Hi,

I'm facing an issue with cloudpipe that is driving me crazy. My cloudpipe VPN keys used to work for one tenant, but for another one (regular), it doesn't work.

I basically create a certificate:

$ nova x509-create-cert
Wrote private key to pk.pem
Wrote x509 certificate to cert.pem
$ nova x509-get-root-cert
Wrote x509 root cert to cacert.pem

Now if I verify both the cert. and the private key, they match:

$ openssl x509 -noout -modulus -in cert.pem | openssl md5
(stdin)= 93259863d334911d55be20db96709e66
$ openssl rsa -noout -modulus -in pk.key | openssl md5
(stdin)= 93259863d334911d55be20db96709e66

But if I want to verify the CA against the cert, then it doesn't match:

$ openssl verify -CAfile cacert.pem cert.pem
cert.pem: C = US, ST = California, O = OpenStack, OU = NovaDev, CN = 9b1ed48626fa46b7-2c3d0e28ec564cbe-2013-03-05T13:49:04Z
error 7 at 0 depth lookup:certificate signature failure
140284857550496:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
140284857550496:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:721:
140284857550496:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:221:

Thus I obtain the following errors in openvpn :

If I verify the CA against the certs located in /var/lib/nova/CA/projects/, it works:

$ openssl verify -CAfile /var/lib/nova/CA/projects/$project-Id/cacert.pem /var/lib/nova/CA/projects/$project-Id/newcerts/14.pem
/var/lib/nova/CA/projects/9b1ed48626fa46b7b81f21ef21979069/newcerts/14.pem: OK

And the md5 seems good as well:

$ openssl x509 -noout -modulus -in /var/lib/nova/CA/projects/$project-id/newcerts/14.pem | openssl md5

But if I choose that certificate, I get the same errors...

Is there any way to reset all the tenants' CAs and clean up a bit? (The nova certificates tables reference files that are missing: /var/lib/nova/CA/projects/9b1ed48626fa46b7b81f21ef21979069/newcerts/17.pem is an entry while the file doesn't exist.)

Best regards,
Razique

Razique Mahroua - Nuage & Co
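
A diagnostic for the mismatch described in the message above, as an added example that is not part of the original post: it tries every per-project cacert.pem under a CA directory and reports which one actually verifies a given certificate. The function names, the projA/projB demo tree and the Demo subject names are constructed; on a nova host the directory would be /var/lib/nova/CA/projects as in the post.

```shell
#!/bin/sh
# Added example, not from the original post. All names below are constructed.

# Print every <ca_root>/<project>/cacert.pem that verifies the given cert.
# Matching on the verify output (": OK") avoids relying on the exit status,
# which older openssl releases did not set reliably on failure.
find_signing_ca() {
    local cert="$1" ca_root="$2" ca
    for ca in "$ca_root"/*/cacert.pem; do
        [ -f "$ca" ] || continue
        if openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
            printf '%s\n' "$ca"
        fi
    done
}

# Build constructed sample data: two self-signed CAs with the SAME subject
# name but different keys, and one leaf certificate signed by projB only.
# An identical issuer name on both CAs mirrors the situation where the
# names line up but the signature check still fails.
make_demo_tree() {
    local root="$1" p
    for p in projA projB; do
        mkdir -p "$root/$p"
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/O=Demo/CN=demo-ca" \
            -keyout "$root/$p/cakey.pem" -out "$root/$p/cacert.pem" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -subj "/O=Demo/CN=vpn-user" \
        -keyout "$root/pk.pem" -out "$root/req.pem" 2>/dev/null
    openssl x509 -req -in "$root/req.pem" -days 1 \
        -CA "$root/projB/cacert.pem" -CAkey "$root/projB/cakey.pem" \
        -CAcreateserial -out "$root/cert.pem" 2>/dev/null
}

# Usage: sh find_ca.sh cert.pem /path/to/CA/projects
[ $# -eq 2 ] && find_signing_ca "$1" "$2"
```

If no path is printed, none of the CA certificates in that directory signed the certificate being checked.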