Re: Debugging radosgw/keystone packet signing issue

Hi Yehuda,

I finally managed to make it work :) 

The certificates were correct but the trust options for the "signing_cert"
were not.
The command I used to convert the signing_cert is the following:

# openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -pubkey | 
	certutil -A -d /var/lib/ceph/nss/ -n signing_cert -t "P,P,P" 

As you can see I've changed the trust options from "TCu,Cu,Tuw" to "P,P,P".

So my actual NSS db is as follows:

# certutil -L -d /var/lib/ceph/nss/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca                                                           CT,C,c
signing_cert                                                 P,P,P

It was clear to me that something was wrong with the trust options, because
the error was coming after a call to NSS_CMSSignedData_VerifySignerInfo,
which mainly verifies the trust options.
I'm not sure that the trust options "P,P,P" are 100% correct security-wise,
but it works after all.

Maybe the documentation was written when libnss had this bug
https://bugzilla.mozilla.org/show_bug.cgi?id=531160.

Cheers,
Davide
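Added example (written for this thread, not code from Ceph, NSS or the original posts): a small parser for `certutil -L` output that checks the trust flags of the listing above against the combination reported as working, assuming the nicknames signing_cert and ca from the thread.

```python
import re

# Added example for this thread (not Ceph/radosgw code). certutil(1) trust
# letters: p/P valid/trusted peer, c/C valid/trusted CA, T trusted CA for
# client auth, u user cert, w send warning.
USAGES = ("SSL", "S/MIME", "JAR/XPI")  # the three trust columns

# Constructed copy of the `certutil -L -d /var/lib/ceph/nss/` listing.
CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca                                                           CT,C,c
signing_cert                                                 P,P,P
"""

# nickname, two or more spaces, then three comma-separated flag groups
_LINE = re.compile(r"^(\S.*?)\s{2,}([pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")


def parse_certutil_list(text):
    """Return {nickname: {usage: set(flags)}} from certutil -L output."""
    db = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:  # header, column-label and blank lines
            continue
        nick, trust = m.groups()
        db[nick] = {u: set(f) for u, f in zip(USAGES, trust.split(","))}
    return db


def trusted_as(db, nick, usage, flag):
    """True if nick carries flag for usage; P implies p and C implies c."""
    flags = db.get(nick, {}).get(usage, set())
    return flag in flags or {"p": "P", "c": "C"}.get(flag) in flags


def cms_signer_trust_problem(db, signer="signing_cert", ca="ca"):
    """None if trust matches the thread's working setup, else a reason."""
    if signer not in db:
        return f"{signer!r} missing from NSS db"
    missing = [u for u in USAGES if not trusted_as(db, signer, u, "P")]
    if missing:
        return f"{signer!r} lacks trusted-peer flag P for {', '.join(missing)}"
    if ca in db and not trusted_as(db, ca, "S/MIME", "C"):
        return f"{ca!r} is not a trusted CA for S/MIME"
    return None
```

Feeding it the output of `certutil -L -d /var/lib/ceph/nss/` lets you spot the "TCu,Cu,Tuw" case from the documentation before radosgw reports SigningCertNotTrusted.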

-----Original Message-----
From: Yehuda Sadeh [mailto:yehuda@xxxxxxxxxxx]
Sent: Tuesday, May 28, 2013 16:07
To: Davide Fanciola
Cc: ceph-users@xxxxxxxxxxxxxx
Subject: Re: Debugging radosgw/keystone packet signing issue

It might be that it's missing another certificate (for the CA). Under
/etc/keystone/ssl there are a bunch of other certificates, maybe the
instructions are missing one of these.

Yehuda

On Tue, May 28, 2013 at 2:40 AM, Davide Fanciola <dfanciola@xxxxxxxxx>
wrote:
> Hi all,
>
> I'm trying to debug a problem with packet signing between radosgw and
> keystone.
>
> I have followed the procedure available here
> http://ceph.com/docs/master/radosgw/config/#integrating-with-openstack-keystone,
> but the following problem appears in the logs:
>
> 2013-05-28 11:24:07.169902 7fea527fc700  2 keystone revoke thread: start
>
> 2013-05-28 11:24:07.169999 7fea527fc700 20 sending request to
> http://ubu-keystone:35357/v2.0/tokens/revoked
>
> 2013-05-28 11:24:07.196865 7fea527fc700 10 request returned {"signed":
> "-----BEGIN
> CMS-----\nMIIBQwYJKoZIhvcNAQcCoIIBNDCCATACAQExCTAHBgUrDgMCGjAeBgkqhkiG
> 9w0B\nBwGgEQQPeyJyZXZva2VkIjogW119MYH/MIH8AgEBMFwwVzELMAkGA1UEBhMCVVMx
> \nDjAMBgNVBAgTBVVuc2V0MQ4wDAYDVQQHEwVVbnNldDEOMAwGA1UEChMFVW5zZXQx\nGD
> AWBgNVBAMTD3d3dy5leGFtcGxlLmNvbQIBATAHBgUrDgMCGjANBgkqhkiG9w0B\nAQEFAA
> SBgA5iHQgrjKoUbuKv/Sd1RNLshdmrAcgT8f5BynkuTaKe/2dlifgAQgY0\neokGC427zC
> 6AnFd6AzZcn+NOjAez2co3BPSHwkYd356+PpLxJ75muzriWbS67MYl\nkWK+hryhX3Cqkw
> rbYBo340bnrsjn1kCzamMVL54Bjbtm8OqcuRCq\n-----END
> CMS-----\n"}
>
> 2013-05-28 11:24:07.197457 7fea527fc700  0 ERROR: signer 0 status = SigningCertNotTrusted
>
> 2013-05-28 11:24:07.197470 7fea527fc700  0 ERROR: problem decoding
>
> 2013-05-28 11:24:07.197471 7fea527fc700  0 ceph_decode_cms returned -22
>
> 2013-05-28 11:24:07.197480 7fea527fc700  0 ERROR: keystone revocation
> processing returned error r=-22
>
> I've already tried to bump up the log levels but with no result. This
> is what I've tried:
>
> debug ms = 1
> debug rgw = 20
> debug crypto = 5
> debug auth = 5
> debug none = 5
> debug asok = 5
>
> Is there a way to have a more detailed log of what's going on?
>
> Thanks,
>
> Davide
>
> _______________________________________________
> ceph-users mailing list
> ceph-users@xxxxxxxxxxxxxx
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>

_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com