[ovs-discuss] ovsdb-client connection error when I update the ovsdb-server ca_cert.pem file

Liuyongqiang (A) liu.liuyongqiang at huawei.com
Fri Sep 25 04:03:19 UTC 2015


Hi all,
There is a probabilistic error when I update the ovsdb-server ca_cert.pem file: the ovsdb-client is unable to connect to the ovsdb-server when it happens. The OVS version is 2.0.2.

The update steps on the server:
step1: rm ca_cert.pem
step2: openssl x509 -inform PEM -in ca_cert.pem > /home/ca_cert.pem

I have found that the direct cause is a concurrent write-read file issue: the ovsdb-server probably reads the wrong certificate from the ca_cert.pem file. But this error is unrecoverable; it needs a restart of OVS to fix.
Does anyone know about this problem?

The ovsdb-client connection error looks like this:

ERROR1:
# ovsdb-client -v -p /home/oam-network-agent_private_key.pem -c oam-network-agent_crt.pem -C /home/oam-network-agent_ca_crt.pem get-schema ssl:9.42.3.9:6632 Open_vSwitch
2015-09-25T10:54:36Z|00001|stream_ssl|INFO|Trusting CA cert from /home/oam-network-agent_ca_crt.pem (/C=CN/ST=ZheJiang/O=Huawei/OU=Huawei/CN=*.*.*.domainname.com) (fingerprint 22:a3:49:97:e1:44:ab:fb:96:29:60:ab:b8:fc:69:8b:7d:af:6c:6e)
2015-09-25T10:54:36Z|00002|poll_loop|DBG|wakeup due to 0-ms timeout
2015-09-25T10:54:36Z|00003|poll_loop|DBG|wakeup due to [POLLOUT] on fd 4 (9.62.243.149:54185<->9.42.3.9:6632) at lib/stream-ssl.c:716
2015-09-25T10:54:36Z|00004|stream_ssl|DBG|client0-->ssl:9.42.3.9:6632 handshake: client_hello (85 bytes)
2015-09-25T10:54:36Z|00005|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 (9.62.243.149:54185<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T10:54:36Z|00006|stream_ssl|DBG|client0<--ssl:9.42.3.9:6632 handshake: server_hello (53 bytes)
2015-09-25T10:54:36Z|00007|stream_ssl|DBG|client0<--ssl:9.42.3.9:6632 handshake: certificate (1944 bytes)
2015-09-25T10:54:36Z|00008|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 (9.62.243.149:54185<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T10:54:36Z|00009|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 (9.62.243.149:54185<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T10:54:36Z|00010|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 (9.62.243.149:54185<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T10:54:36Z|00011|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 (9.62.243.149:54185<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T10:54:36Z|00012|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 (9.62.243.149:54185<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T10:54:36Z|00013|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 (9.62.243.149:54185<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T10:54:36Z|00014|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 (9.62.243.149:54185<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T10:54:36Z|00015|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 (9.62.243.149:54185<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T10:54:36Z|00016|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 (9.62.243.149:54185<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T10:54:36Z|00017|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 (9.62.243.149:54185<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T10:54:36Z|00048|stream_ssl|DBG|client0<--ssl:9.42.3.9:6632 handshake: certificate_request (65559 bytes)
2015-09-25T10:54:36Z|00049|stream_ssl|DBG|client0-->ssl:9.42.3.9:6632 alert: fatal, decode_error (2 bytes)
2015-09-25T10:54:36Z|00050|stream_ssl|WARN|SSL_connect: error:1408709F:SSL routines:SSL3_GET_CERTIFICATE_REQUEST:length mismatch
ovsdb-client: failed to connect to "ssl:9.42.3.9:6632" (Protocol error)

ERROR2:
# ovsdb-client -v -p /home/oam-network-agent_private_key.pem -c oam-network-agent_crt.pem -C /home/oam-network-agent_ca_crt.pem get-schema ssl:9.42.3.9:6632 Open_vSwitch
2015-09-25T11:01:06Z|00001|stream_ssl|INFO|Trusting CA cert from /home/oam-network-agent_ca_crt.pem (/C=CN/ST=ZheJiang/O=Huawei/OU=Huawei/CN=*.*.*.domainname.com) (fingerprint 22:a3:49:97:e1:44:ab:fb:96:29:60:ab:b8:fc:69:8b:7d:af:6c:6e)
2015-09-25T11:01:06Z|00002|poll_loop|DBG|wakeup due to 0-ms timeout
2015-09-25T11:01:06Z|00003|poll_loop|DBG|wakeup due to [POLLOUT] on fd 4 (9.62.243.149:54288<->9.42.3.9:6632) at lib/stream-ssl.c:716
2015-09-25T11:01:06Z|00004|stream_ssl|DBG|client0-->ssl:9.42.3.9:6632 handshake: client_hello (85 bytes)
2015-09-25T11:01:06Z|00005|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 (9.62.243.149:54288<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T11:01:06Z|00006|stream_ssl|DBG|client0<--ssl:9.42.3.9:6632 handshake: server_hello (53 bytes)
2015-09-25T11:01:06Z|00007|stream_ssl|DBG|client0<--ssl:9.42.3.9:6632 handshake: certificate (985 bytes)
2015-09-25T11:01:06Z|00008|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 (9.62.243.149:54288<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T11:01:06Z|00009|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 (9.62.243.149:54288<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T11:01:06Z|00010|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 (9.62.243.149:54288<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T11:01:06Z|00011|stream_ssl|DBG|client0<--ssl:9.42.3.9:6632 handshake: certificate_request (11019 bytes)
2015-09-25T11:01:06Z|00012|stream_ssl|DBG|client0<--ssl:9.42.3.9:6632 handshake: server_hello_done (4 bytes)
2015-09-25T11:01:06Z|00013|stream_ssl|DBG|client0-->ssl:9.42.3.9:6632 handshake: certificate (1944 bytes)
2015-09-25T11:01:06Z|00014|stream_ssl|DBG|client0-->ssl:9.42.3.9:6632 handshake: client_key_exchange (262 bytes)
2015-09-25T11:01:06Z|00015|stream_ssl|DBG|client0-->ssl:9.42.3.9:6632 handshake: certificate_verify (262 bytes)
2015-09-25T11:01:06Z|00016|stream_ssl|DBG|client0-->ssl:9.42.3.9:6632 change_cipher_spec (1 bytes)
2015-09-25T11:01:06Z|00017|stream_ssl|DBG|client0-->ssl:9.42.3.9:6632 handshake: finished (16 bytes)
2015-09-25T11:01:06Z|00018|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 (9.62.243.149:54288<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T11:01:06Z|00019|stream_ssl|DBG|client0<--ssl:9.42.3.9:6632 alert: fatal, unknown_ca (2 bytes)
2015-09-25T11:01:06Z|00020|stream_ssl|WARN|SSL_connect: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
ovsdb-client: failed to connect to "ssl:9.42.3.9:6632" (Protocol error)


The ovsdb-server log prints warnings like this:

ERROR1:
2015-09-25T11:05:15.633Z|02941|stream_ssl|WARN|SSL_accept: error:1409441A:SSL routines:SSL3_READ_BYTES:tlsv1 alert decode error
2015-09-25T11:05:15.633Z|02942|jsonrpc|WARN|ssl:9.62.243.149:54187: receive error: Protocol error
2015-09-25T11:05:15.634Z|02943|reconnect|WARN|ssl:9.62.243.149:54187: connection dropped (Protocol error)

ERROR2:
2015-09-25T11:11:37.494Z|00449|stream_ssl|WARN|SSL_accept: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2015-09-25T11:11:37.494Z|00450|jsonrpc|WARN|ssl:9.62.243.149:54289: receive error: Protocol error
2015-09-25T11:11:37.494Z|00451|reconnect|WARN|ssl:9.62.243.149:54289: connection dropped (Protocol error)
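
The post attributes the failure to ovsdb-server reading ca_cert.pem while the file is being deleted and rewritten. As an added example (not part of the original post and not OVS code), one way to close that window is to stage the new certificate beside the old one and rename it into place, so a reader sees either the old file or the new one, never a missing or partial file. The function names, the temp-file prefix and the 0644 mode are assumptions, and the completeness check is structural only (it does not parse the certificate).

```shell
#!/bin/sh
# Added example: replace a CA certificate file without exposing a missing
# or half-written file to a process that re-reads it.

# pem_is_complete FILE
# Structural check that catches empty or truncated files: at least one
# certificate, and every BEGIN marker has a matching END marker.
pem_is_complete() {
    [ -s "$1" ] || return 1
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$1" || true)
    [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ]
}

# install_ca_cert NEW DEST
# Stage NEW next to DEST, verify the staged copy, then rename over DEST.
install_ca_cert() {
    new=$1
    dest=$2
    pem_is_complete "$new" || {
        echo "rejected: $new is not a complete PEM file" >&2
        return 1
    }
    # The temp file must be on the same filesystem as DEST, otherwise mv
    # falls back to copy+delete and the replacement is no longer atomic.
    tmp=$(mktemp "$(dirname "$dest")/.ca_cert.XXXXXX") || return 1
    # Assumed mode: a CA certificate is public, and the server may run
    # as a different user than the one doing the update.
    if cat "$new" > "$tmp" && chmod 644 "$tmp" && pem_is_complete "$tmp"; then
        sync    # flush the staged data before publishing it
        mv -f "$tmp" "$dest" && return 0
    fi
    rm -f "$tmp"
    return 1
}
```

A process that already has the old file open keeps reading the old, complete content after the rename, because the rename replaces the directory entry rather than rewriting the file in place.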
