Invalid cert to bundle http://173.203.107.207/ubuntu-lucid.tar

Asked by Hugo Kou

When I try to bundle the image I got from the link:
http://wiki.openstack.org/NovaInstallFestInstructions?highlight=%28twisted%29

=========================================================
root@openstack:~# euca-bundle-image -i vmlinuz-2.6.32-23-server --kernel true
Invalid cert
=========================================================

Question information

Language: English
Status: Solved
For: OpenStack Compute (nova)
Assignee: No assignee
Solved by: Hugo Kou
Hugo Kou (tonytkdk) said :
#1

I think it might be because I used novascript to install and run nova.
There is no pk.pem in /nova or /nova/CA.

How do I create the certificate?

I used nova-manage to create the certificate with:
==============================================================
root@openstack:/# nova-manage project zipfile admin admin

INFO:root:backend <module 'nova.db.sqlalchemy.api' from '/nova/nova/db/sqlalchemy/api.pyc'>
DEBUG:root:openssl genrsa -out /tmp/tmpppQPnM/temp.key 1024
DEBUG:root:Running openssl genrsa -out /tmp/tmpppQPnM/temp.key 1024
Generating RSA private key, 1024 bit long modulus
..++++++
...............................++++++
e is 65537 (0x10001)
DEBUG:root:Generating private key: 0
DEBUG:root:Running openssl req -new -key /tmp/tmpppQPnM/temp.key -out /tmp/tmpppQPnM/temp.csr -batch -subj /C=US/ST=California/L=MountainView/O=AnsoLabs/OU=NovaDev/CN=admin-2010-11-17T07:44:12Z
DEBUG:root:Generating CSR: 0
DEBUG:root:Flags path: /nova/nova/../CA
DEBUG:root:Running openssl ca -batch -out /tmp/tmpay2iF7/outbound.crt -config ./openssl.cnf -infiles /tmp/tmpay2iF7/inbound.csr
Using configuration from ./openssl.cnf
error loading the config file './openssl.cnf'
32067:error:02001002:system library:fopen:No such file or directory:bss_file.c:126:fopen('./openssl.cnf','rb')
32067:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:129:
32067:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197:
DEBUG:root:Signing cert: 1
Traceback (most recent call last):
  File "/nova/bin/nova-manage", line 508, in <module>
    main()
  File "/nova/bin/nova-manage", line 500, in main
    fn(*argv)
  File "/nova/bin/nova-manage", line 362, in zipfile
    zip_file = self.manager.get_credentials(user_id, project_id)
  File "/nova/nova/auth/manager.py", line 635, in get_credentials
    private_key, signed_cert = self._generate_x509_cert(user.id, pid)
  File "/nova/nova/auth/manager.py", line 697, in _generate_x509_cert
    signed_cert = crypto.sign_csr(csr, pid)
  File "/nova/nova/crypto.py", line 129, in sign_csr
    return _sign_csr(csr_text, FLAGS.ca_path)
  File "/nova/nova/crypto.py", line 152, in _sign_csr
    (tmpfolder, tmpfolder))
  File "/nova/nova/utils.py", line 132, in runthis
    cmd=cmd)
nova.exception.ProcessExecutionError: Unexpected error while running command.
Command: openssl ca -batch -out /tmp/tmpay2iF7/outbound.crt -config ./openssl.cnf -infiles /tmp/tmpay2iF7/inbound.csr
Exit code: 1
Stdout: None
Stderr: None
==========================================================

The result: it failed.

I tried to solve it by creating a new administrator or user of nova.
==========================================================
$root@openstack:/# nova-manage user create hugo
INFO:root:backend <module 'nova.db.sqlalchemy.api' from '/nova/nova/db/sqlalchemy/api.pyc'>
export EC2_ACCESS_KEY=6379efc7-c12f-44cf-8e83-e1eeeecb4175
export EC2_SECRET_KEY=0824e427-97f7-4087-a457-4e77951461e0

$root@openstack:/# nova-manage project create hugopro hugo
INFO:root:backend <module 'nova.db.sqlalchemy.api' from '/nova/nova/db/sqlalchemy/api.pyc'>

$root@openstack:/# nova-manage project zipfile hugopro hugo
INFO:root:backend <module 'nova.db.sqlalchemy.api' from '/nova/nova/db/sqlalchemy/api.pyc'>
DEBUG:root:openssl genrsa -out /tmp/tmp4QcKtR/temp.key 1024
DEBUG:root:Running openssl genrsa -out /tmp/tmp4QcKtR/temp.key 1024
Generating RSA private key, 1024 bit long modulus
........++++++
.++++++
e is 65537 (0x10001)
DEBUG:root:Generating private key: 0
DEBUG:root:Running openssl req -new -key /tmp/tmp4QcKtR/temp.key -out /tmp/tmp4QcKtR/temp.csr -batch -subj /C=US/ST=California/L=MountainView/O=AnsoLabs/OU=NovaDev/CN=hugo-2010-11-17T07:53:59Z
DEBUG:root:Generating CSR: 0
DEBUG:root:Flags path: /nova/nova/../CA
DEBUG:root:Running openssl ca -batch -out /tmp/tmp3FUztn/outbound.crt -config ./openssl.cnf -infiles /tmp/tmp3FUztn/inbound.csr
Using configuration from ./openssl.cnf
error loading the config file './openssl.cnf'
32176:error:02001002:system library:fopen:No such file or directory:bss_file.c:126:fopen('./openssl.cnf','rb')
32176:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:129:
32176:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197:
DEBUG:root:Signing cert: 1
Traceback (most recent call last):
  File "/nova/bin/nova-manage", line 508, in <module>
    main()
  File "/nova/bin/nova-manage", line 500, in main
    fn(*argv)
  File "/nova/bin/nova-manage", line 362, in zipfile
    zip_file = self.manager.get_credentials(user_id, project_id)
  File "/nova/nova/auth/manager.py", line 635, in get_credentials
    private_key, signed_cert = self._generate_x509_cert(user.id, pid)
  File "/nova/nova/auth/manager.py", line 697, in _generate_x509_cert
    signed_cert = crypto.sign_csr(csr, pid)
  File "/nova/nova/crypto.py", line 129, in sign_csr
    return _sign_csr(csr_text, FLAGS.ca_path)
  File "/nova/nova/crypto.py", line 152, in _sign_csr
    (tmpfolder, tmpfolder))
  File "/nova/nova/utils.py", line 132, in runthis
    cmd=cmd)
nova.exception.ProcessExecutionError: Unexpected error while running command.
Command: openssl ca -batch -out /tmp/tmp3FUztn/outbound.crt -config ./openssl.cnf -infiles /tmp/tmp3FUztn/inbound.csr
Exit code: 1
Stdout: None
Stderr: None
===================================================
After these, I got a nova.zip. Extracting nova.zip, I got a pk.pem.
Then I put pk.pem in the correct location, which is defined in novarc.

Yes, I can bundle images and upload, but the instance always responds "pending".

Should I modify anything in nova.sh before I perform "nova.sh install" or "nova.sh run"?

Ryan Lucio (rlucio) said :
#2

Ah! I know this one.

This is an oddity, since out of the box the Nova daemons usually fail to start... so you set the configuration and do the nova-manage steps before starting them. What I am trying to say is that it's just an order of operations issue.

When you run nova-api the first time, it generates the CA stuff, including openssl.cnf. Then you should be able to go back to nova-manage to create your zipfile. This might be worth converting into a bug report or at least a documentation update IMHO.

Hugo Kou (tonytkdk) said :
#3

Solution:

Before nova.sh run, do:
nova-manage project zipfile <project_name> <you_name>
# In novascript this is admin admin; if you want to change these, you have to delete admin admin and then add your own project_name & you_name.
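
Added example (not part of the thread and not Nova's own code): a shell preflight for the two conditions seen above, a CA directory with no openssl.cnf in it (the `openssl ca` failure in #1, explained in #2) and a missing or mismatched private key and certificate before bundling. The function names and return codes are assumptions; the arguments are the CA directory (/nova/CA in #1) and the key and certificate paths your novarc points at.

```shell
#!/bin/sh
# Added example: preflight checks for the credential steps in this thread.
# Return codes (assumed for this example):
#   0 ok, 1 CA dir not initialised, 2 key or cert file missing,
#   3 key or cert unreadable, 4 key and cert do not belong together.

# check_ca_dir DIR
# The traceback in #1 is `openssl ca -config ./openssl.cnf` running in a CA
# directory that has no openssl.cnf yet.
check_ca_dir() {
    [ -f "$1/openssl.cnf" ] || { echo "no openssl.cnf in $1" >&2; return 1; }
}

# check_keypair KEY CERT
# Both files exist and are non-empty, both parse, and the certificate
# carries the public half of the private key.
check_keypair() {
    key=$1; cert=$2
    [ -s "$key" ] && [ -s "$cert" ] || {
        echo "missing or empty: $key / $cert" >&2; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot read private key $key" >&2; return 3; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate $cert" >&2; return 3; }
    [ "$key_pub" = "$cert_pub" ] || {
        echo "certificate was not issued for this key" >&2; return 4; }
}

# preflight CA_DIR KEY CERT: run both checks, stop at the first failure.
preflight() {
    check_ca_dir "$1" || return $?
    check_keypair "$2" "$3" || return $?
    echo "credentials look consistent"
}

# Run directly as: sh preflight.sh /nova/CA /path/to/pk.pem /path/to/cert
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

A non-zero return before `nova-manage project zipfile` or `euca-bundle-image` points at which of the two steps to redo.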