cloudstack-users mailing list archives

From Nico Herzhauser <hen...@hotmail.de>
Subject RE: Need help with S3 Secondary Storage
Date Wed, 15 Jul 2015 06:57:29 GMT
Hello dshevchenko,
we will try the workaround and we will give feedback if that worked for us or not.


> Date: Tue, 14 Jul 2015 16:46:23 +0300
> From: dshevchenko.mail@gmail.com
> To: users@cloudstack.apache.org
> Subject: Re: Need help with S3 Secondary Storage
> 
> Hello Nico.
> We are also trying to use S3 as secondary storage, so several thoughts:
> 1. "peer not authenticated" - maybe a problem with the access id and secret 
> id? Can you authenticate with an external client?
> 2. You cannot use a self-signed certificate, it's not supported (actually 
> you can, but it must be added as trusted to the local java keystore on all 
> nodes, including ssvm)
> 3. We also have a problem with S3 via https and ssvm, because ssvm 
> uses a custom java keystore file (/realhostip.keystore/) and this file 
> has only one trusted root certificate, from godaddy.com. But even worse - in 
> the source code it is hard-coded that you can inject your custom certificate to 
> ssvm/cpvm (I mean trusted root cert here) only if secondary storage is NFS.
> 
> As a workaround: after installation download and unpack systemvm.iso, find 
> the realhostip.keystore file, add your trusted root or self-signed 
> certificate into it via the keytool utility, recreate the iso file and 
> replace it on all management and KVM nodes.
> 
> check this 
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name
> and 
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Implementation+details+and+troubleshooting+-+uploading+custom+domain+certificate+instead+of+using+realhostip.com
> 
> On 07/14/2015 03:58 PM, Nico Herzhauser wrote:
> > Hello cloudstack usergroup,
> > we like to try S3 style storage with cloudstack 4.5 but we cannot connect to the S3 Storage. We think this is a certificate problem because the ssvm did not get the right certificate.
> > We use a Wildcard SSL certificate.
> > At the storage-vm I see the following error in the log file:
> > 2015-07-13 13:59:54,887 DEBUG [cloud.agent.Agent] (agentRequest-Handler-2:null) Seq 40-6480961338762854402:  { Ans: , MgmtId: 345049465082, via: 40, Ver: v1, Flags: 110, [{"com.cloud.agent.api.Answer":{"result":true,"details":"","wait":0}}] }
> > 2015-07-13 13:59:55,020 DEBUG [cloud.agent.Agent] (agentRequest-Handler-3:null) Request:Seq 40-6480961338762854403:  { Cmd , MgmtId: 345049465082, via: 40, Ver: v1, Flags: 100111, [{"com.cloud.agent.api.storage.ListVolumeCommand":{"store":{"com.cloud.agent.api.to.S3TO":{"id":15,"uuid":"51333282-9c81-43ca-9532-fac88f722df9","endPoint":"%fqdn%","bucketName":"secondary","httpsFlag":true,"created":"Jul 13, 2015 4:02:25 PM","enableRRS":false,"maxSingleUploadSizeInBytes":5368709120}},"wait":0}}] }
> > 2015-07-13 13:59:55,020 DEBUG [cloud.agent.Agent] (agentRequest-Handler-3:null) Processing command: com.cloud.agent.api.storage.ListVolumeCommand
> > 2015-07-13 13:59:55,031 DEBUG [cloud.utils.S3Utils] (agentRequest-Handler-3:null) Creating S3 client with configuration: [protocol: https, connectionTimeOut: 50000, maxErrorRetry: 3, socketTimeout: 50000]
> > 2015-07-13 13:59:55,160 DEBUG [cloud.utils.S3Utils] (agentRequest-Handler-3:null) Setting the end point for S3 client com.amazonaws.services.s3.AmazonS3Client@6c05762a to %fqdn%.
> > 2015-07-13 13:59:55,549 INFO  [amazonaws.http.AmazonHttpClient] (agentRequest-Handler-3:null) Unable to execute HTTP request: peer not authenticated
> > javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
> > 	at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:421)
> > 	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
> > 	at
> 
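
For triaging logs like the one quoted above, the following Python example (added here, not part of the thread and not CloudStack code) splits a run-together SSVM agent log into entries and reports each S3 TLS trust failure with the endpoint that was set on the same handler thread. The entry header layout is inferred from the quoted log; the sample lines and the endpoint name s3.example.internal are constructed.

```python
import re

# Start of one agent log entry: "2015-07-13 13:59:55,549 INFO  [logger] (thread:ctx) "
ENTRY = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(\w+)\s+"
                   r"\[([^\]]+)\]\s+\(([^):]+):[^)]*\)\s*")
ENDPOINT = re.compile(r"Setting the end point for S3 client \S+ to (\S+?)\.?\s*$")
TLS_ERRORS = ("SSLPeerUnverifiedException", "SSLHandshakeException",
              "peer not authenticated", "PKIX path building failed")


def split_entries(raw):
    """Split a log dump into entries even when the line breaks were lost."""
    marks = list(ENTRY.finditer(raw))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(raw)
        ts, level, logger, thread = m.groups()
        yield ts, level, logger, thread, raw[m.end():end].strip()


def s3_tls_failures(raw):
    """Return (timestamp, thread, endpoint, error) per S3 TLS trust failure."""
    endpoint_by_thread, findings = {}, []
    for ts, _level, logger, thread, msg in split_entries(raw):
        first_line = msg.splitlines()[0] if msg else ""
        m = ENDPOINT.search(first_line)
        if logger.endswith("S3Utils") and m:
            endpoint_by_thread[thread] = m.group(1)  # remember endpoint per thread
            continue
        hit = next((e for e in TLS_ERRORS if e in msg), None)
        if hit and "AmazonHttpClient" in logger:
            endpoint = endpoint_by_thread.get(thread, "unknown")
            findings.append((ts, thread, endpoint, hit))
    return findings


# Constructed sample in the SSVM agent log layout, run together as in the post.
SAMPLE = (
    "2015-07-13 13:59:55,031 DEBUG [cloud.utils.S3Utils] (agentRequest-Handler-3:null) "
    "Creating S3 client with configuration: [protocol: https]"
    "2015-07-13 13:59:55,160 DEBUG [cloud.utils.S3Utils] (agentRequest-Handler-3:null) "
    "Setting the end point for S3 client com.amazonaws.services.s3.AmazonS3Client@6c05762a "
    "to s3.example.internal."
    "2015-07-13 13:59:55,549 INFO  [amazonaws.http.AmazonHttpClient] (agentRequest-Handler-3:null) "
    "Unable to execute HTTP request: peer not authenticated"
    "javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated"
)

if __name__ == "__main__":
    for finding in s3_tls_failures(SAMPLE):
        print(*finding, sep=" | ")
```

A finding whose endpoint is the S3 store means the JVM on that system VM does not trust the certificate chain the endpoint presents, which is the condition the keystore workaround in the reply addresses.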
 		 	   		  