openssl error due to openssl.cnf.tmpl file provided by OpenStack
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | Medium | Dan Prince |
Bug Description
The command line "nova-manage project zipfile ..." generates an exception and returns the following message:
Unexpected error while running command.
Command: openssl ca -batch -out /tmp/tmpIYutU2/
Exit code: 1
Stdout: ''
Stderr: "Using configuration from ./openssl.
The above error may show that the certificate db has not been created.
Please create a database by running a nova-api server on this host.
By running the openssl command from the CA directory of OpenStack, I get the same error:
[root]# openssl ca -config openssl.cnf -infiles ../inboud.csr
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :ASN.1 12:'California'
localityName :ASN.1 12:'MountainView'
organizationName :ASN.1 12:'AnsoLabs'
organizationalU
commonName :ASN.1 12:'admin-
The stateOrProvinceName field needed to be the same in the
CA certificate (California) and the request (California)
The problem comes from the openssl.cnf template file provided by OpenStack which contains:
countryName = match
stateOrProvinceName = match
This policy is too restrictive and generates the previous error.
By replacing this policy by:
countryName = supplied
stateOrProvinceName = optional
in the openssl.cnf file, then the "nova-manage project zipfile ..." command line is OK.
So I suggest to specify these values in the openssl.cnf.tmpl file.
Related branches
- Thierry Carrez (community): Approve (gfe)
- Vish Ishaya (community): Approve
- Sandy Walsh (community): Approve
Diff: 18 lines (+5/-1), 1 file modified: nova/CA/openssl.cnf.tmpl (+5/-1)
Changed in nova:
assignee: nobody → Dan Prince (dan-prince)
status: Incomplete → In Progress
Changed in nova:
importance: Undecided → Medium
milestone: none → cactus-rc
Changed in nova:
status: In Progress → Fix Committed
Changed in nova:
milestone: cactus-rc → 2011.2
status: Fix Committed → Fix Released
This is only an issue in the new version of openssl, it would be nice to figure out why California doesn't match California (perhaps one is unicode), although it makes sense to put in this workaround in the meantime.
Vish
On Feb 24, 2011, at 5:45 AM, Philippe Berthault wrote:
> Public bug reported:
>
> The command line "nova-manage project zipfile ..." generates an exception and returns the following message:
> Unexpected error while running command.
> Command: openssl ca -batch -out /tmp/tmpIYutU2/
> Exit code: 1
> Stdout: ''
> Stderr: "Using configuration from ./openssl.
> The above error may show that the certificate db has not been created.
> Please create a database by running a nova-api server on this host.
>
> By running the openssl command from the CA directory of OpenStack, I get the same error:
> [root]# openssl ca -config openssl.cnf -infiles ../inboud.csr
> Using configuration from openssl.cnf
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> countryName :PRINTABLE:'US'
> stateOrProvinceName :ASN.1 12:'California'
> localityName :ASN.1 12:'MountainView'
> organizationName :ASN.1 12:'AnsoLabs'
> organizationalU
> commonName :ASN.1 12:'admin-
> The stateOrProvinceName field needed to be the same in the
> CA certificate (California) and the request (California)
>
> The problem comes from the openssl.cnf template file provided by OpenStack which contains:
> countryName = match
> stateOrProvinceName = match
>
> This policy is too restrictive and generates the previous error.
>
> By replacing this policy by:
> countryName = supplied
> stateOrProvinceName = optional
> in the openssl.cnf file, then the "nova-manage project zipfile ..." command line is OK.
> So I suggest to specify these values in the openssl.cnf.tmpl file.
>
> ** Affects: nova
> Importance: Undecided
> Status: New
>
...
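The open question in the comment above, why "California" fails to match "California", can be tested by comparing the ASN.1 string type of the attribute in both names, since the request output prints it as `ASN.1 12` (universal tag 12, UTF8String). The following is an added example, not code from nova or OpenSSL; the two names are constructed samples, and both the PrintableString encoding on the CA side and the type-sensitive comparison are assumptions used to illustrate that hypothesis.

```python
# Added example: minimal DER walk over an X.501 Name, standard library only.
TAG_NAMES = {0x0C: "UTF8String", 0x13: "PrintableString"}
OID_STATE = bytes([0x55, 0x04, 0x08])  # 2.5.4.8 stateOrProvinceName

def tlv(tag, body):
    """Encode one DER TLV (short-form length, enough for these samples)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlvs(buf):
    """Yield (tag, value) for each short-form TLV stored back to back in buf."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        if length >= 0x80:
            raise ValueError("long-form length not handled in this sketch")
        yield tag, buf[i + 2:i + 2 + length]
        i += 2 + length

def make_name(state, string_tag):
    """Constructed sample: a Name holding only stateOrProvinceName."""
    atv = tlv(0x30, tlv(0x06, OID_STATE) + tlv(string_tag, state.encode()))
    return tlv(0x30, tlv(0x31, atv))  # SEQUENCE { SET { AttributeTypeAndValue } }

def state_attr(name_der):
    """Return (string type, text) of stateOrProvinceName in a DER Name."""
    (_, rdns), = read_tlvs(name_der)
    for _, rdn in read_tlvs(rdns):
        for _, atv in read_tlvs(rdn):
            (_, oid), (tag, value) = read_tlvs(atv)
            if oid == OID_STATE:
                return TAG_NAMES.get(tag, hex(tag)), value.decode()
    return None

def strict_match(a, b):
    """Type-sensitive comparison: string type and text must both agree."""
    return state_attr(a) == state_attr(b)

def text_match(a, b):
    """Value-only comparison: ignores the ASN.1 string type."""
    return state_attr(a)[1] == state_attr(b)[1]

CA_NAME = make_name("California", 0x13)   # assumption: PrintableString in the CA cert
CSR_NAME = make_name("California", 0x0C)  # tag 12, as printed for the request
```

On a real deployment the same check is to dump the subject of the CA certificate and of the request and compare the string type shown next to `stateOrProvinceName` in each.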