, when obviously this is not the case. So I had to leave this option at "None" (its default) and fill in only the "ssl_cert_file" and "ssl_key_file" parameters. The intermediate certificate has to be bundled (included) in the "ssl_cert_file", though, for "awscli" to work.

To sum up, one has to create an "ssl_cert_file" from both his/her "Signed Certificate" and "Intermediate Certificate". Use this in the "ssl_cert_file" parameter and set in the "ssl_key_file" parameter the respective key. Leave the "ssl_ca_file" empty and this solves the problem.

Hope someone finds the above useful. I only wish I had read the "ssl_ca_file" description more carefully from the beginning...

Best regards,
G.
But in our setup SSL termination is implemented on an HAProxy node ...
On Sat, Apr 6, 2019 at 8:52 AM Massimo Sgaravatto wrote:
My OpenStack ec2 configuration is a real mess, but ec2 is working with SSL. I have the following settings concerning SSL:
[DEFAULT]
ssl_ca_file =

[keystone_authtoken]
cafile =

[metadata]
auth_ca_cert =
Very likely they aren't all needed ...
On Sat, Apr 6, 2019 at 1:37 AM Georgios Dimitrakakis wrote:
Dear all,
I am trying to set up ec2-api with SSL support on Rocky and no matter what I do I am getting the following error in the logs (/var/log/messages):
ec2-api: SSLError: [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1822)
and in the end
ec2-api: SSLError: [SSL: PEER_DID_NOT_RETURN_A_CERTIFICATE] peer did not return a certificate (_ssl.c:1822)
The full trace can be found here: https://pastebin.com/iPHXudag [1] (where I have hidden the hostname)
What I have done is that in "ec2api.conf" I have set the ca_file, cert_file and key_file pointing to the same files that OpenStack's Dashboard is using, which can be accessed without a problem.
Afterwards I have restarted all ec2 services meaning both the "openstack-ec2-api-metadata.service" and "openstack-ec2-api.service".
Using the openssl CLI and trying to connect to port 8788 I am seeing somewhere in the middle the error:

SSL_connect:SSLv3 write client key exchange A
write to 0x26c3e30 [0x2721290] (6 bytes => -1 (0xFFFFFFFFFFFFFFFF))
SSL_connect:error in SSLv3 write finished A
SSL_connect:error in SSLv3 write finished A
write:errno=32
The same openssl cli for port 443 (dashboard) works out of the box without a problem
Obviously the cert is not served properly, but I cannot figure out why...
Needless to say, I have triple-checked for any spelling mistakes, permissions etc., but I am open to suggestions.
I have set ec2api to "Debug" mode but there isn't anything useful in the logs; in fact it is not writing anything except a line like the one below when trying to access it:
2019-04-06 01:25:03.805 211954 DEBUG ec2api.wsgi.server [-] (211954) accepted (xxx.xxx.xxx.xxx, 60154) server /usr/lib/python2.7/site-packages/eventlet/wsgi.py:883
Can someone shed some light please?
If there is anything that you would like me to share with you like the openssl CLIs output or the ec2api.log please let me know.
Best regards,
G.
Links:
------
[1] https://pastebin.com/iPHXudag
[2] mailto:giorgis@acmac.uoc.gr
[3] mailto:massimo.sgaravatto@gmail.com