0

SSL BAD SIGNATURE octavia amphora

asked 2018-11-28 12:03:23 -0500

esxzawq

updated 2018-11-30 16:03:56 -0500

johnsom

Hi everybody,

I have configured things about SSL in Octavia based on this URL: https://review.openstack.org/#/c/613454/, thanks to Michael.

But connecting to the amphora is not possible because of SSL (BAD SIGNATURE).

I have logged into the amphora, and in /etc/octavia/amphora-agent.conf, in the [amphora_agent] section, there were:

agent_server_ca = /etc/octavia/certs/client_ca.pem

agent_server_cert = /etc/octavia/certs/server.pem3

...

Their values come from [amphora_agent] in /etc/octavia/octavia.conf on the controller node,

but agent_server_ca and agent_server_cert are commented out in the octavia.conf file.

I think the problem is caused by these two entries, which do not have correct values.

What should the values be, based on https://review.openstack.org/#/c/613454/?

Thanks in advance.


1 answer

1

answered 2018-11-30 16:05:28 -0500

johnsom

Yes, those certificates are installed into the amphora at nova boot time, so they will not be updated after a controller configuration change. A new amphora will need to be booted, either by rebuilding the loadbalancer, or using the amphora failover API.


Comments

Yes, but what should the agent_server_ca and agent_server_cert values be!?

esxzawq (2018-12-02 10:12:00 -0500)

Those are automatically filled in at amphora boot time when the configuration file is created. Those should not be set on the controllers.

johnsom (2018-12-03 18:13:29 -0500)

Yes, correct, but where does BAD_SIGNATURE come from? I have done everything based on this link (https://review.openstack.org/#/c/613454/) at least 10 times.

esxzawq (2018-12-06 01:11:29 -0500)

BAD_SIGNATURE is openssl saying it cannot validate the certificate that was presented to it. So either the cert being presented is bad/incorrect, or the CA certificate is not correct on the controller.

johnsom (2018-12-10 11:16:43 -0500)
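
Added example, not part of the original thread and not Octavia code: the thread says the amphora keeps the certificates it received at boot and that validation fails when the certificate and the controller's CA do not match. The script below reproduces that with throwaway certificates and checks each pairing with `openssl verify`. The names old_ca, new_ca and amphora_server, the helper functions and the minimal config file are constructed for the demo; the assumed scenario is a CA that was replaced after the certificate was issued.

```shell
#!/bin/sh
# Added example: does a certificate validate against a given CA file?
# All names and paths are constructed; nothing here is Octavia's own code.

# Return 0 if the certificate ($2) chains to the CA in file $1, else non-zero.
cert_validates() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Create a throwaway self-signed CA named $2 in directory $1.
make_ca() {
    openssl req -x509 -config "$1/min.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Issue certificate $3 from CA $2 (both live in directory $1).
make_cert() {
    openssl req -new -config "$1/min.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$3" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# Scenario: a certificate issued under old_ca, then checked against old_ca
# and against a replacement CA (new_ca).
# Prints "<result against old_ca> <result against new_ca>".
demo() {
    d=$(mktemp -d) || return 1
    # Minimal openssl config so the demo does not depend on the system one.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3' \
        '[dn]' '[v3]' 'basicConstraints = critical,CA:TRUE' > "$d/min.cnf"
    make_ca "$d" old_ca && make_ca "$d" new_ca &&
        make_cert "$d" old_ca amphora_server || { rm -rf "$d"; return 1; }
    cert_validates "$d/old_ca.pem" "$d/amphora_server.pem" && r1=valid || r1=invalid
    cert_validates "$d/new_ca.pem" "$d/amphora_server.pem" && r2=valid || r2=invalid
    rm -rf "$d"
    echo "$r1 $r2"
}

demo
```

The same `openssl verify -CAfile <ca> <cert>` call can be pointed at the CA file the controller is configured to use and the certificate actually present on the amphora to see which side of the mismatch applies.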
