0

st can't work when setting up ssl access

asked 2011-07-10 17:04:31 -0500

Hi Experts,

I met a problem after setting up ssl access in my SAIO environment. The error is as follows.

    root@OpenStackSwift:/etc/swift# st -A https://127.0.0.1:443/auth/v1.0 -U test:tester -K testing stat
    Traceback (most recent call last):
      File "/usr/local/bin/st", line 7, in
        execfile(__file__)
      File "/root/swift-1.3.0/bin/st", line 1715, in
        error_queue)
      File "/root/swift-1.3.0/bin/st", line 1256, in st_stat
        headers = conn.head_account()
      File "/root/swift-1.3.0/bin/st", line 764, in head_account
        return self._retry(head_account)
      File "/root/swift-1.3.0/bin/st", line 742, in _retry
        rv = func(self.url, self.token, args, *kwargs)
      File "/root/swift-1.3.0/bin/st", line 273, in head_account
        conn.request('HEAD', parsed.path, '', {'X-Auth-Token': token})
      File "/usr/lib/python2.6/httplib.py", line 910, in request
        self._send_request(method, url, body, headers)
      File "/usr/lib/python2.6/httplib.py", line 947, in _send_request
        self.endheaders()
      File "/usr/lib/python2.6/httplib.py", line 904, in endheaders
        self._send_output()
      File "/usr/lib/python2.6/httplib.py", line 776, in _send_output
        self.send(msg)
      File "/usr/lib/python2.6/httplib.py", line 735, in send
        self.connect()
      File "/root/swift-1.3.0/swift/common/bufferedhttp.py", line 80, in connect
        return HTTPConnection.connect(self)
      File "/usr/lib/python2.6/httplib.py", line 716, in connect
        self.timeout)
      File "/usr/lib/pymodules/python2.6/eventlet/green/socket.py", line 59, in create_connection
        raise error, msg
    socket.error: [Errno 111] ECONNREFUSED
    root@OpenStackSwift:/etc/swift#

But accessing with curl worked correctly, just like this.

    root@OpenStackSwift:/etc/swift# curl -k -v -H 'X-Storage-User: test:tester' -H 'X-Storage-Pass: testing' https://127.0.0.1:443/auth/v1.0
    * About to connect() to 127.0.0.1 port 443 (#0)
    * Trying 127.0.0.1... connected
    * Connected to 127.0.0.1 (127.0.0.1) port 443 (#0)
    * successfully set certificate verify locations:
    * CAfile: none CApath: /etc/ssl/certs
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS handshake, Server finished (14):
    * SSLv3, TLS handshake, Client key exchange (16):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSL connection using AES256-SHA
    * Server certificate:
    * subject: C=AU; ST=Some-State; L=bj; O=Internet Widgits Pty Ltd; OU=hp; CN=zhj; emailAddress=zhangjun@163.com
    * start date: 2011-07-10 14:09:25 GMT
    * expire date: 2011-08-09 14:09:25 GMT
    * common name: zhj (does not match '127.0.0.1')
    * issuer: C=AU; ST=Some-State; L=bj; O=Internet Widgits Pty Ltd; OU=hp; CN=zhj; emailAddress=zhangjun@163.com
    * SSL certificate verify result: self signed certificate (18), continuing anyway.

    GET /auth/v1.0 HTTP/1.1
    User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
    Host: 127.0.0.1
    ...


6 answers

0

answered 2011-07-15 05:16:26 -0500

Thanks Marcelo Martins, that solved my question.

0

answered 2011-07-10 17:23:02 -0500

BTW, the firewall was closed in Ubuntu.

0

answered 2011-07-15 05:14:44 -0500

Hi Marcelo,

Thanks again for your great help. It works properly now and I can also access it with Cyberduck.

Thanks & Regards, Jun

0

answered 2011-07-13 18:25:19 -0500

btorch

Hi Jun,

The reason why st is not working for you is because the "storage URL" that is attached to that account is pointing to "X-Storage-Url: http://127.0.0.1:8080/v1/AUTH_7ba8bbaa-19b9-4d8f-a243-f6d42797b39d".

Now that you have the proxy using SSL, you need to modify two things: the proxy-server.conf and also the account storage URL.

1) proxy-server.conf: Within the "[filter:swauth]" section, add: "default_swift_cluster = local#https://LOCALNET_IP:443/v1#https://127.0.0.1:443/v1" or just "default_swift_cluster = local#https://127.0.0.1:443/v1"

2) Modify account storage URL using "swauth-set-account-service" tool. Use --help for more information on how to use the tool.

Once you have those changes in place and reloaded the swift proxy service, you should be all set

0

answered 2011-07-14 15:01:48 -0500

Hi Marcelo,

Thanks a lot for your response. I tried your method, but when I ran the "swauth-set-account-service -K swauthkey test storage local http://127.0.0.1:8080/v1/AUTH_7ba8bbaa-19b9-4d8f-a243-f6d42797b39d" command, I got the following error msg.

    Traceback (most recent call last):
      File "/usr/local/bin/swauth-set-account-service", line 7, in <module>
        execfile(__file__)
      File "/root/swift-1.3.0/bin/swauth-set-account-service", line 69, in <module>
        ssl=(parsed.scheme == 'https'))
      File "/root/swift-1.3.0/swift/common/bufferedhttp.py", line 168, in http_connect_raw
        conn.endheaders()
      File "/usr/lib/python2.6/httplib.py", line 904, in endheaders
        self._send_output()
      File "/usr/lib/python2.6/httplib.py", line 776, in _send_output
        self.send(msg)
      File "/usr/lib/python2.6/httplib.py", line 735, in send
        self.connect()
      File "/root/swift-1.3.0/swift/common/bufferedhttp.py", line 80, in connect
        return HTTPConnection.connect(self)
      File "/usr/lib/python2.6/httplib.py", line 716, in connect
        self.timeout)
      File "/usr/lib/pymodules/python2.6/eventlet/green/socket.py", line 59, in create_connection
        raise error, msg
    socket.error: [Errno 111] ECONNREFUSED

Meantime, I also found another problem, that is, why it still fed back an X-Storage-Url with the http protocol and port 8080, not https and 443, when I ran curl to get it, because I had set up SSL for swift.

BTW, swift 1.4 can work properly. I guess it should be a little bit different from 1.3 in its authentication method, and it doesn't have the swauth-set-account-service command.

Thanks, Jun Zhang

0

answered 2011-07-14 15:15:05 -0500

btorch

Hi Jun,

You are not specifying the ADMIN_URL to the swauth-set-account-service tool, therefore it will try to use the default value, which is "http://127.0.0.1:8080/auth/", and that is incorrect for your SAIO setup if you have changed the proxy port and are using SSL.

You are also specifying an incorrect value for the new storage URL.

Try this: "swauth-set-account-service -K swauthkey -A https://127.0.0.1:443/auth/ test storage local https://127.0.0.1:443/v1/AUTH_7ba8bbaa-19b9-4d8f-a243-f6d42797b39d"

After 1.4.1, swauth is no longer part of the core swift packages. If you would like to still use swauth please check https://github.com/gholt/swauth

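The mismatch diagnosed in the answers above, as an added example that is not part of the original thread or of Swift's own code: a Python 3 check that compares the auth endpoint with the X-Storage-Url returned by the auth call, since the client sends its X-Auth-Token to whatever that header names. The function names, the response text and the token value are assumptions made for illustration; only the storage URL is taken from the thread.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed auth response; only the X-Storage-Url value comes from the thread.
STALE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Storage-Url: http://127.0.0.1:8080/v1/AUTH_7ba8bbaa-19b9-4d8f-a243-f6d42797b39d\r\n"
    "X-Auth-Token: AUTH_tk_constructed_placeholder\r\n"
    "\r\n"
)
FIXED_RESPONSE = STALE_RESPONSE.replace("http://127.0.0.1:8080", "https://127.0.0.1:443")

def endpoint(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(scheme)

def parse_headers(raw):
    """Parse a raw HTTP response head into a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def check_storage_url(auth_url, raw_response):
    """List the ways the returned X-Storage-Url disagrees with the auth endpoint."""
    storage_url = parse_headers(raw_response).get("x-storage-url")
    if storage_url is None:
        return ["no X-Storage-Url header in auth response"]
    a_scheme, a_host, a_port = endpoint(auth_url)
    s_scheme, s_host, s_port = endpoint(storage_url)
    findings = []
    if a_scheme == "https" and s_scheme != "https":
        # The client sends X-Auth-Token to the storage URL, so this is cleartext.
        findings.append("scheme downgrade: token would go to %s://%s:%s unencrypted"
                        % (s_scheme, s_host, s_port))
    if (a_host, a_port) != (s_host, s_port):
        # On a SAIO one proxy serves both auth and storage, so these should match.
        findings.append("endpoint mismatch: auth on %s:%s, storage on %s:%s"
                        % (a_host, a_port, s_host, s_port))
    return findings

if __name__ == "__main__":
    for label, resp in (("stale", STALE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, check_storage_url("https://127.0.0.1:443/auth/v1.0", resp))
```

With the stale response both findings are reported, which matches the ECONNREFUSED in the question: nothing listens on port 8080 once the proxy has moved to 443.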


Stats

Asked: 2011-07-10 17:04:31 -0500

Seen: 55 times

Last updated: Jul 15 '11