openbaton / NFVO

Repository containing the source code of the NFVO
Apache License 2.0

Unable to add PoP with self-signed SSL cert #8

Closed KLuka closed 8 years ago

KLuka commented 8 years ago

Hello, I am using Openbaton NFVO 0.14 and I cannot add PoP (Openstack) which is using HTTPS with self-signed SSL certs.

Reported error on GUI doesn't indicate what actually happened, but with a workaround I was able to get past this. Errors in web app and plugin log:

# GUI error
ERROR: HTTP status: 500 response data : {"timestamp":1449755236982,"status":500,"error":"Internal Server Error","exception":"org.openbaton.exceptions.VimException","message":"java.rmi.UnmarshalException: Error unmarshaling return; nested exception is: \n\tjava.io.WriteAbortedException: writing aborted; java.io.NotSerializableException: org.jclouds.http.HttpCommand","path":"/api/v1/datacenters/"}
# Log error
SEVERE: Command not considered safe to retry because request method is POST: [method=org.jclouds.openstack.keystone.v2_0.AuthenticationApi.public abstract org.jclouds.openstack.keystone.v2_0.domain.Access org.jclouds.openstack.keystone.v2_0.AuthenticationApi.authenticateWithTenantNameAndCredentials(java.lang.String,org.jclouds.openstack.keystone.v2_0.domain.PasswordCredentials)[admin, PasswordCredentials{username=admin, password=*****}], request=POST https://XXXXXX.XXX:5000/v2.0/tokens HTTP/1.1]

Ubuntu workaround:

  1. Download Openstack public SSL cert to Openbaton machine.
  2. Copy it to /usr/local/share/ca-certificates/ and set perms to 666.
  3. Run sudo update-ca-certificates.
  4. Restart Openbaton.
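
Added example, not part of the original post or of Openbaton: a shell helper for steps 1-3 of the workaround above that stages the PoP certificate only if its SHA-256 fingerprint matches a value obtained out of band. The function names, the `--demo` mode and the `keystone.example.test` host are assumptions of this example, and it installs the file with mode 0644 (enough for `update-ca-certificates` to read it) rather than the 666 used in the post.

```shell
#!/bin/sh
# Added example (not from the issue): stage a PoP certificate for update-ca-certificates
# only after its SHA-256 fingerprint matches a value obtained out of band.
set -eu

# Print the SHA-256 fingerprint of a PEM certificate; non-zero if it cannot be parsed.
cert_fingerprint() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    printf '%s\n' "${fp#*=}"
}

# install_pop_cert <pem-file> <expected-fingerprint> [dest-dir]
# Copies the file to <dest-dir>/<name>.crt with mode 0644 and prints the new path.
# update-ca-certificates only picks up files in that directory whose names end in .crt.
install_pop_cert() {
    src=$1; expected=$2; dest=${3:-/usr/local/share/ca-certificates}
    actual=$(cert_fingerprint "$src") || { echo "not a PEM certificate: $src" >&2; return 2; }
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $src: got $actual" >&2
        return 1
    fi
    name=$(basename "$src"); name="${name%.*}.crt"
    install -m 0644 "$src" "$dest/$name" || return 3
    printf '%s\n' "$dest/$name"
}

# Constructed sample input: a throwaway self-signed certificate for a made-up host name.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=keystone.example.test" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

case "${1:-}" in
    --demo)  # offline walk-through in a temporary directory, nothing is installed system-wide
        tmp=$(mktemp -d); mkdir "$tmp/staging"
        make_sample_cert "$tmp/openstack.pem"
        fp=$(cert_fingerprint "$tmp/openstack.pem")
        install_pop_cert "$tmp/openstack.pem" "$fp" "$tmp/staging"
        install_pop_cert "$tmp/openstack.pem" "00:11" "$tmp/staging" || echo "rejected as expected"
        rm -rf "$tmp" ;;
    "") ;;   # run without arguments: only define the functions
    *)       # real use: script.sh <pem-file> <expected-fingerprint>
        install_pop_cert "$1" "${2:?expected fingerprint required}" && sudo update-ca-certificates ;;
esac
```

Restarting Openbaton (step 4) is left to the operator, since the JVM reads its trust store at startup.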

KLuka commented 8 years ago

In version 0.15 I can see much better error messages in GUI and also plugin logs :+1:

ERROR: HTTP status: 422 response data : {"code":"Bad Request","message":"Not listed Networks successfully of VimInstance main-openstack. Caused by: java.lang.Throwable: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target connecting to POST https://xxxxxxxx:5000/v2.0/tokens HTTP/1.1"}

Also from plugin log [1] I can see that Openbaton actually connects to Keystone and extracts some Openstack data (images), but it fails at some later point... Workaround described in first post still works OK.

Maybe the best solution would be to implement some configuration option that would allow Openbaton to ignore self-signed cert errors for all interactions with Openstack.

[1] Plugin log: https://gist.github.com/KLuka/a6223425868bbe432b89

gc4rella commented 8 years ago

I think the possibility of adding a configuration option is the best one. @mpauls could you please add it to the next minor version?