[opensuse-cloud] keystone, PKI, openssl
Hello,

the current default in keystone to sign tokens is to use PKI. With the shipped version of openssl in SLES11 SP3 this won't work, the subcommand "cms" is missing.

How do you think this should be handled? Can we get a newer version of openssl in the repository Cloud:OpenStack:Master?

Greetings,
André

--
André Naehring
Linux Consultant & Trainer
Mail: naehring@b1-systems.de
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt, HRB 3537
On 07/08/2013 06:59 AM, André Nähring wrote:
Hello,
the current default in keystone to sign tokens is to use PKI. With the shipped version of openssl in SLES11 SP3 this won't work, the subcommand "cms" is missing.
Andre,

Are you sure? I've just checked the package on my SP3 install and I see:

# openssl --help
openssl:Error: '--help' is an invalid command.

Standard commands
asn1parse ca ciphers cms
[...]

And also:

# openssl cms
Usage cms [options] cert.pem ...
where options are
-encrypt encrypt message

Andreas
--
Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
--
To unsubscribe, e-mail: opensuse-cloud+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-cloud+owner@opensuse.org
Hello AJ, On Mon, 08 Jul 2013 09:25:51 +0200 Andreas Jaeger <aj@suse.com> wrote:
On 07/08/2013 06:59 AM, André Nähring wrote:
Hello,
the current default in keystone to sign tokens is to use PKI. With the shipped version of openssl in SLES11 SP3 this won't work, the subcommand "cms" is missing.
Andre,
Are you sure? I've just checked the package on my SP3 install and I see:
# openssl --help
openssl:Error: '--help' is an invalid command.

Standard commands
asn1parse ca ciphers cms
[...]

And also:

# openssl cms
Usage cms [options] cert.pem ...
where options are
-encrypt encrypt message
Well, this is amazing ;) You are absolutely right. I did something wrong, I really expected to find "cms" in the manpage of openssl. Which gave me no result on SLES but on my local system.

So, the original problem is here:

---
subprocess.CalledProcessError: Command '['openssl', 'ca', '-batch', '-out', '/etc/keystone/ssl/certs/signing_cert.pem', '-config', '/etc/keystone/ssl/certs/openssl.conf', '-days', '3650d', '-cert', '/etc/keystone/ssl/certs/ca.pem', '-keyfile', '/etc/keystone/ssl/certs/cakey.pem', '-infiles', '/etc/keystone/ssl/certs/req.pem']' returned non-zero exit status 1
---

while installing keystone and after some searching, I always got the result 3 when calling the openssl command. And this led me to check the subcommand using the manpage. So sorry, I expected a manpage to be correct.

I'll give it another try with the pki right now and post the results.

Greetings,
André
Andre debugged a bit and I can reproduce the problem in the Havanna sources.

If you check out keystone from git, there's a directory examples/pki. Invoking the script gen_pki.sh works fine on openSUSE 12.3.

But on SLES 11 SP3 it fails with:

./gen_pki.sh
Checking openssl availability ... /usr/bin/openssl
Done
Generating New CA Certificate ...
Generating a 2048 bit RSA private key
.....................................................................+++
...................+++
writing new private key to '/root/pki/private/cakey.pem'
-----
Done
Generating SSL Certificate Request ...
Generating a 2048 bit RSA private key
...................+++
...........+++
writing new private key to '/root/pki/private/ssl_key.pem'
-----
Done
Generating CMS Signing Certificate Request ...
Generating a 2048 bit RSA private key
...................+++
................................................................+++
writing new private key to '/root/pki/private/signing_key.pem'
-----
Done
Issuing SSL Certificate ...
Using configuration from signing.conf
default is an unsupported message digest type
4213:error:02001002:system library:fopen:No such file or directory:bss_file.c:126:fopen('./index.txt.attr','rb')
4213:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:129:
4213:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197:
Failed! rc=1
Bailing ...

Andreas
Hello, On Mon, 08 Jul 2013 12:37:08 +0200 Andreas Jaeger <aj@suse.com> wrote:
Andre debugged a bit and I can reproduce the problem in the Havanna sources.
If you check out keystone from git, there's a directory examples/pki. Invoking the script gen_pki.sh works fine on openSUSE 12.3.
But on SLES 11 SP3 it fails with:

./gen_pki.sh
Checking openssl availability ... /usr/bin/openssl
Done
Generating New CA Certificate ...
Generating a 2048 bit RSA private key
.....................................................................+++
...................+++
writing new private key to '/root/pki/private/cakey.pem'
-----
Done
Generating SSL Certificate Request ...
Generating a 2048 bit RSA private key
...................+++
...........+++
writing new private key to '/root/pki/private/ssl_key.pem'
-----
Done
Generating CMS Signing Certificate Request ...
Generating a 2048 bit RSA private key
...................+++
................................................................+++
writing new private key to '/root/pki/private/signing_key.pem'
-----
Done
Issuing SSL Certificate ...
Using configuration from signing.conf
default is an unsupported message digest type
4213:error:02001002:system library:fopen:No such file or directory:bss_file.c:126:fopen('./index.txt.attr','rb')
4213:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:129:
4213:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197:
Failed! rc=1
Bailing ...
Andreas
The corresponding entry seems to be "default_md" with the value "default". Change it to "md5" and it will work. And reduce the "default_days".

Greetings,
André
Andre,

does changing this line in ./keystone/common/openssl.py help?

default_md = default # use public key default MD

Andreas
Hi Andre,
The corresponding entry seems to be "default_md" with the value "default". Change it to "md5" and it will work. And reduce the "default_days".
Well, md5 would be awful. "default" is a synonym of "sha1", but it was only added in openssl 0.9.9 it seems (which we don't have on SLE11 SP3). Sigh. I'll fix it.

The default_days in gen_pki.sh should remain the way it is, it is just used for the testsuite.

Greetings,
Dirk
Hi Dirk, On Tue, 9 Jul 2013 17:19:39 +0200 Dirk Müller <dirk@dmllr.de> wrote:
The corresponding entry seems to be "default_md" with the value "default". Change it to "md5" and it will work. And reduce the "default_days".
Well, md5 would be awful. "default" is a synonym of "sha1", but it was only added in openssl 0.9.9 it seems (which we don't have on SLE11 SP3). Sigh. I'll fix it.
thanks. How do you want to fix that? Upgrade openssl? Change the corresponding lines in the keystone source? If that's your choice, have a deeper look on nova which also uses sha1, just like python-keystoneclient and so on.
The default_days in gen_pki.sh should remain the way it is, it is just used for the testsuite.
That's correct, I mentioned it because of the usage of the test suite, which failed when not reducing the value in a quick and dirty way ;)

Greetings,
André
Hi Andre,
Well, md5 would be awful. "default" is a synonym of "sha1", but it was only added in openssl 0.9.9 it seems (which we don't have on SLE11 SP3). Sigh. I'll fix it.
thanks. How do you want to fix that? Upgrade openssl?
I think that's out of the question atm.
Change the corresponding lines in the keystone source?
I'll fix keystone pki_setup to not use default_md = default (but sha1) when that one seems to be unsupported by the underlying openssl. I've not yet found a catchy way to detect that it is the "broken" openssl yet, but I'll look into it.
If that's your choice, have a deeper look on nova which also uses sha1, just like python-keystoneclient and so on.
I know about those issues. On my todo as well (but very low). We should not use md5 anywhere.

Greetings,
Dirk
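The fix Dirk outlines above (write `default_md = sha1` instead of `default_md = default` when the installed openssl does not understand "default") needs exactly the detection step he says he has not found yet. The following is an added example in Python, not keystone's pki_setup code: it decides the digest name from the `openssl version` banner using the rule the thread states (the "default" alias exists from OpenSSL 0.9.9 on), renders the affected lines of the signing config, and keeps the subprocess probe separate so the decision logic runs offline. The function names, the config section layout and the sample banners are assumptions constructed for this example.

```python
"""Choose a message-digest name the installed openssl actually accepts.

Added example, not keystone's own code.  The thread reports that the OpenSSL
0.9.8 shipped with SLES 11 SP3 rejects ``default_md = default`` ("default is
an unsupported message digest type"), while newer releases treat "default" as
a synonym for sha1.  The rule below encodes that: "default" on OpenSSL >= 0.9.9,
"sha1" spelled out otherwise.  Function names are assumptions.
"""
import re
import subprocess

# Release in which "default" became an accepted digest name, per the thread.
_DEFAULT_MD_MIN_VERSION = (0, 9, 9)

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner):
    """Return (major, minor, patch) from an ``openssl version`` banner.

    Letter suffixes ("0.9.8j", "1.0.1e-fips") are ignored; they do not change
    which digest names are understood.  Raises ValueError if no version is found.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised openssl version banner: %r" % banner)
    return tuple(int(x) for x in m.groups())


def choose_default_md(banner):
    """Digest name to write into the ``default_md`` line for this openssl."""
    if parse_openssl_version(banner) >= _DEFAULT_MD_MIN_VERSION:
        return "default"   # resolved by openssl to the public-key default (sha1)
    return "sha1"          # the alias is missing on 0.9.8 and older: name it


def render_signing_conf(banner, days=3650):
    """Render the digest and validity lines of a CA config for this openssl.

    The section name and the two keys mirror what gen_pki.sh trips over; the
    exact layout is an assumption, not keystone's template.
    """
    md = choose_default_md(banner)
    return (
        "[ ca_default ]\n"
        "default_days = %d\n"
        "default_md = %s\n"
    ) % (days, md)


def probe_installed_openssl():
    """Return the local ``openssl version`` banner, or None if unavailable.

    Kept apart from the pure functions above so the decision logic can be
    exercised on a box without an openssl binary.
    """
    try:
        out = subprocess.check_output(["openssl", "version"])
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.decode("ascii", "replace").strip()


if __name__ == "__main__":
    # Constructed banners: one resembling the SLES 11 SP3 release, one newer.
    for sample in ("OpenSSL 0.9.8j-fips 07 Jan 2009",
                   "OpenSSL 1.0.1e 11 Feb 2013"):
        print(sample, "->", choose_default_md(sample))
    local = probe_installed_openssl()
    if local:
        print(render_signing_conf(local))
```

The example follows the thread's decision of sha1 as the fallback, since that is what "default" resolves to on the releases discussed; on a current OpenSSL a CA config should name sha256 explicitly instead, and md5 is never an option, as Dirk says.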
participants (3)
- Andreas Jaeger
- André Nähring
- Dirk Müller