[ovs-discuss] ovs-vsctl set-controller fails with test-controller using SSL.

Arun Sharma arun.sharma at calsoftinc.com
Fri Dec 6 12:02:04 UTC 2013


It seems you have to pass the switch CA certificate
"--ca-cert=…/switchca/cacert.pem" while starting test-controller.

Arun

From:  Kelvin keros <kelvin.keros at gmail.com>
Date:  Thu, 5 Dec 2013 19:51:19 +0530
To:  <discuss at openvswitch.org>
Subject:  [ovs-discuss] ovs-vsctl set-controller fails with test-controller
using SSL.

Hi OVS Team,

I was trying to use test-controller with an OVS switch with SSL but found
the errors below when set-controller is executed.

# ovs-vsctl set-controller br6 ssl:192.168.188.155:6633

On ovs-vswitchd.log

------------------------------------

2013-12-05T10:13:34.519Z|00081|rconn|INFO|br6<->ssl:192.168.188.155:6633: connecting...

2013-12-05T10:13:34.534Z|00082|stream_ssl|WARN|SSL_connect:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca



On ovs-controller.log

---------------------------------------

2013-12-05T10:13:42.536Z|00021|stream_ssl|WARN|SSL_accept:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned

2013-12-05T10:13:42.536Z|00022|vconn_stream|ERR|send: Protocol error





Note: test-controller, the PKI structure, ovs-vswitchd and ovsdb-server are all
present or running on the same box.



----------------- Done PKI configuration as below-----------------------

Configure PKI (Refer - INSTALL.SSL)

# ovs-pki --force init

# ls /usr/local/var/lib/openvswitch/pki/

# ovs-pki req+sign ctl controller

  ctl-req.pem Wed Dec  4 22:31:24 PST 2013

fingerprint 32ed2112bf73beae3b43b105e02c18f5ac308382

# ls *.pem

ctl-cert.pem  ctl-privkey.pem  ctl-req.pem



# ovs-pki req+sign sc switch

sc-req.pem Wed Dec  4 22:31:49 PST 2013

fingerprint b3de3da68bd4372ff255c9d6e99fcae445e902ee



# ls *.pem

ctl-cert.pem  ctl-privkey.pem  ctl-req.pem  sc-cert.pem  sc-privkey.pem
sc-req.pem



# pwd

/root/work/openvswitch-web



# cp /usr/local/var/lib/openvswitch/pki/controllerca/cacert.pem .



# ls *.pem

cacert.pem    ctl-privkey.pem  sc-cert.pem     sc-req.pem

ctl-cert.pem  ctl-req.pem      sc-privkey.pem



-------END----------------- PKI configuration -----------------------



# cd openvswitch-web/

# ./boot.sh

# ./configure --with-linux=/lib/modules/`uname -r`/build

# make

# make check

# make modules_install

# modprobe openvswitch

# lsmod | grep openvswitch

openvswitch            81016  0

gre                    12989  1 openvswitch

libcrc32c              12644  1 openvswitch

# ovsdb-tool create /usr/local/etc/openvswitch/conf.db
vswitchd/vswitch.ovsschema

# ovs-vsctl -- --bootstrap set-ssl /root/work/openvswitch-web/sc-privkey.pem
/root/work/openvswitch-web/sc-cert.pem /root/work/openvswitch-web/cacert.pem



# ovs-vsctl get-ssl

Private key: /root/work/openvswitch-web/sc-privkey.pem

Certificate: /root/work/openvswitch-web/sc-cert.pem

CA Certificate: /root/work/openvswitch-web/cacert.pem

Bootstrap: true

# pwd

/root/work/openvswitch-web

# ./tests/test-controller  pssl:
--private-key=/root/work/openvswitch-web/ctl-privkey.pem
--certificate=/root/work/openvswitch-web/ctl-cert.pem
--ca-cert=/root/work/openvswitch-web/cacert.pem --pidfile --detach
--log-file=/usr/local/var/log/openvswitch/ovs-controller.log

2013-12-05T06:36:41Z|00001|stream_ssl|INFO|Trusting CA cert from
/root/work/openvswitch-web/cacert.pem (/C=US/ST=CA/O=Open
vSwitch/OU=controllerca/CN=OVS controllerca CA Certificate (2013 Dec 04
02:04:59)) (fingerprint
c3:ed:b0:98:39:a8:ee:9b:6e:46:30:eb:d4:9e:6f:ce:fb:c9:22:e1)

2013-12-05T06:36:41Z|00002|vlog|INFO|opened log file
/usr/local/var/log/openvswitch/ovs-controller.log



# netstat -na | grep 6633

tcp        0      0 0.0.0.0:6633            0.0.0.0:*               LISTEN



# ovsdb-server --remote=punix:/usr/local/var/run/openvswitch/db.sock
--remote=db:Open_vSwitch,Open_vSwitch,manager_options
--private-key=db:Open_vSwitch,SSL,private_key
--certificate=db:Open_vSwitch,SSL,certificate
--bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --pidfile --detach
--log-file=/usr/local/var/log/openvswitch/ovsdb-server.log

2013-12-05T07:06:28Z|00001|vlog|INFO|opened log file
/usr/local/var/log/openvswitch/ovsdb-server.log

2013-12-05T07:06:28Z|00002|stream_ssl|INFO|Trusting CA cert from
/root/work/openvswitch-web/cacert.pem (/C=US/ST=CA/O=Open
vSwitch/OU=controllerca/CN=OVS controllerca CA Certificate (2013 Dec 04
02:04:59)) (fingerprint
c3:ed:b0:98:39:a8:ee:9b:6e:46:30:eb:d4:9e:6f:ce:fb:c9:22:e1)



# ovs-vswitchd --pidfile --detach
--log-file=/usr/local/var/log/openvswitch/ovs-vswitchd.log

2013-12-05T07:04:41Z|00001|vlog|INFO|opened log file
/usr/local/var/log/openvswitch/ovs-vswitchd.log

2013-12-05T07:04:41Z|00002|reconnect|INFO|unix:/usr/local/var/run/openvswitc
h/db.sock: connecting...

2013-12-05T07:04:41Z|00003|reconnect|INFO|unix:/usr/local/var/run/openvswitc
h/db.sock: connected

2013-12-05T07:04:41Z|00004|stream_ssl|INFO|Trusting CA cert from
/root/work/openvswitch-web/cacert.pem (/C=US/ST=CA/O=Open
vSwitch/OU=controllerca/CN=OVS controllerca CA Certificate (2013 Dec 04
02:04:59)) (fingerprint
c3:ed:b0:98:39:a8:ee:9b:6e:46:30:eb:d4:9e:6f:ce:fb:c9:22:e1)

# ps -ef | grep -i ovsdb-server

root     12463     1  0 02:05 ?        00:00:00 ./ovsdb/ovsdb-server
--remote=punix:/usr/local/var/run/openvswitch/db.sock
--remote=db:Open_vSwitch,Open_vSwitch,manager_options
--private-key=db:Open_vSwitch,SSL,private_key
--certificate=db:Open_vSwitch,SSL,certificate
--bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --pidfile --detach
--log-file=/usr/local/var/log/openvswitch/ovsdb-server.log



# ps -ef | grep -i ovs-vswitch

root     12518     1  0 02:08 ?        00:00:05 ./vswitchd/ovs-vswitchd
--pidfile --detach 
--log-file=/usr/local/var/log/openvswitch/ovs-vswitchd.log



# ps -ef | grep -i controller

root     14328     1 86 03:30 ?        00:00:19 ./tests/test-controller
pssl: --private-key=/root/work/openvswitch-web/ctl-privkey.pem
--certificate=/root/work/openvswitch-web/ctl-cert.pem
--ca-cert=/usr/local/var/lib/openvswitch/pki/controllerca/cacert.pem
--pidfile --detach 
--log-file=/usr/local/var/log/openvswitch/ovs-controller.log



# ovs-vsctl add-br br5

# ovs-vsctl list-br

br5

# ovs-vsctl set-controller br6 ssl:192.168.188.155:6633



<<<<<<<<<<<<<<< After this, things fail >>>>>>>>>>>>>>>> See log details
below.





--------------- ovs-controller.log ---------------------



2013-12-05T10:13:42.536Z|00021|stream_ssl|WARN|SSL_accept:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned

2013-12-05T10:13:42.536Z|00022|vconn_stream|ERR|send: Protocol error

2013-12-05T10:13:43.248Z|00023|poll_loop|INFO|Dropped 1127619 log messages
in last 6 seconds (most recently, 0 seconds ago) due to excessive rate

2013-12-05T10:13:43.249Z|00024|poll_loop|INFO|wakeup due to 0-ms timeout at
lib/vconn.c:935 (89% CPU usage)

2013-12-05T10:13:49.248Z|00025|poll_loop|INFO|Dropped 1037872 log messages
in last 6 seconds (most recently, 0 seconds ago) due to excessive rate

2013-12-05T10:13:49.249Z|00026|poll_loop|INFO|wakeup due to 0-ms timeout at
lib/vconn.c:935 (88% CPU usage)

2013-12-05T10:13:50.534Z|00027|stream_ssl|WARN|SSL_accept:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned

2013-12-05T10:13:55.248Z|00028|poll_loop|INFO|Dropped 1028819 log messages
in last 6 seconds (most recently, 0 seconds ago) due to excessive rate

2013-12-05T10:13:55.249Z|00029|poll_loop|INFO|wakeup due to 0-ms timeout at
lib/vconn.c:935 (91% CPU usage)

2013-12-05T10:13:58.535Z|00030|stream_ssl|WARN|SSL_accept:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned

2013-12-05T10:13:58.536Z|00031|vconn_stream|ERR|send: Protocol error

2013-12-05T10:14:01.248Z|00032|poll_loop|INFO|Dropped 908512 log messages in
last 6 seconds (most recently, 0 seconds ago) due to excessive rate

2013-12-05T10:14:01.249Z|00033|poll_loop|INFO|wakeup due to 0-ms timeout at
lib/vconn.c:935 (91% CPU usage)

2013-12-05T10:14:06.534Z|00034|stream_ssl|WARN|SSL_accept:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned

2013-12-05T10:14:06.534Z|00035|vconn_stream|ERR|send: Protocol error

2013-12-05T10:14:07.248Z|00036|poll_loop|INFO|Dropped 908099 log messages in
last 6 seconds (most recently, 0 seconds ago) due to excessive rate

2013-12-05T10:14:07.249Z|00037|poll_loop|INFO|wakeup due to 0-ms timeout at
lib/vconn.c:935 (92% CPU usage)

2013-12-05T10:14:13.250Z|00038|poll_loop|INFO|Dropped 931759 log messages in
last 6 seconds (most recently, 0 seconds ago) due to excessive rate

2013-12-05T10:14:13.250Z|00039|poll_loop|INFO|wakeup due to 0-ms timeout at
lib/vconn.c:935 (93% CPU usage)

2013-12-05T10:14:14.529Z|00040|stream_ssl|WARN|SSL_accept:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned

2013-12-05T10:14:19.248Z|00041|poll_loop|INFO|Dropped 901975 log messages in
last 6 seconds (most recently, 0 seconds ago) due to excessive rate

2013-12-05T10:14:19.249Z|00042|poll_loop|INFO|wakeup due to 0-ms timeout at
lib/vconn.c:935 (94% CPU usage)



-----------------ovs-vswitchd.log -----------

2013-12-05T10:13:34.519Z|00081|rconn|INFO|br6<->ssl:192.168.188.155:6633: connecting...

2013-12-05T10:13:34.534Z|00082|stream_ssl|WARN|SSL_connect:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

2013-12-05T10:13:34.534Z|00083|rconn|INFO|br6<->ssl:192.168.188.155:6633: connection failed (Protocol error)

2013-12-05T10:13:34.534Z|00084|rconn|INFO|br6<->ssl:192.168.188.155:6633: continuing to retry connections in the
background but suppressing further logging

2013-12-05T10:13:42.518Z|00085|fail_open|WARN|Could not connect to
controller (or switch failed controller's post-connection admission control
policy) for 15 seconds, failing open

2013-12-05T10:13:42.535Z|00086|stream_ssl|WARN|SSL_connect:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

2013-12-05T10:13:50.544Z|00087|stream_ssl|WARN|SSL_connect:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

--------------------



What is going wrong here?

Also, the man page of ovs-vsctl under "set-controller bridge target..." says to
pass --private-key, --certificate, and --ca-cert while executing
set-controller, but it does not say which certificate to pass (controllerca
or switchca).

I also referred to INSTALL.SSL.

~ Kelvin
_______________________________________________ discuss mailing list
discuss at openvswitch.org http://openvswitch.org/mailman/listinfo/discuss
