Hi OVS Team,

I was trying to use test-controller with an OVS switch with SSL but found the errors below when set-controller is executed.

# ovs-vsctl set-controller br6 ssl:192.168.188.155:6633

On ovs-vswitchd.log
------------------------------------
2013-12-05T10:13:34.519Z|00081|rconn|INFO|br6<->ssl:192.168.188.155:6633: connecting...
2013-12-05T10:13:34.534Z|00082|stream_ssl|WARN|SSL_connect: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

On ovs-controller.log
---------------------------------------
2013-12-05T10:13:42.536Z|00021|stream_ssl|WARN|SSL_accept: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2013-12-05T10:13:42.536Z|00022|vconn_stream|ERR|send: Protocol error

Note: test-controller, PKI structure, ovs-vswitchd, ovsdb-server are all present or running on the same box.

----------------- Done PKI configuration as below -----------------------
Configure PKI (Refer - INSTALL.SSL)

# ovs-pki --force init
# ls /usr/local/var/lib/openvswitch/pki/
# ovs-pki req+sign ctl controller
ctl-req.pem Wed Dec 4 22:31:24 PST 2013
fingerprint 32ed2112bf73beae3b43b105e02c18f5ac308382
# ls *.pem
ctl-cert.pem ctl-privkey.pem ctl-req.pem
# ovs-pki req+sign sc switch
sc-req.pem Wed Dec 4 22:31:49 PST 2013
fingerprint b3de3da68bd4372ff255c9d6e99fcae445e902ee
# ls *.pem
ctl-cert.pem ctl-privkey.pem ctl-req.pem sc-cert.pem sc-privkey.pem sc-req.pem
# pwd
/root/work/openvswitch-web
# cp /usr/local/var/lib/openvswitch/pki/controllerca/cacert.pem .
# ls *.pem
cacert.pem ctl-privkey.pem sc-cert.pem sc-req.pem ctl-cert.pem ctl-req.pem sc-privkey.pem
-------END----------------- PKI configuration -----------------------

# cd openvswitch-web/
# ./boot.sh
# ./configure --with-linux=/lib/modules/`uname -r`/build
# make
# make check
# make modules_install
# modprobe openvswitch
# lsmod | grep openvswitch
openvswitch 81016 0
gre 12989 1 openvswitch
libcrc32c 12644 1 openvswitch
# ovsdb-tool create /usr/local/etc/openvswitch/conf.db vswitchd/vswitch.ovsschema
# ovs-vsctl -- --bootstrap set-ssl /root/work/openvswitch-web/sc-privkey.pem /root/work/openvswitch-web/sc-cert.pem /root/work/openvswitch-web/cacert.pem
# ovs-vsctl get-ssl
Private key: /root/work/openvswitch-web/sc-privkey.pem
Certificate: /root/work/openvswitch-web/sc-cert.pem
CA Certificate: /root/work/openvswitch-web/cacert.pem
Bootstrap: true
# pwd
/root/work/openvswitch-web
# ./tests/test-controller pssl: --private-key=/root/work/openvswitch-web/ctl-privkey.pem --certificate=/root/work/openvswitch-web/ctl-cert.pem --ca-cert=/root/work/openvswitch-web/cacert.pem --pidfile --detach --log-file=/usr/local/var/log/openvswitch/ovs-controller.log
2013-12-05T06:36:41Z|00001|stream_ssl|INFO|Trusting CA cert from /root/work/openvswitch-web/cacert.pem (/C=US/ST=CA/O=Open vSwitch/OU=controllerca/CN=OVS controllerca CA Certificate (2013 Dec 04 02:04:59)) (fingerprint c3:ed:b0:98:39:a8:ee:9b:6e:46:30:eb:d4:9e:6f:ce:fb:c9:22:e1)
2013-12-05T06:36:41Z|00002|vlog|INFO|opened log file /usr/local/var/log/openvswitch/ovs-controller.log
# netstat -na | grep 6633
tcp 0 0 0.0.0.0:6633 0.0.0.0:* LISTEN
# ovsdb-server --remote=punix:/usr/local/var/run/openvswitch/db.sock --remote=db:Open_vSwitch,Open_vSwitch,manager_options --private-key=db:Open_vSwitch,SSL,private_key --certificate=db:Open_vSwitch,SSL,certificate --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --pidfile --detach --log-file=/usr/local/var/log/openvswitch/ovsdb-server.log
2013-12-05T07:06:28Z|00001|vlog|INFO|opened log file /usr/local/var/log/openvswitch/ovsdb-server.log
2013-12-05T07:06:28Z|00002|stream_ssl|INFO|Trusting CA cert from /root/work/openvswitch-web/cacert.pem (/C=US/ST=CA/O=Open vSwitch/OU=controllerca/CN=OVS controllerca CA Certificate (2013 Dec 04 02:04:59)) (fingerprint c3:ed:b0:98:39:a8:ee:9b:6e:46:30:eb:d4:9e:6f:ce:fb:c9:22:e1)
# ovs-vswitchd --pidfile --detach --log-file=/usr/local/var/log/openvswitch/ovs-vswitchd.log
2013-12-05T07:04:41Z|00001|vlog|INFO|opened log file /usr/local/var/log/openvswitch/ovs-vswitchd.log
2013-12-05T07:04:41Z|00002|reconnect|INFO|unix:/usr/local/var/run/openvswitch/db.sock: connecting...
2013-12-05T07:04:41Z|00003|reconnect|INFO|unix:/usr/local/var/run/openvswitch/db.sock: connected
2013-12-05T07:04:41Z|00004|stream_ssl|INFO|Trusting CA cert from /root/work/openvswitch-web/cacert.pem (/C=US/ST=CA/O=Open vSwitch/OU=controllerca/CN=OVS controllerca CA Certificate (2013 Dec 04 02:04:59)) (fingerprint c3:ed:b0:98:39:a8:ee:9b:6e:46:30:eb:d4:9e:6f:ce:fb:c9:22:e1)
# ps -ef | grep -i ovsdb-server
root 12463 1 0 02:05 ? 00:00:00 ./ovsdb/ovsdb-server --remote=punix:/usr/local/var/run/openvswitch/db.sock --remote=db:Open_vSwitch,Open_vSwitch,manager_options --private-key=db:Open_vSwitch,SSL,private_key --certificate=db:Open_vSwitch,SSL,certificate --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --pidfile --detach --log-file=/usr/local/var/log/openvswitch/ovsdb-server.log
# ps -ef | grep -i ovs-vswitch
root 12518 1 0 02:08 ? 00:00:05 ./vswitchd/ovs-vswitchd --pidfile --detach --log-file=/usr/local/var/log/openvswitch/ovs-vswitchd.log
# ps -ef | grep -i controller
root 14328 1 86 03:30 ? 00:00:19 ./tests/test-controller pssl: --private-key=/root/work/openvswitch-web/ctl-privkey.pem --certificate=/root/work/openvswitch-web/ctl-cert.pem --ca-cert=/usr/local/var/lib/openvswitch/pki/controllerca/cacert.pem --pidfile --detach --log-file=/usr/local/var/log/openvswitch/ovs-controller.log
# ovs-vsctl add-br br5
# ovs-vsctl list-br
br5
# ovs-vsctl set-controller br6 ssl:192.168.188.155:6633

*<<<<<<<<<<<<<<< After this, things fail >>>>>>>>>>>>>>>> See log details below.*

--------------- ovs-controller.log ---------------------
2013-12-05T10:13:42.536Z|00021|stream_ssl|WARN|SSL_accept: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2013-12-05T10:13:42.536Z|00022|vconn_stream|ERR|send: Protocol error
2013-12-05T10:13:43.248Z|00023|poll_loop|INFO|Dropped 1127619 log messages in last 6 seconds (most recently, 0 seconds ago) due to excessive rate
2013-12-05T10:13:43.249Z|00024|poll_loop|INFO|wakeup due to 0-ms timeout at lib/vconn.c:935 (89% CPU usage)
2013-12-05T10:13:49.248Z|00025|poll_loop|INFO|Dropped 1037872 log messages in last 6 seconds (most recently, 0 seconds ago) due to excessive rate
2013-12-05T10:13:49.249Z|00026|poll_loop|INFO|wakeup due to 0-ms timeout at lib/vconn.c:935 (88% CPU usage)
2013-12-05T10:13:50.534Z|00027|stream_ssl|WARN|SSL_accept: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2013-12-05T10:13:55.248Z|00028|poll_loop|INFO|Dropped 1028819 log messages in last 6 seconds (most recently, 0 seconds ago) due to excessive rate
2013-12-05T10:13:55.249Z|00029|poll_loop|INFO|wakeup due to 0-ms timeout at lib/vconn.c:935 (91% CPU usage)
2013-12-05T10:13:58.535Z|00030|stream_ssl|WARN|SSL_accept: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2013-12-05T10:13:58.536Z|00031|vconn_stream|ERR|send: Protocol error
2013-12-05T10:14:01.248Z|00032|poll_loop|INFO|Dropped 908512 log messages in last 6 seconds (most recently, 0 seconds ago) due to excessive rate
2013-12-05T10:14:01.249Z|00033|poll_loop|INFO|wakeup due to 0-ms timeout at lib/vconn.c:935 (91% CPU usage)
2013-12-05T10:14:06.534Z|00034|stream_ssl|WARN|SSL_accept: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2013-12-05T10:14:06.534Z|00035|vconn_stream|ERR|send: Protocol error
2013-12-05T10:14:07.248Z|00036|poll_loop|INFO|Dropped 908099 log messages in last 6 seconds (most recently, 0 seconds ago) due to excessive rate
2013-12-05T10:14:07.249Z|00037|poll_loop|INFO|wakeup due to 0-ms timeout at lib/vconn.c:935 (92% CPU usage)
2013-12-05T10:14:13.250Z|00038|poll_loop|INFO|Dropped 931759 log messages in last 6 seconds (most recently, 0 seconds ago) due to excessive rate
2013-12-05T10:14:13.250Z|00039|poll_loop|INFO|wakeup due to 0-ms timeout at lib/vconn.c:935 (93% CPU usage)
2013-12-05T10:14:14.529Z|00040|stream_ssl|WARN|SSL_accept: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2013-12-05T10:14:19.248Z|00041|poll_loop|INFO|Dropped 901975 log messages in last 6 seconds (most recently, 0 seconds ago) due to excessive rate
2013-12-05T10:14:19.249Z|00042|poll_loop|INFO|wakeup due to 0-ms timeout at lib/vconn.c:935 (94% CPU usage)

----------------- ovs-vswitchd.log -----------
2013-12-05T10:13:34.519Z|00081|rconn|INFO|br6<->ssl:192.168.188.155:6633: connecting...
2013-12-05T10:13:34.534Z|00082|stream_ssl|WARN|SSL_connect: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
2013-12-05T10:13:34.534Z|00083|rconn|INFO|br6<->ssl:192.168.188.155:6633: connection failed (Protocol error)
2013-12-05T10:13:34.534Z|00084|rconn|INFO|br6<->ssl:192.168.188.155:6633: continuing to retry connections in the background but suppressing further logging
2013-12-05T10:13:42.518Z|00085|fail_open|WARN|Could not connect to controller (or switch failed controller's post-connection admission control policy) for 15 seconds, failing open
2013-12-05T10:13:42.535Z|00086|stream_ssl|WARN|SSL_connect: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
2013-12-05T10:13:50.544Z|00087|stream_ssl|WARN|SSL_connect: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
--------------------

What is going wrong here?

Also, the man page of ovs-vsctl in "set-controller bridge target..." says to pass --private-key, --certificate, and --ca-cert while executing set-controller, but it does not say which certificate to pass (controllerca or switchca). Also referred to INSTALL.SSL.

~ Kelvin
_______________________________________________ discuss mailing list discuss@openvswitch.org http://openvswitch.org/mailman/listinfo/discuss
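The "tlsv1 alert unknown ca" on the switch side and "no certificate returned" on the controller side are the two halves of one mutual-TLS failure: the peer verifying a client certificate does not trust the CA that signed it. ovs-pki init creates two CAs, controllerca (signs controller certs such as ctl-cert.pem) and switchca (signs switch certs such as sc-cert.pem), so each side has to be handed the other side's CA file. The script below is an added example, not code from the post or from Open vSwitch: it rebuilds that two-CA layout with plain openssl in a scratch directory (file and directory names mirror ovs-pki's, but everything here is constructed for the demo) and checks every leaf certificate against both CAs with `openssl verify`, which fails in exactly the combination that produces the alert above.

```shell
#!/bin/sh
# Added example (not from the original post or from Open vSwitch): rebuild the
# two-CA layout ovs-pki uses (controllerca signs controller certs, switchca
# signs switch certs) with plain openssl, then check each certificate against
# both CAs. The cert-to-CA pairing is what `openssl verify` and the mutual TLS
# handshake both enforce. All paths below are constructed for this demo.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# make_ca NAME: self-signed CA in $PKI_DIR/NAME/ (cacert.pem, private/cakey.pem),
# mirroring ovs-pki's directory names.
make_ca() {
  ca="$PKI_DIR/$1"
  mkdir -p "$ca/private"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=Open vSwitch/OU=$1/CN=OVS $1 CA Certificate (demo)" \
    -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem" >/dev/null 2>&1
}

# issue_cert CA NAME: writes NAME-privkey.pem, NAME-req.pem and NAME-cert.pem in
# $PKI_DIR, with the request signed by $PKI_DIR/CA (what `ovs-pki req+sign` does).
issue_cert() {
  ca="$PKI_DIR/$1"; name="$PKI_DIR/$2"
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Open vSwitch/CN=$2" \
    -keyout "$name-privkey.pem" -out "$name-req.pem" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$name-req.pem" \
    -CA "$ca/cacert.pem" -CAkey "$ca/private/cakey.pem" -CAcreateserial \
    -out "$name-cert.pem" >/dev/null 2>&1
}

# verify_cert CERT CAFILE: exit 0 if CERT chains to CAFILE, non-zero otherwise.
# A TLS endpoint that trusts only CAFILE rejects CERT with "unknown ca" when this fails.
verify_cert() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# check_pairing: the switch cert must chain to switchca (so the controller's
# --ca-cert is switchca/cacert.pem) and the controller cert must chain to
# controllerca (so the CA argument of `ovs-vsctl set-ssl` on the switch is
# controllerca/cacert.pem). Prints the file each side needs; returns 1 on mismatch.
check_pairing() {
  rc=0
  if verify_cert "$PKI_DIR/sc-cert.pem" "$PKI_DIR/switchca/cacert.pem"; then
    echo "controller --ca-cert must be: $PKI_DIR/switchca/cacert.pem"
  else
    echo "sc-cert.pem does not chain to switchca" >&2; rc=1
  fi
  if verify_cert "$PKI_DIR/ctl-cert.pem" "$PKI_DIR/controllerca/cacert.pem"; then
    echo "switch set-ssl CA file must be: $PKI_DIR/controllerca/cacert.pem"
  else
    echo "ctl-cert.pem does not chain to controllerca" >&2; rc=1
  fi
  return $rc
}

make_ca controllerca
make_ca switchca
issue_cert controllerca ctl
issue_cert switchca sc
check_pairing
```

Run against a real ovs-pki tree by pointing PKI_DIR at it and skipping the four generation calls: `verify_cert sc-cert.pem controllerca/cacert.pem` failing while `verify_cert sc-cert.pem switchca/cacert.pem` succeeds is the same trust mismatch the handshake reports, just without the retry loop.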