[ovs-discuss] SSL setup issue with OVN

Satish Patel satish.txt at gmail.com
Fri Nov 19 05:27:41 UTC 2021
Folks,

Reference doc: https://github.com/ovn-org/ovn-kubernetes/blob/master/docs/INSTALL.SSL.md

I am getting the following error in the ovn-controller logs and am not sure
how to debug it to get more details.

2021-11-19T04:59:35.502Z|00014|stream_ssl|WARN|SSL_connect: system
error (Success)
2021-11-19T04:59:35.502Z|00015|reconnect|INFO|ssl:10.62.7.252:6642:
connection attempt failed (Protocol error)
2021-11-19T04:59:35.502Z|00016|reconnect|INFO|ssl:10.62.7.252:6642:
waiting 4 seconds before reconnect
2021-11-19T05:12:12.355Z|00114|stream_ssl|WARN|SSL_connect: system
error (Success)
2021-11-19T05:12:20.363Z|00115|stream_ssl|WARN|SSL_connect: system
error (Success)
2021-11-19T05:12:28.371Z|00116|stream_ssl|WARN|SSL_connect: system
error (Success)
2021-11-19T05:12:36.381Z|00117|stream_ssl|WARN|SSL_connect: system
error (Success)
2021-11-19T05:12:44.390Z|00118|stream_ssl|WARN|SSL_connect: system
error (Success)
2021-11-19T05:12:52.395Z|00119|stream_ssl|WARN|SSL_connect: system
error (Success)


I have doubts about the CN (common name) of the SSL cert, which in my case
does not match the ovs hostname. In the ovn-controller certificate I have
"DNS:ovn-lab-comp-gen-1 id:4bbe9550-733f-414b-8602-ff97b4bd6780".

But on ovs I have:
external_ids        : {hostname=ovn-lab-comp-gen-1.example.net,

I have used ovs-pki to generate all the certificates.

This is what my config looks like:

On the master node (my ovn-northd server running the NB/SB central
services), I have the following certs set up:

root at ovn-lab-infra-1-neutron-ovn-northd-container-cb55f5ef:~# ovn-nbctl get-ssl
Private key: /etc/openvswitch/ovncert/ovnnb-privkey.pem
Certificate: /etc/openvswitch/ovncert/ovnnb-cert.pem
CA Certificate: /etc/openvswitch/cacert.pem
Bootstrap: false

root at ovn-lab-infra-1-neutron-ovn-northd-container-cb55f5ef:~# ovn-sbctl get-ssl
Private key: /etc/openvswitch/ovncert/ovnsb-privkey.pem
Certificate: /etc/openvswitch/ovncert/ovnsb-cert.pem
CA Certificate: /etc/openvswitch/cacert.pem
Bootstrap: false

Here is my connection info, which is set to pssl:

root at ovn-lab-infra-1-neutron-ovn-northd-container-cb55f5ef:~#
ovn-nbctl get-connection
pssl:6641
root at ovn-lab-infra-1-neutron-ovn-northd-container-cb55f5ef:~#
ovn-sbctl get-connection
read-write role="" ptcp:6642


On my compute nodes (ovn-controller):

root at ovn-lab-comp-gen-1:~# ovs-vsctl get-ssl
Private key: /etc/openvswitch/ovncert/ovn-lab-comp-gen-1-privkey.pem
Certificate: /etc/openvswitch/ovncert/ovn-lab-comp-gen-1-cert.pem
CA Certificate: /etc/openvswitch/cacert.pem
Bootstrap: false

File:  /etc/default/ovn-host

OVN_CTL_OPTS="--ovn-controller-ssl-key=/etc/openvswitch/ovncert/ovn-lab-comp-gen-1-privkey.pem
--ovn-controller-ssl-cert=/etc/openvswitch/ovncert/ovn-lab-comp-gen-1-cert.pem
--ovn-controller-ssl-ca-cert=/etc/openvswitch/cacert.pem"

File: /etc/neutron/plugins/ml2/ml2_conf.ini

[ovn]
ovn_native_dhcp = True
ovn_nb_connection = ssl:10.62.7.252:6641
ovn_sb_connection = ssl:10.62.7.252:6642
ovn_l3_scheduler = leastloaded
ovn_metadata_enabled = True
ovn_sb_ca_cert="/etc/openvswitch/cacert.pem"
ovn_sb_certificate="/etc/openvswitch/ovncert/ovn-lab-comp-gen-1-cert.pem"
ovn_sb_private_key="/etc/openvswitch/ovncert/ovn-lab-comp-gen-1-privkey.pem"
ovn_nb_ca_cert="/etc/openvswitch/cacert.pem"
ovn_nb_certificate="/etc/openvswitch/ovncert/ovn-lab-comp-gen-1-cert.pem"
ovn_nb_private_key="/etc/openvswitch/ovncert/ovn-lab-comp-gen-1-privkey.pem"

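The outputs above show an ovn-controller/Neutron client configured with `ssl:10.62.7.252:6642` while the Southbound listener printed by `ovn-sbctl get-connection` is `ptcp:6642`, a plaintext listener. A TLS client handshaking against a plaintext OVSDB port fails in exactly the SSL_connect / "Protocol error" way logged above, independent of any certificate CN question. The following POSIX shell check is an added example, not part of the original post: it compares a `get-connection` listener line with a client connection string and reports scheme and port mismatches (the sample listener and client strings are taken from the post; `check_ovn_conn` is a hypothetical helper name).

```shell
#!/bin/sh
# Added example: verify that an OVN client connection string (ssl:/tcp:)
# is compatible with the listener the central DB exposes (pssl:/ptcp:).
#
# $1: listener line as printed by `ovn-nbctl/ovn-sbctl get-connection`,
#     e.g. 'pssl:6641' or 'read-write role="" ptcp:6642'
# $2: client target, e.g. 'ssl:10.62.7.252:6642'
# Returns 0 when scheme and port agree, 1 on any mismatch.
check_ovn_conn() {
    # The listener spec is the last whitespace-separated token of the line.
    listener=${1##* }
    lscheme=${listener%%:*}          # pssl or ptcp
    lrest=${listener#*:}
    lport=${lrest%%:*}               # port is the first field after the scheme
    cscheme=${2%%:*}                 # ssl or tcp
    cport=${2##*:}                   # port is the last field of the client target

    case "$cscheme/$lscheme" in
        ssl/pssl|tcp/ptcp)
            ;;
        ssl/ptcp)
            echo "MISMATCH: client $2 uses TLS but listener $listener is plaintext;"
            echo "          fix with: ovn-sbctl/ovn-nbctl set-connection pssl:$lport"
            return 1 ;;
        tcp/pssl)
            echo "MISMATCH: client $2 is plaintext but listener $listener expects TLS"
            return 1 ;;
        *)
            echo "UNKNOWN: cannot compare $2 with $listener"
            return 1 ;;
    esac

    if [ "$cport" != "$lport" ]; then
        echo "MISMATCH: client port $cport but listener port $lport"
        return 1
    fi
    echo "OK: $2 matches listener $listener"
    return 0
}

# Constructed sample run using the values visible in the post.
check_ovn_conn 'pssl:6641' 'ssl:10.62.7.252:6641'
check_ovn_conn 'read-write role="" ptcp:6642' 'ssl:10.62.7.252:6642'
```

Once the listener is switched to `pssl:`, the database side also needs `ovn-sbctl set-ssl` to point at the key, cert and CA shown in `get-ssl` above, and the client certificate must chain to that same CA.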