Hi all,
I am trying to set up internode and client encryption on cassandra. I set
up a small ca, generated the certificates, distributed them and
configured the nodes to use them.
Internode encryption worked straightforwardly, and cqlsh worked after I added "--ssl".
But I am not able to set up OpsCenter (running 5.1.1). Two issues:
1. I added the ca file path, for me /etc/opscenter/cassandra_ca.pem, as
asked. I can't save the cluster until I add a keystore, even if I did not
set a mark for client verification - also I can't find any documentation
on which keystore is meant here. Since OpsCenter is python, these are
obviously not the jks keystores from cassandra.
I guess that it is meant in that way: the individual nodes present their
certificate to opscenter, which would verify it against the ca-store.
2. Trying to connect gives me an error in opscenterd.log:
2015-05-26 10:34:27+0000 [] INFO: Using SSL when checking thrift connection: /etc/opscenter/cassandra_ca.pem, client_pem=None, client_key=None, validate=True
2015-05-26 10:34:27+0000 [] INFO: Starting factory <opscenterd.ThriftService.NoReconnectCassandraClientFactory instance at 0x7fa490ff97a0>
2015-05-26 10:34:27+0000 [] Unhandled Error
Traceback (most recent call last):
  File "/usr/share/opscenter/lib/py-debian/2.7/amd64/twisted/python/log.py", line 84, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/share/opscenter/lib/py-debian/2.7/amd64/twisted/python/log.py", line 69, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/share/opscenter/lib/py-debian/2.7/amd64/twisted/python/context.py", line 59, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/share/opscenter/lib/py-debian/2.7/amd64/twisted/python/context.py", line 37, in callWithContext
    return func(*args,**kw)
--- <exception caught here> ---
  File "/usr/share/opscenter/lib/py-debian/2.7/amd64/twisted/internet/epollreactor.py", line 220, in _doReadOrWrite
    why = selectable.doWrite()
  File "/usr/share/opscenter/lib/py-debian/2.7/amd64/twisted/internet/tcp.py", line 664, in doConnect
    self._connectDone()
  File "/usr/share/opscenter/lib/py-debian/2.7/amd64/twisted/internet/ssl.py", line 160, in _connectDone
    self.startTLS(self.ctxFactory)
  File "/usr/share/opscenter/lib/py-debian/2.7/amd64/twisted/internet/tcp.py", line 561, in startTLS
    if Connection.startTLS(self, ctx, client):
  File "/usr/share/opscenter/lib/py-debian/2.7/amd64/twisted/internet/tcp.py", line 402, in startTLS
    self.socket = SSL.Connection(ctx.getContext(), self.socket)
  File "/usr/lib/python2.7/dist-packages/opscenterd/SslUtils.py", line 54, in getContext
  File "/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 303, in load_verify_locations
    raise TypeError("cafile must be None or a byte string")
exceptions.TypeError: cafile must be None or a byte string
2015-05-26 10:34:27+0000 [] INFO: <twisted.internet.ssl.Connector instance at 0x7fa490ff9a70> will retry in 2 seconds
2015-05-26 10:34:27+0000 [] INFO: Unhandled error in Deferred:
2015-05-26 10:34:27+0000 [] Unhandled Error
Traceback (most recent call last):
Failure: twisted.internet.error.ConnectError: An error occurred while connecting: [Failure instance: Traceback (failure with no frames):
<type 'exceptions.TypeError'>: cafile must be None or a byte string
].
Any hints about this?
Thanks in advance,
Jan
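As an added illustration of the failure mode in the traceback above (this is not code from the post, from OpsCenter or from pyOpenSSL), the snippet below models the type check that produces "cafile must be None or a byte string": the TLS layer accepts only None or bytes for the CA path, while a value read from a config file or a web form usually arrives as a text (unicode) string. The function names `load_verify_locations_strict`, `to_fs_bytes`, `load_ca_safely` and `reproduce_error` are hypothetical stand-ins, and the sample path values are constructed from the one quoted in the post. It runs under Python 3 without pyOpenSSL installed.

```python
"""Added example (not OpsCenter's or pyOpenSSL's code): why a CA path that is a
unicode string trips a bytes-only load_verify_locations() check, and how a
caller can coerce the value before handing it to the TLS layer.

Assumptions (labelled, not from the post): `load_verify_locations_strict` is a
hypothetical stand-in modelled on the check quoted in the traceback; no real
pyOpenSSL context is involved.
"""
import os

# Constructed sample values: the path from the post, once as text (what a
# config parser or web form typically yields) and once as bytes.
CA_PATH_TEXT = "/etc/opscenter/cassandra_ca.pem"
CA_PATH_BYTES = b"/etc/opscenter/cassandra_ca.pem"


def load_verify_locations_strict(cafile):
    """Hypothetical stand-in for the strict check seen in the traceback.
    Accepts only None or bytes and rejects text, mirroring the message
    "cafile must be None or a byte string". Returns the accepted value."""
    if cafile is not None and not isinstance(cafile, bytes):
        raise TypeError("cafile must be None or a byte string")
    return cafile


def to_fs_bytes(path):
    """Coerce a path to bytes the way a caller should before using a
    bytes-only API: None and bytes pass through unchanged, text is encoded
    with the filesystem encoding (os.fsencode keeps odd names round-trippable).
    Anything else is rejected early with a clear message."""
    if path is None or isinstance(path, bytes):
        return path
    if isinstance(path, str):
        return os.fsencode(path)
    raise TypeError("cafile must be None, str or bytes, got %s" % type(path).__name__)


def load_ca_safely(cafile):
    """Apply the coercion and then the strict check; returns the bytes path used."""
    return load_verify_locations_strict(to_fs_bytes(cafile))


def reproduce_error(cafile):
    """Return the TypeError message the strict API raises for a given value,
    or None when the value is accepted. Useful for checking what a config
    loader actually hands to the TLS layer."""
    try:
        load_verify_locations_strict(cafile)
    except TypeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("text path  ->", reproduce_error(CA_PATH_TEXT))    # the error from the post
    print("bytes path ->", reproduce_error(CA_PATH_BYTES))   # None: accepted
    print("coerced    ->", load_ca_safely(CA_PATH_TEXT))     # b'/etc/opscenter/cassandra_ca.pem'
```

The point for anyone debugging a similar stack: the CA file itself is never opened before the check fails, so the error says nothing about the certificate or the trust chain; it is purely the type of the configured path. Coercing at the boundary where configuration is read (as `to_fs_bytes` does) keeps the TLS layer's strictness while still letting `validate=True` take effect once the path is accepted.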