st can't work when setting up ssl access

Asked by Jun Zhang

Hi Experts,

I ran into a problem after setting up SSL access in my SAIO environment. The error is as follows.

root@OpenStackSwift:/etc/swift# st -A https://127.0.0.1:443/auth/v1.0 -U test:tester -K testing stat
Traceback (most recent call last):
  File "/usr/local/bin/st", line 7, in <module>
    execfile(__file__)
  File "/root/swift-1.3.0/bin/st", line 1715, in <module>
    error_queue)
  File "/root/swift-1.3.0/bin/st", line 1256, in st_stat
    headers = conn.head_account()
  File "/root/swift-1.3.0/bin/st", line 764, in head_account
    return self._retry(head_account)
  File "/root/swift-1.3.0/bin/st", line 742, in _retry
    rv = func(self.url, self.token, *args, **kwargs)
  File "/root/swift-1.3.0/bin/st", line 273, in head_account
    conn.request('HEAD', parsed.path, '', {'X-Auth-Token': token})
  File "/usr/lib/python2.6/httplib.py", line 910, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.6/httplib.py", line 947, in _send_request
    self.endheaders()
  File "/usr/lib/python2.6/httplib.py", line 904, in endheaders
    self._send_output()
  File "/usr/lib/python2.6/httplib.py", line 776, in _send_output
    self.send(msg)
  File "/usr/lib/python2.6/httplib.py", line 735, in send
    self.connect()
  File "/root/swift-1.3.0/swift/common/bufferedhttp.py", line 80, in connect
    return HTTPConnection.connect(self)
  File "/usr/lib/python2.6/httplib.py", line 716, in connect
    self.timeout)
  File "/usr/lib/pymodules/python2.6/eventlet/green/socket.py", line 59, in create_connection
    raise error, msg
socket.error: [Errno 111] ECONNREFUSED
root@OpenStackSwift:/etc/swift#

But accessing it with curl works correctly, as shown here.

root@OpenStackSwift:/etc/swift# curl -k -v -H 'X-Storage-User: test:tester' -H 'X-Storage-Pass: testing' https://127.0.0.1:443/auth/v1.0
* About to connect() to 127.0.0.1 port 443 (#0)
* Trying 127.0.0.1... connected
* Connected to 127.0.0.1 (127.0.0.1) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
* Server certificate:
* subject: C=AU; ST=Some-State; L=bj; O=Internet Widgits Pty Ltd; OU=hp; CN=zhj; emailAddress=zhangjun@163.com
* start date: 2011-07-10 14:09:25 GMT
* expire date: 2011-08-09 14:09:25 GMT
* common name: zhj (does not match '127.0.0.1')
* issuer: C=AU; ST=Some-State; L=bj; O=Internet Widgits Pty Ltd; OU=hp; CN=zhj; emailAddress=zhangjun@163.com
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET /auth/v1.0 HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Host: 127.0.0.1
> Accept: */*
> X-Storage-User: test:tester
> X-Storage-Pass: testing
>
< HTTP/1.1 200 OK
< X-Storage-Url: http://127.0.0.1:8080/v1/AUTH_7ba8bbaa-19b9-4d8f-a243-f6d42797b39d
< X-Storage-Token: AUTH_tk677233de58ee493cb6ee2cf01f3ac02a
< X-Auth-Token: AUTH_tk677233de58ee493cb6ee2cf01f3ac02a
< Content-Length: 112
< Date: Sun, 10 Jul 2011 16:56:54 GMT
<
* Connection #0 to host 127.0.0.1 left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
{"storage": {"default": "local", "local": "http://127.0.0.1:8080/v1/AUTH_7ba8bbaa-19b9-4d8f-a243-f6d42797b39d"}}
root@OpenStackSwift:/etc/swift#
root@OpenStackSwift:/etc/swift# curl -k -v -H 'X-Auth-Token: AUTH_tk677233de58ee493cb6ee2cf01f3ac02a' https://127.0.0.1:443/v1/AUTH_7ba8bbaa-19b9-4d8f-a243-f6d42797b39d
* About to connect() to 127.0.0.1 port 443 (#0)
* Trying 127.0.0.1... connected
* Connected to 127.0.0.1 (127.0.0.1) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
* Server certificate:
* subject: C=AU; ST=Some-State; L=bj; O=Internet Widgits Pty Ltd; OU=hp; CN=zhj; emailAddress=zhangjun@163.com
* start date: 2011-07-10 14:09:25 GMT
* expire date: 2011-08-09 14:09:25 GMT
* common name: zhj (does not match '127.0.0.1')
* issuer: C=AU; ST=Some-State; L=bj; O=Internet Widgits Pty Ltd; OU=hp; CN=zhj; emailAddress=zhangjun@163.com
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET /v1/AUTH_7ba8bbaa-19b9-4d8f-a243-f6d42797b39d HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Host: 127.0.0.1
> Accept: */*
> X-Auth-Token: AUTH_tk677233de58ee493cb6ee2cf01f3ac02a
>
< HTTP/1.1 200 OK
< X-Account-Object-Count: 1
< X-Account-Bytes-Used: 16243
< X-Account-Container-Count: 1
< Content-Length: 5
< Content-Type: text/plain; charset=utf8
< Date: Sun, 10 Jul 2011 16:57:31 GMT
<
test
* Connection #0 to host 127.0.0.1 left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
root@OpenStackSwift:/etc/swift#

The proxy-server.conf content is as follows.

root@OpenStackSwift:/etc/swift# less proxy-server.conf
[DEFAULT]
# Enter these next two values if using SSL certifications
cert_file = /etc/swift/cert.crt
key_file = /etc/swift/cert.key
bind_port = 443
user = root
log_facility = LOG_LOCAL1

[pipeline:main]
pipeline = healthcheck cache swauth proxy-server

[app:proxy-server]
use = egg:swift#proxy
allow_account_management = true

[filter:swauth]
use = egg:swift#swauth
# Highly recommended to change this.
super_admin_key = swauthkey

[filter:healthcheck]
use = egg:swift#healthcheck

[filter:cache]
use = egg:swift#memcache
memcache_servers = 192.168.64.100:11211
proxy-server.conf (END)

Before I set up SSL, st worked properly. I am not sure what is wrong. Please help me.
BTW, the swift version is 1.3.0.

TIA,
Jun Zhang

Question information

Language: English
Status: Solved
For: OpenStack Object Storage (swift)
Assignee: No assignee
Solved by: Marcelo Martins
Jun Zhang (zhangjun236) said :
#1

BTW, the firewall was closed in Ubuntu.

Marcelo Martins (btorch) said :
#2

Hi Jun,

The reason st is not working for you is that the "storage URL" attached to that account is pointing to "X-Storage-Url: http://127.0.0.1:8080/v1/AUTH_7ba8bbaa-19b9-4d8f-a243-f6d42797b39d"

Now that you have the proxy using SSL, you need to modify two things: the proxy-server.conf and also the account storage URL.

1) proxy-server.conf
Within the "[filter:swauth]" section, add:
"default_swift_cluster = local#https://LOCALNET_IP:443/v1#https://127.0.0.1:443/v1"
or just
"default_swift_cluster = local#https://127.0.0.1:443/v1"

2) Modify account storage URL using "swauth-set-account-service" tool. Use --help for more information on how to use the tool.

Once you have those changes in place and reloaded the swift proxy service, you should be all set.
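To make the failure mode above concrete, here is an added example (not code from the thread, from swift or from swauth) that does the first step of what st does, reads X-Storage-Url from the auth reply, and checks that the storage URL agrees with the endpoint auth was reached on before anything is sent to it; it also derives the corrected URL to hand to swauth-set-account-service. The header values are constructed from the curl output in the question, and the script assumes Python 3 (urllib.parse) rather than the Python 2.6 the thread ran on.

```python
# Added example, not part of the original thread or of swift/swauth: check the
# storage URL returned by auth against the endpoint auth was reached on.
from urllib.parse import urlsplit, urlunsplit

# Constructed from the curl output in the question: auth endpoint over SSL, but
# the storage URL swauth hands back still names the pre-SSL proxy address.
AUTH_URL = "https://127.0.0.1:443/auth/v1.0"
AUTH_REPLY_HEADERS = {
    "X-Storage-Url": "http://127.0.0.1:8080/v1/AUTH_7ba8bbaa-19b9-4d8f-a243-f6d42797b39d",
    "X-Auth-Token": "AUTH_tk677233de58ee493cb6ee2cf01f3ac02a",
}

def _endpoint(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return p.scheme, p.hostname, port

def check_storage_url(auth_url, headers):
    """Compare the storage URL returned by auth with the endpoint auth was
    reached on. Returns a list of findings; an empty list means st would talk
    to the same (TLS-protected) proxy it authenticated against."""
    storage_url = headers.get("X-Storage-Url")
    if not storage_url:
        return ["auth reply carries no X-Storage-Url"]
    a_scheme, a_host, a_port = _endpoint(auth_url)
    s_scheme, s_host, s_port = _endpoint(storage_url)
    findings = []
    if a_scheme == "https" and s_scheme != "https":
        findings.append("storage URL downgrades https to %s: token and data "
                        "would be sent in the clear" % s_scheme)
    if s_host != a_host:
        findings.append("storage URL host %s differs from auth host %s" % (s_host, a_host))
    if s_port != a_port:
        findings.append("storage URL port %d differs from auth port %d; expect "
                        "ECONNREFUSED if nothing listens there" % (s_port, a_port))
    return findings

def corrected_storage_url(auth_url, storage_url):
    """Rewrite the storage URL onto the auth endpoint's scheme/host/port, keeping
    the /v1/AUTH_... path: the value to pass to swauth-set-account-service."""
    a = urlsplit(auth_url)
    s = urlsplit(storage_url)
    return urlunsplit((a.scheme, a.netloc, s.path, s.query, ""))

if __name__ == "__main__":
    for finding in check_storage_url(AUTH_URL, AUTH_REPLY_HEADERS):
        print("finding:", finding)
    print("fixed:", corrected_storage_url(AUTH_URL, AUTH_REPLY_HEADERS["X-Storage-Url"]))
```

The two findings it reports for the question's headers (scheme downgrade and port 8080 versus 443) are exactly why st, unlike the hand-built curl requests, ends in ECONNREFUSED.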

Jun Zhang (zhangjun236) said :
#3

Hi Marcelo,

Thanks a lot for your response.
I tried your method, but when I ran the "swauth-set-account-service -K swauthkey test storage local http://127.0.0.1:8080/v1/AUTH_7ba8bbaa-19b9-4d8f-a243-f6d42797b39d" command, I got the following error message.

Traceback (most recent call last):
  File "/usr/local/bin/swauth-set-account-service", line 7, in <module>
    execfile(__file__)
  File "/root/swift-1.3.0/bin/swauth-set-account-service", line 69, in <module>
    ssl=(parsed.scheme == 'https'))
  File "/root/swift-1.3.0/swift/common/bufferedhttp.py", line 168, in http_connect_raw
    conn.endheaders()
  File "/usr/lib/python2.6/httplib.py", line 904, in endheaders
    self._send_output()
  File "/usr/lib/python2.6/httplib.py", line 776, in _send_output
    self.send(msg)
  File "/usr/lib/python2.6/httplib.py", line 735, in send
    self.connect()
  File "/root/swift-1.3.0/swift/common/bufferedhttp.py", line 80, in connect
    return HTTPConnection.connect(self)
  File "/usr/lib/python2.6/httplib.py", line 716, in connect
    self.timeout)
  File "/usr/lib/pymodules/python2.6/eventlet/green/socket.py", line 59, in create_connection
    raise error, msg
socket.error: [Errno 111] ECONNREFUSED

Meanwhile, I also found another problem: when I run curl to get it, it still returns an X-Storage-Url with the http protocol and port 8080, not https and 443, even though I had set up SSL for swift.

BTW, swift 1.4 works properly. I guess it is a little bit different from 1.3 in the authentication method, and it doesn't have the swauth-set-account-service command.

Thanks,
Jun Zhang

Best Marcelo Martins (btorch) said :
#4

Hi Jun,

You are not specifying the ADMIN_URL to the swauth-set-account-service tool, so it will try to use the default value, which is "http://127.0.0.1:8080/auth/", and that is incorrect for your SAIO setup if you have changed the proxy port and are using SSL.

You are also specifying an incorrect value for the new storage URL.

Try this:
"swauth-set-account-service -K swauthkey -A https://127.0.0.1:443/auth/ test storage local https://127.0.0.1:443/v1/AUTH_7ba8bbaa-19b9-4d8f-a243-f6d42797b39d"

After 1.4.1, swauth is no longer part of the core swift packages. If you would like to still use swauth please check https://github.com/gholt/swauth

Jun Zhang (zhangjun236) said :
#5

Hi Marcelo,

Thanks again for your great help. It works properly now and I can also access it with Cyberduck.

Thanks & Regards,
Jun

Jun Zhang (zhangjun236) said :
#6

Thanks Marcelo Martins, that solved my question.