Open rameshganapathi opened 4 years ago
I am unable to reproduce this. Can you try posting some logs? @rameshganapathi
ovs-pki req+sign test --force -l /tmp/ovs-pki.log
Hi Mark,
Thank you for your reply.
Here is the ovs-pki logs :
```
root@home:/etc/openvswitch# ovs-pki req+sign test --force -l /tmp/ovs-pki.log
root@home:/etc/openvswitch# cat /tmp/ovs-pki.log
Generating RSA private key, 2048 bit long modulus
............................................................+++++
.....................................................+++++
e is 65537 (0x010001)
Using configuration from ca.cnf
Error Loading extension section usr_cert
root@home:/etc/openvswitch#
```
Thank you, Warm Regards, Ramesh.G
Have you modified ovs-pki or ovs-pki.in?
What version of openssl are you using (openssl version)?
No Mark, I am using the pristine version of OVS 2.13.1
```
root@home:~# ovs-pki --version
ovs-pki (Open vSwitch) 2.13.1
root@home:~# openssl version
OpenSSL 1.1.0l 10 Sep 2019
```
Thank you, Warm Regards, Ramesh.G
That version is a little older than mine but not much
$ openssl version
OpenSSL 1.1.1g FIPS 21 Apr 2020
Can you cat /var/lib/openvswitch/pki/switchca/ca.cnf
Hi Mark,
Here is the ca.cnf file content.
```
root@home:~# cat /var/lib/openvswitch/pki/switchca/ca.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
C = US
ST = CA
L = Palo Alto
O = Open vSwitch
OU = switchca
CN = OVS switchca CA Certificate (2020 Oct 13 17:12:47)
[ ca ]
default_ca = the_ca
[ the_ca ]
dir = . # top dir
database = $dir/index.txt
dir
certificate = $dir/cacert.pem # The CA cert
serial = $dir/serial # serial no file
private_key = $dir/private/cakey.pem # CA private key
RANDFILE = $dir/private/.rand
certify for
default_crl_days= 30 # how long before next CRL
default_md = sha512 # message digest to use
policy = policy # default policy
email_in_dn = no
# Subject name display option
cert_opt = ca_default #
Certificate display option
copy_extensions = none # Don't copy extensions from request
unique_subject = no # Allow certs with duplicate subjects
# For the CA policy
[ policy ]
countryName = optional
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
```
Thank you, Warm Regards, Ramesh.G
That's weird. It looks misformatted here? Is it the same in your terminal?
ovs-pki is just a wrapper around openssl. It generates the ca.cnf file and then uses openssl to generate the certs/keys/etc. Perhaps it is failing because, for some reason, it is misformatted and also truncated?
For reference, it should be formatted something like this: https://github.com/openvswitch/ovs/blob/04d140664a272fdbdd5352162ea9719b9c77cafe/utilities/ovs-pki.in#L256
Can you delete the CA and start again? ovs-pki init --force
What version of bash are you using? sh --version
Hi Mark,
This is how it looks in my terminal.
```
root@home:~# cat /var/lib/openvswitch/pki/switchca/ca.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
C = US
ST = CA
L = Palo Alto
O = Open vSwitch
OU = switchca
CN = OVS switchca CA Certificate (2020 Oct 13 17:12:47)

[ ca ]
default_ca = the_ca

[ the_ca ]
dir = . # top dir
database = $dir/index.txt # index file.
new_certs_dir = $dir/newcerts # new certs dir
certificate = $dir/cacert.pem # The CA cert
serial = $dir/serial # serial no file
private_key = $dir/private/cakey.pem # CA private key
RANDFILE = $dir/private/.rand # random number file
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha512 # message digest to use
policy = policy # default policy
email_in_dn = no # Don't add the email into cert DN
name_opt = ca_default # Subject name display option
cert_opt = ca_default # Certificate display option
copy_extensions = none # Don't copy extensions from request
unique_subject = no # Allow certs with duplicate subjects

[ policy ]
countryName = optional
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
```
Thank you, Warm Regards, Ramesh.G
What distro/package did you get this from?
Also, is this a CA that you "init"ed sometime ago and you have updated the openvswitch package in the interim?
I have cloned this from https://github.com/openvswitch/ovs/tree/v2.13.1.
No, I have not modified anything and also I have compiled the pristine OVS code and am trying to generate the certificate (No interim update done).
Thank you, Warm Regards, Ramesh.G
Hi Ramesh, ovs-pki should generate the /var/lib/openvswitch/pki/switchca/ca.cnf file. You can see here https://github.com/openvswitch/ovs/blob/714caaf5710c4ef261b64960134d9e953d5f1a75/utilities/ovs-pki.in#L299 that it should add sections [ca_cert] and [usr_cert]. These sections are a recent addition to OVS, so I suspect your /var/lib/openvswitch/pki/switchca/ca.cnf file was generated by an older version of ovs.
If this is not a production system and you do not need to maintain this old CA, I would suggest reinitializing the CA using the command:
ovs-pki init --force
You can then check that the /var/lib/openvswitch/pki/switchca/ca.cnf file has been created directly. If it has, you can re-run the cert request and sign command:
ovs-pki req+sign test --force -l
Also, make sure you are using the ovs-pki command that you cloned from that repo: which ovs-pki
Hi Mark,
Thank you so much for your help in this.
I tried reinitializing the CA using "ovs-pki init --force", but the existing ca.cnf is neither refreshed nor is a new ca.cnf file generated.
I tried removing the ca.cnf file from the "switchca" folder under "/var/lib/openvswitch/pki/" and running "ovs-pki init --force", which did not work. Hence I tried removing the "switchca" folder under "/var/lib/openvswitch/pki/" and running "ovs-pki init --force", which generates a new "switchca" folder and ca.cnf file.
This new ca.cnf file contains the "[ ca_cert ]" and "[ usr_cert ]" sections.
Is this an issue that "ovs-pki init --force" is not reinitializing the switchca and controllerca?
```
root@home:/# ovs-pki init --force
Creating controllerca...
root@home:/#
```
Thank you, Warm Regards, Ramesh.G
Hi Mark, Team,
Any inputs on the "ovs-pki init --force" issue not regenerating the ca.cnf for the switchca?
Kindly help in this regard,
Thank you, Warm Regards, Ramesh.G
I ran a test. If I run ovs-pki init and then modify the "ca.cnf" file, any subsequent invocations of ovs-pki will not modify ca.cnf (because it exists). Personally, I don't think this makes sense if the "--force" flag is specified. If the folder exists, I suspect the correct behaviour would be to delete all the old folders and start from scratch.
As a workaround, I presume you can just manually delete the folder and run the command? Does that resolve your issue?
Hi Mark,
Thank you so much for all your help and support.
Yes, manually deleting the folder and running the command "ovs-pki init" works fine.
Programmatically, if we want to generate a new ca.cnf file then "ovs-pki init --force" is the option, which as we now know is not working; hence, for now, I remove the "pki" folder and generate the ca.cnf file in the code to work around the "ovs-pki init --force" issue.
I believe we need to fix the --force issue in future releases. Do we need to have a separate bug for this? Kindly confirm.
Thank you, Warm Regards, Ramesh.G
No, we can use this bug as reference. I think we need to add an rm -rf command somewhere around here: https://github.com/openvswitch/ovs/blob/c4bc03d872db5fe6f804fc9ddbbec29e28335cb5/utilities/ovs-pki.in#L216. Feel free to submit a fix and I can review. If not, I will try to submit something soon.
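The init behaviour discussed in this thread, as an added shell sketch that is not ovs-pki's own code: an existing CA directory is left untouched unless "force" is given, in which case it is removed and regenerated (the rm -rf step suggested above), plus a check for the [ca_cert]/[usr_cert] sections whose absence produces the "Error Loading extension section usr_cert" failure. The ca.cnf written here is a constructed stand-in with only the sections the check looks at, not the real ovs-pki template.

```shell
#!/bin/sh
# Hypothetical helpers, not ovs-pki's own code.

# Return 0 if a ca.cnf carries the [ca_cert] and [usr_cert] sections that
# newer ovs-pki expects; a file generated by an older version lacks them and
# triggers "Error Loading extension section usr_cert" at signing time.
ca_cnf_has_ext_sections() {
    grep -q '^\[ *ca_cert *\]' "$1" && grep -q '^\[ *usr_cert *\]' "$1"
}

# Write a constructed stand-in ca.cnf to $1; $2 = "old" omits the
# extension sections to simulate a stale file from an older release.
write_ca_cnf() {
    {
        printf '[ ca ]\ndefault_ca = the_ca\n'
        [ "$2" = old ] || printf '[ ca_cert ]\nbasicConstraints = CA:true\n[ usr_cert ]\nbasicConstraints = CA:false\n'
    } > "$1"
}

# init_ca <pkidir> <ca name> [force]
# Returns 0 if a fresh ca.cnf was written, 1 if an existing CA was kept.
# Without "force" this reproduces the behaviour reported in the thread:
# an existing directory short-circuits regeneration.
init_ca() {
    dir="$1/$2"
    if [ -d "$dir" ]; then
        [ "$3" = force ] || return 1
        rm -rf "$dir"   # the missing step: honour force by starting from scratch
    fi
    mkdir -p "$dir/private"
    write_ca_cnf "$dir/ca.cnf" new
}
```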
From the logs below it is clear that the "test-cert.pem" file is not generated; instead a zero-byte file named "test-cert.pem.tmp18614" is generated.
```
root@home:/etc/openvswitch# /usr/bin/ovs-pki --version
ovs-pki (Open vSwitch) 2.13.1
root@home:/etc/openvswitch# ls -alrth
total 52K
drwxr-sr-x 101 root root 4.0K Oct 13 18:22 ..
-rw-r--r-- 1 root root 15K Oct 13 20:41 conf.db
-rw------- 1 root root 0 Oct 13 20:41 .conf.db.~lock~
-rw------- 1 root root 0 Oct 13 20:41 .ovs.db.~lock~
-rw------- 1 root root 0 Oct 13 20:41 .vtep.db.~lock~
-rw-r--r-- 1 root root 15K Oct 13 20:42 ovs.db
-rw-r--r-- 1 root root 8.8K Oct 13 20:43 vtep.db
drwxr-xr-x 2 root root 4.0K Oct 16 04:20 .
root@home:/etc/openvswitch# /usr/bin/ovs-pki req+sign test --force
root@home:/etc/openvswitch# ls -alrth
total 60K
drwxr-sr-x 101 root root 4.0K Oct 13 18:22 ..
-rw-r--r-- 1 root root 15K Oct 13 20:41 conf.db
-rw------- 1 root root 0 Oct 13 20:41 .conf.db.~lock~
-rw------- 1 root root 0 Oct 13 20:41 .ovs.db.~lock~
-rw------- 1 root root 0 Oct 13 20:41 .vtep.db.~lock~
-rw-r--r-- 1 root root 15K Oct 13 20:42 ovs.db
-rw-r--r-- 1 root root 8.8K Oct 13 20:43 vtep.db
-rw------- 1 root root 1.7K Oct 16 04:21 test-privkey.pem
-rw-r--r-- 1 root root 3.8K Oct 16 04:21 test-req.pem
-rw-r--r-- 1 root root 0 Oct 16 04:21 test-cert.pem.tmp18614
drwxr-xr-x 2 root root 4.0K Oct 16 04:21 .
root@home:/etc/openvswitch#
```