[ovs-discuss] ovs-vsctl set-controller fails with test-controller using SSL.
Arun Sharma
arun.sharma at calsoftinc.com
Fri Dec 6 12:02:04 UTC 2013
It seems you have to pass the switch CA certificate
"--ca-cert=/switchca/cacert.pem" while starting test-controller.
Arun
From: Kelvin keros <kelvin.keros at gmail.com>
Date: Thu, 5 Dec 2013 19:51:19 +0530
To: <discuss at openvswitch.org>
Subject: [ovs-discuss] ovs-vsctl set-controller fails with test-controller using SSL.
Hi OVS Team,
I was trying to use test-controller with an OVS switch over SSL but got the
errors below when set-controller is executed.
# ovs-vsctl set-controller br6 ssl:192.168.188.155:6633
On: ovs-vswitchd.log
------------------------------------
2013-12-05T10:13:34.519Z|00081|rconn|INFO|br6<->ssl:192.168.188.155:6633: connecting...
2013-12-05T10:13:34.534Z|00082|stream_ssl|WARN|SSL_connect:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
On ovs-controller.log
---------------------------------------
2013-12-05T10:13:42.536Z|00021|stream_ssl|WARN|SSL_accept:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned
2013-12-05T10:13:42.536Z|00022|vconn_stream|ERR|send: Protocol error
Note: test-controller, the PKI structure, ovs-vswitchd and ovsdb-server are all
present or running on the same box.
----------------- Done PKI configuration as below-----------------------
Configure PKI (Refer - INSTALL.SSL)
# ovs-pki --force init
# ls /usr/local/var/lib/openvswitch/pki/
# ovs-pki req+sign ctl controller
ctl-req.pem Wed Dec 4 22:31:24 PST 2013
fingerprint 32ed2112bf73beae3b43b105e02c18f5ac308382
# ls *.pem
ctl-cert.pem ctl-privkey.pem ctl-req.pem
# ovs-pki req+sign sc switch
sc-req.pem Wed Dec 4 22:31:49 PST 2013
fingerprint b3de3da68bd4372ff255c9d6e99fcae445e902ee
# ls *.pem
ctl-cert.pem ctl-privkey.pem ctl-req.pem sc-cert.pem sc-privkey.pem
sc-req.pem
# pwd
/root/work/openvswitch-web
# cp /usr/local/var/lib/openvswitch/pki/controllerca/cacert.pem .
# ls *.pem
cacert.pem ctl-privkey.pem sc-cert.pem sc-req.pem
ctl-cert.pem ctl-req.pem sc-privkey.pem
-------END----------------- PKI configuration -----------------------
# cd openvswitch-web/
# ./boot.sh
# ./configure --with-linux=/lib/modules/`uname -r`/build
# make
# make check
# make modules_install
# modprobe openvswitch
# lsmod | grep openvswitch
openvswitch 81016 0
gre 12989 1 openvswitch
libcrc32c 12644 1 openvswitch
# ovsdb-tool create /usr/local/etc/openvswitch/conf.db
vswitchd/vswitch.ovsschema
# ovs-vsctl -- --bootstrap set-ssl /root/work/openvswitch-web/sc-privkey.pem
/root/work/openvswitch-web/sc-cert.pem /root/work/openvswitch-web/cacert.pem
# ovs-vsctl get-ssl
Private key: /root/work/openvswitch-web/sc-privkey.pem
Certificate: /root/work/openvswitch-web/sc-cert.pem
CA Certificate: /root/work/openvswitch-web/cacert.pem
Bootstrap: true
# pwd
/root/work/openvswitch-web
# ./tests/test-controller pssl:
--private-key=/root/work/openvswitch-web/ctl-privkey.pem
--certificate=/root/work/openvswitch-web/ctl-cert.pem
--ca-cert=/root/work/openvswitch-web/cacert.pem --pidfile --detach
--log-file=/usr/local/var/log/openvswitch/ovs-controller.log
2013-12-05T06:36:41Z|00001|stream_ssl|INFO|Trusting CA cert from
/root/work/openvswitch-web/cacert.pem (/C=US/ST=CA/O=Open
vSwitch/OU=controllerca/CN=OVS controllerca CA Certificate (2013 Dec 04
02:04:59)) (fingerprint
c3:ed:b0:98:39:a8:ee:9b:6e:46:30:eb:d4:9e:6f:ce:fb:c9:22:e1)
2013-12-05T06:36:41Z|00002|vlog|INFO|opened log file
/usr/local/var/log/openvswitch/ovs-controller.log
# netstat -na | grep 6633
tcp 0 0 0.0.0.0:6633 0.0.0.0:* LISTEN
# ovsdb-server --remote=punix:/usr/local/var/run/openvswitch/db.sock
--remote=db:Open_vSwitch,Open_vSwitch,manager_options
--private-key=db:Open_vSwitch,SSL,private_key
--certificate=db:Open_vSwitch,SSL,certificate
--bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --pidfile --detach
--log-file=/usr/local/var/log/openvswitch/ovsdb-server.log
2013-12-05T07:06:28Z|00001|vlog|INFO|opened log file
/usr/local/var/log/openvswitch/ovsdb-server.log
2013-12-05T07:06:28Z|00002|stream_ssl|INFO|Trusting CA cert from
/root/work/openvswitch-web/cacert.pem (/C=US/ST=CA/O=Open
vSwitch/OU=controllerca/CN=OVS controllerca CA Certificate (2013 Dec 04
02:04:59)) (fingerprint
c3:ed:b0:98:39:a8:ee:9b:6e:46:30:eb:d4:9e:6f:ce:fb:c9:22:e1)
# ovs-vswitchd --pidfile --detach
--log-file=/usr/local/var/log/openvswitch/ovs-vswitchd.log
2013-12-05T07:04:41Z|00001|vlog|INFO|opened log file
/usr/local/var/log/openvswitch/ovs-vswitchd.log
2013-12-05T07:04:41Z|00002|reconnect|INFO|unix:/usr/local/var/run/openvswitch/db.sock: connecting...
2013-12-05T07:04:41Z|00003|reconnect|INFO|unix:/usr/local/var/run/openvswitch/db.sock: connected
2013-12-05T07:04:41Z|00004|stream_ssl|INFO|Trusting CA cert from
/root/work/openvswitch-web/cacert.pem (/C=US/ST=CA/O=Open
vSwitch/OU=controllerca/CN=OVS controllerca CA Certificate (2013 Dec 04
02:04:59)) (fingerprint
c3:ed:b0:98:39:a8:ee:9b:6e:46:30:eb:d4:9e:6f:ce:fb:c9:22:e1)
# ps -ef | grep -i ovsdb-server
root 12463 1 0 02:05 ? 00:00:00 ./ovsdb/ovsdb-server
--remote=punix:/usr/local/var/run/openvswitch/db.sock
--remote=db:Open_vSwitch,Open_vSwitch,manager_options
--private-key=db:Open_vSwitch,SSL,private_key
--certificate=db:Open_vSwitch,SSL,certificate
--bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --pidfile --detach
--log-file=/usr/local/var/log/openvswitch/ovsdb-server.log
# ps -ef | grep -i ovs-vswitch
root 12518 1 0 02:08 ? 00:00:05 ./vswitchd/ovs-vswitchd
--pidfile --detach
--log-file=/usr/local/var/log/openvswitch/ovs-vswitchd.log
# ps -ef | grep -i controller
root 14328 1 86 03:30 ? 00:00:19 ./tests/test-controller
pssl: --private-key=/root/work/openvswitch-web/ctl-privkey.pem
--certificate=/root/work/openvswitch-web/ctl-cert.pem
--ca-cert=/usr/local/var/lib/openvswitch/pki/controllerca/cacert.pem
--pidfile --detach
--log-file=/usr/local/var/log/openvswitch/ovs-controller.log
# ovs-vsctl add-br br5
# ovs-vsctl list-br
br5
# ovs-vsctl set-controller br6 ssl:192.168.188.155:6633
<<<<<<<<<<<<<<< After this, things fail >>>>>>>>>>>>>>>> See log details
below.
--------------- ovs-controller.log ---------------------
2013-12-05T10:13:42.536Z|00021|stream_ssl|WARN|SSL_accept:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned
2013-12-05T10:13:42.536Z|00022|vconn_stream|ERR|send: Protocol error
2013-12-05T10:13:43.248Z|00023|poll_loop|INFO|Dropped 1127619 log messages
in last 6 seconds (most recently, 0 seconds ago) due to excessive rate
2013-12-05T10:13:43.249Z|00024|poll_loop|INFO|wakeup due to 0-ms timeout at
lib/vconn.c:935 (89% CPU usage)
2013-12-05T10:13:49.248Z|00025|poll_loop|INFO|Dropped 1037872 log messages
in last 6 seconds (most recently, 0 seconds ago) due to excessive rate
2013-12-05T10:13:49.249Z|00026|poll_loop|INFO|wakeup due to 0-ms timeout at
lib/vconn.c:935 (88% CPU usage)
2013-12-05T10:13:50.534Z|00027|stream_ssl|WARN|SSL_accept:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned
2013-12-05T10:13:55.248Z|00028|poll_loop|INFO|Dropped 1028819 log messages
in last 6 seconds (most recently, 0 seconds ago) due to excessive rate
2013-12-05T10:13:55.249Z|00029|poll_loop|INFO|wakeup due to 0-ms timeout at
lib/vconn.c:935 (91% CPU usage)
2013-12-05T10:13:58.535Z|00030|stream_ssl|WARN|SSL_accept:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned
2013-12-05T10:13:58.536Z|00031|vconn_stream|ERR|send: Protocol error
2013-12-05T10:14:01.248Z|00032|poll_loop|INFO|Dropped 908512 log messages in
last 6 seconds (most recently, 0 seconds ago) due to excessive rate
2013-12-05T10:14:01.249Z|00033|poll_loop|INFO|wakeup due to 0-ms timeout at
lib/vconn.c:935 (91% CPU usage)
2013-12-05T10:14:06.534Z|00034|stream_ssl|WARN|SSL_accept:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned
2013-12-05T10:14:06.534Z|00035|vconn_stream|ERR|send: Protocol error
2013-12-05T10:14:07.248Z|00036|poll_loop|INFO|Dropped 908099 log messages in
last 6 seconds (most recently, 0 seconds ago) due to excessive rate
2013-12-05T10:14:07.249Z|00037|poll_loop|INFO|wakeup due to 0-ms timeout at
lib/vconn.c:935 (92% CPU usage)
2013-12-05T10:14:13.250Z|00038|poll_loop|INFO|Dropped 931759 log messages in
last 6 seconds (most recently, 0 seconds ago) due to excessive rate
2013-12-05T10:14:13.250Z|00039|poll_loop|INFO|wakeup due to 0-ms timeout at
lib/vconn.c:935 (93% CPU usage)
2013-12-05T10:14:14.529Z|00040|stream_ssl|WARN|SSL_accept:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned
2013-12-05T10:14:19.248Z|00041|poll_loop|INFO|Dropped 901975 log messages in
last 6 seconds (most recently, 0 seconds ago) due to excessive rate
2013-12-05T10:14:19.249Z|00042|poll_loop|INFO|wakeup due to 0-ms timeout at
lib/vconn.c:935 (94% CPU usage)
-----------------ovs-vswitchd.log -----------
2013-12-05T10:13:34.519Z|00081|rconn|INFO|br6<->ssl:192.168.188.155:6633: connecting...
2013-12-05T10:13:34.534Z|00082|stream_ssl|WARN|SSL_connect:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
2013-12-05T10:13:34.534Z|00083|rconn|INFO|br6<->ssl:192.168.188.155:6633: connection failed (Protocol error)
2013-12-05T10:13:34.534Z|00084|rconn|INFO|br6<->ssl:192.168.188.155:6633: continuing to retry connections in the
background but suppressing further logging
2013-12-05T10:13:42.518Z|00085|fail_open|WARN|Could not connect to
controller (or switch failed controller's post-connection admission control
policy) for 15 seconds, failing open
2013-12-05T10:13:42.535Z|00086|stream_ssl|WARN|SSL_connect:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
2013-12-05T10:13:50.544Z|00087|stream_ssl|WARN|SSL_connect:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
--------------------
What is going wrong here?
Also, the man page of ovs-vsctl, under "set-controller bridge target...", says to
pass --private-key, --certificate, and --ca-cert when executing
set-controller, but it does not say which CA certificate to pass (controllerca
or switchca).
I also referred to INSTALL.SSL.
~ Kelvin
_______________________________________________ discuss mailing list
discuss at openvswitch.org http://openvswitch.org/mailman/listinfo/discuss
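Worked example, added by the editor; it is not code from the thread or from Open vSwitch. It rebuilds the two-CA layout that ovs-pki creates (controllerca/ and switchca/) with plain openssl under a scratch directory, issues a controller certificate from controllerca and a switch certificate from switchca (as "ovs-pki req+sign ctl controller" and "ovs-pki req+sign sc switch" do), and then runs the chain check that each TLS peer performs on the other's certificate. The $WORK paths, helper names and subject strings are this script's own assumptions; real ovs-pki output lives under /usr/local/var/lib/openvswitch/pki/ as shown in the post, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread or from OVS): rebuild the controllerca/
# switchca layout with openssl and check which cacert.pem each side must trust.
# $WORK, the helper names and the subjects below are this script's assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME: self-signed root in $WORK/NAMEca/{cakey,cacert}.pem
# (the part of "ovs-pki init" that creates controllerca and switchca).
make_ca() {
    ca="$WORK/${1}ca"
    mkdir -p "$ca"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -subj "/C=US/ST=CA/O=Open vSwitch/OU=${1}ca/CN=OVS ${1}ca CA Certificate" \
        -keyout "$ca/cakey.pem" -out "$ca/cacert.pem" 2>/dev/null
}

# issue_cert NAME CA: key, CSR and certificate for NAME signed by CAca
# (what "ovs-pki req+sign NAME CA" produces: NAME-privkey.pem, NAME-req.pem,
# NAME-cert.pem).
issue_cert() {
    name="$1"; ca="$WORK/${2}ca"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Open vSwitch/OU=${2}ca/CN=${name}" \
        -keyout "$WORK/${name}-privkey.pem" -out "$WORK/${name}-req.pem" 2>/dev/null
    openssl x509 -req -days 365 -sha256 -in "$WORK/${name}-req.pem" \
        -CA "$ca/cacert.pem" -CAkey "$ca/cakey.pem" -CAcreateserial \
        -out "$WORK/${name}-cert.pem" 2>/dev/null
}

# chains_to NAME CA: exit 0 if NAME-cert.pem verifies against CAca/cacert.pem.
# This is the check the TLS peer makes on the certificate it receives; when it
# fails, the rejecting side sends the "unknown ca" alert seen in the post.
chains_to() {
    openssl verify -CAfile "$WORK/${2}ca/cacert.pem" "$WORK/${1}-cert.pem" >/dev/null 2>&1
}

# fingerprint CA: SHA-1 fingerprint of CAca/cacert.pem in the colon form that
# the "Trusting CA cert from ..." log line prints, so the two can be compared.
fingerprint() {
    openssl x509 -noout -fingerprint -sha1 -in "$WORK/${1}ca/cacert.pem" 2>/dev/null \
        | sed 's/^.*=//' | tr 'A-F' 'a-f'
}

build_pki() {
    make_ca controller
    make_ca switch
    issue_cert ctl controller   # controller identity, signed by controllerca
    issue_cert sc switch        # switch identity, signed by switchca
}

# The switch verifies the controller's certificate, so it is given controllerca;
# the controller verifies the switch's certificate, so it is given switchca.
# Giving both sides controllerca/cacert.pem (as in the report) leaves the
# controller unable to validate sc-cert.pem.
show_config() {
    cat <<EOF
# switch side (ovs-vsctl set-ssl): own key+cert, trust controllerca
ovs-vsctl set-ssl $WORK/sc-privkey.pem $WORK/sc-cert.pem $WORK/controllerca/cacert.pem
# controller side (test-controller): own key+cert, trust switchca
test-controller pssl: --private-key=$WORK/ctl-privkey.pem \\
    --certificate=$WORK/ctl-cert.pem --ca-cert=$WORK/switchca/cacert.pem
EOF
}

if [ "${1:-}" = "run" ]; then
    build_pki
    chains_to sc switch      && echo "sc-cert.pem verifies against switchca: controller must trust switchca"
    chains_to sc controller  || echo "sc-cert.pem does NOT verify against controllerca: the reported setup"
    chains_to ctl controller && echo "ctl-cert.pem verifies against controllerca: switch must trust controllerca"
    echo "controllerca fingerprint: $(fingerprint controller)"
    echo "switchca fingerprint:     $(fingerprint switch)"
    show_config
fi
```

Run it as `sh example.sh run`. The point it makes is the one in Arun's reply: with mutual TLS and two CAs, each side is configured with the CA that signed the peer's certificate, so the switch gets controllerca/cacert.pem and test-controller gets switchca/cacert.pem. The fingerprints the script prints are in the same form as the "Trusting CA cert from ..." lines in each daemon's log, which is the quickest way to see which CA a running process actually loaded; in the post all three daemons report the same controllerca fingerprint. Note also that `ovs-vsctl --bootstrap set-ssl` and ovsdb-server's `--bootstrap-ca-cert` accept whatever CA certificate the peer presents on the first connection if the CA file does not already exist (trust on first use), so outside a lab, copy the CA certificate over a trusted channel and drop the bootstrap option.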