[ec2api] SSL Problem

Georgios Dimitrakakis giorgis at acmac.uoc.gr
Fri Apr 5 23:32:26 UTC 2019


 Dear all,

 I am trying to set up ec2-api with SSL support on Rocky and no matter 
 what I do I am getting the following error in the logs 
 (/var/log/messages)

 ec2-api: SSLError: [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure 
 (_ssl.c:1822)

 and in the end

 ec2-api: SSLError: [SSL: PEER_DID_NOT_RETURN_A_CERTIFICATE] peer did 
 not return a certificate (_ssl.c:1822)

 The full trace can be found here: https://pastebin.com/iPHXudag (where 
 I have hidden the hostname)

 What I have done is that in "ec2api.conf" I have set the ca_file, 
 cert_file and key_file pointing to the same files that Openstack's 
 Dashboard is using which can be accessed without a problem.

 Afterwards I have restarted all ec2 services meaning both the 
 "openstack-ec2-api-metadata.service" and "openstack-ec2-api.service".
 
 Using openssl cli and trying to connect to port 8788 I am seeing 
 somewhere in the middle the error:
 SSL_connect:SSLv3 write client key exchange A
 write to 0x26c3e30 [0x2721290] (6 bytes => -1 (0xFFFFFFFFFFFFFFFF))
 SSL_connect:error in SSLv3 write finished A
 SSL_connect:error in SSLv3 write finished A
 write:errno=32

 The same openssl cli for port 443 (dashboard) works out of the box 
 without a problem

 Obviously the cert is not served properly but I cannot figure out why...

 Needless to say, I have triple-checked for any spelling mistakes, 
 permissions etc. but I am open to suggestions.

 I have set ec2api to "Debug" mode but there isn't anything useful in 
 the logs and in fact it is not writing anything except a line like the one 
 below when trying to access it:

 2019-04-06 01:25:03.805 211954 DEBUG ec2api.wsgi.server [-] (211954) 
 accepted ('xxx.xxx.xxx.xxx', 60154) server 
 /usr/lib/python2.7/site-packages/eventlet/wsgi.py:883

 Can someone shed some light please?

 If there is anything that you would like me to share with you like the 
 openssl CLI's output or the ec2api.log please let me know.

 Best regards,

 G.


