Cannot get EC2 Metadata over SSL

Bug #1739479 reported by Georgios Dimitrakakis
This bug affects 1 person
Affects: ec2-api | Status: Fix Released | Importance: Undecided | Assigned to: Andrey Pavlov | Milestone: (none listed)

Bug Description

Hello,

I am looking for your help since I cannot get EC2 metadata over SSL.

To start with, I have an OpenStack Ocata installation and have installed the OpenStack Ec2api service (openstack-ec2-api-4.0.0-1.el7.noarch) from the "centos-openstack-ocata" repository.

I have configured EC2 to work over SSL, and indeed when I run "aws --endpoint-url https://some.domain.com:8788 ec2 describe-images" I get back the results.

In order to do so, I have changed the following parameters in the "ec2api.conf" file:

ec2api_use_ssl=true
ssl_ca_file=/etc/httpd/ssl/ca.pem
ssl_cert_file=/etc/httpd/ssl/cert.pem
ssl_key_file=/etc/httpd/ssl/key.pem

changed the endpoints to reflect the correct one:

# openstack endpoint list | grep ec2
| 37503a78d3564e45be191f6e873e7d38 | RegionOne | ec2-api | ec2api | True | public | https://some.domain.com:8788 |
| 85f57f60099c4c63961bb9e9a8ccfbdd | RegionOne | ec2-api | ec2api | True | admin | https://some.domain.com:8788 |
| a4fece6c839242e88cc9b4b242de3d5a | RegionOne | ec2-api | ec2api | True | internal | https://some.domain.com:8788 |
#

and have restarted both "openstack-ec2-api-metadata.service" and "openstack-ec2-api.service".

So far so good, since, as I wrote before, I can get the results for EC2.

The problem comes when I set "metadata_use_ssl=true" in "ec2api.conf" and restart the "openstack-ec2-api-metadata.service" and "openstack-ec2-api.service" services again.

After that I can no longer receive metadata when I spawn an instance.

The log file of a Cirros VM shows:

http://169.254.169.254/2009-04-04/instance-id [20]
failed 1/20: up 1.37. request failed
failed 2/20: up 3.62. request failed
failed 3/20: up 5.67. request failed
failed 4/20: up 7.92. request failed
failed 5/20: up 10.09. request failed
failed 6/20: up 12.34. request failed
failed 7/20: up 14.58. request failed
failed 8/20: up 16.64. request failed
failed 9/20: up 18.88. request failed
failed 10/20: up 20.94. request failed
failed 11/20: up 22.99. request failed
failed 12/20: up 25.16. request failed
failed 13/20: up 27.22. request failed
failed 14/20: up 29.29. request failed
failed 15/20: up 31.46. request failed
failed 16/20: up 33.62. request failed
failed 17/20: up 35.68. request failed
failed 18/20: up 37.81. request failed
failed 19/20: up 39.99. request failed
failed 20/20: up 42.05. request failed
failed to read iid from metadata. tried 20

and even after it boots I cannot get any reply from either "curl http://169.254.169.254/2009-04-04" or "curl https://169.254.169.254/2009-04-04".

Could you please check it and let me know where the problem lies?

Best regards,

G.

Tags: error metada ssl
Changed in ec2-api:
assignee: nobody → Andrey Pavlov (apavlov-e)
Revision history for this message
Andrey Pavlov (apavlov-e) wrote :

I couldn't set up devstack with SSL even for the base services for now, neither for the master branch nor for ocata.
Will try later...

BTW, you can try to set 'debug=true' for more logging.
The 'verbose' flag doesn't work now, as far as I know.

Revision history for this message
Andrey Pavlov (apavlov-e) wrote :

Solved.

If you want to obtain metadata via SSL you need to configure neutron, in section DEFAULT:

nova_metadata_protocol = https
auth_ca_cert = /path/to/root/cert/if/self/signed

or

nova_metadata_protocol = https

and then you'll be able to get metadata via SSL. But anyway, the metadata URL will still be http://169.254.169.254
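
The reporter's ec2api.conf settings above and Andrey's neutron answer describe two halves of one dependency: once metadata_use_ssl=true makes ec2-api serve metadata over HTTPS, the neutron metadata agent that proxies the instance's http://169.254.169.254 request to ec2-api must also be told to use https (and, for a self-signed certificate, given the CA via auth_ca_cert). The checker below is an added example, not code from the bug report, from Andrey, or from the ec2-api or neutron projects. It parses constructed copies of both files and reports the mismatch the reporter hit. The option names nova_metadata_protocol and auth_ca_cert come from the thread; nova_metadata_insecure is a real neutron metadata-agent option (not mentioned in the thread) that disables certificate verification and is flagged here as a weaker way to make the same setup "work". All file contents and paths are constructed samples.

```python
"""Consistency check for ec2-api metadata over SSL.

Added example, not code from the bug report or from the ec2-api project.
It encodes the dependency the thread uncovers: metadata_use_ssl=true in
ec2api.conf makes the ec2-api metadata service answer over HTTPS, but the
instance still calls http://169.254.169.254 and neutron's metadata agent
proxies that call to ec2-api. The agent therefore has to be switched to
nova_metadata_protocol = https and, for a private CA, given auth_ca_cert.
nova_metadata_insecure is a real neutron option that is not in the thread;
it disables certificate verification. File contents and paths below are
constructed samples.
"""
import configparser
from typing import List

# Constructed ec2api.conf matching the reporter's settings.
EC2API_CONF = """
[DEFAULT]
ec2api_use_ssl = true
ssl_ca_file = /etc/httpd/ssl/ca.pem
ssl_cert_file = /etc/httpd/ssl/cert.pem
ssl_key_file = /etc/httpd/ssl/key.pem
metadata_use_ssl = true
"""

# Constructed metadata_agent.ini as it stood when metadata stopped working:
# the agent still talks plain HTTP to a service that now only speaks HTTPS.
METADATA_AGENT_INI_BROKEN = """
[DEFAULT]
nova_metadata_protocol = http
"""

# Constructed metadata_agent.ini after applying the answer in the thread.
METADATA_AGENT_INI_FIXED = """
[DEFAULT]
nova_metadata_protocol = https
auth_ca_cert = /etc/httpd/ssl/ca.pem
"""

# Constructed variant that "works" only by turning certificate checks off.
METADATA_AGENT_INI_INSECURE = """
[DEFAULT]
nova_metadata_protocol = https
nova_metadata_insecure = true
"""


def _load(text: str) -> configparser.ConfigParser:
    """Parse an oslo.config-style INI file from a string."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def check_metadata_ssl(ec2api_conf: str, metadata_agent_ini: str) -> List[str]:
    """Return findings; an empty list means the two files agree.

    ERROR findings mean instances will not get metadata at all; WARN findings
    mean metadata is served but TLS verification is weakened or likely to fail.
    """
    ec2 = _load(ec2api_conf)
    agent = _load(metadata_agent_ini)

    ec2_ssl = ec2.getboolean("DEFAULT", "metadata_use_ssl", fallback=False)
    proto = agent.get("DEFAULT", "nova_metadata_protocol", fallback="http").lower()
    insecure = agent.getboolean("DEFAULT", "nova_metadata_insecure", fallback=False)
    ca_cert = agent.get("DEFAULT", "auth_ca_cert", fallback="").strip()

    findings = []
    if ec2_ssl and proto != "https":
        findings.append(
            "ERROR: ec2api.conf has metadata_use_ssl=true but the neutron "
            "metadata agent uses nova_metadata_protocol=%s; instances will see "
            "'request failed' for http://169.254.169.254" % proto)
    if not ec2_ssl and proto == "https":
        findings.append(
            "ERROR: neutron metadata agent expects https but ec2-api metadata "
            "is served over plain http")
    if proto == "https" and insecure:
        findings.append(
            "WARN: nova_metadata_insecure=true disables certificate verification; "
            "set auth_ca_cert to the CA that signed ssl_cert_file instead")
    if proto == "https" and not insecure and not ca_cert:
        findings.append(
            "WARN: no auth_ca_cert set; verification relies on the system CA "
            "bundle and will fail for a self-signed ec2-api certificate")
    return findings


if __name__ == "__main__":
    for name, agent_ini in (("broken", METADATA_AGENT_INI_BROKEN),
                            ("fixed", METADATA_AGENT_INI_FIXED),
                            ("insecure", METADATA_AGENT_INI_INSECURE)):
        print(name, "->", check_metadata_ssl(EC2API_CONF, agent_ini) or ["OK"])
```

Run against real files by reading /etc/ec2api/ec2api.conf and /etc/neutron/metadata_agent.ini into strings; the "broken" sample reproduces the reporter's 20 failed cirros requests as a single ERROR line, while the "fixed" sample returns no findings.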

Revision history for this message
Andrey Pavlov (apavlov-e) wrote :

Will add this info to the readme as the fix for this bug.

Revision history for this message
Georgios Dimitrakakis (giorgis-r) wrote :

Andrey,

thanks for providing a solution to this!

Regards,

G.

Changed in ec2-api:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ec2-api (master)

Reviewed: https://review.openstack.org/534288
Committed: https://git.openstack.org/cgit/openstack/ec2-api/commit/?id=ec59a03f95bba0b566ca131ae9409d5cfbd56c92
Submitter: Zuul
Branch: master

commit ec59a03f95bba0b566ca131ae9409d5cfbd56c92
Author: Andrey Pavlov <email address hidden>
Date: Tue Jan 16 15:48:52 2018 +0300

    update documentation

    Remove the link to metadata configuration from the
    devstack section. Metadata is configured by the plugin's
    devstack script and the user doesn't need to
    configure it themselves.
    Add information on how to configure metadata over SSL.

    Change-Id: I9ecfc10fed15a73417e840ddecac8a8a56d18601
    Closes-Bug: #1739479

Changed in ec2-api:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ec2-api 7.0.0

This issue was fixed in the openstack/ec2-api 7.0.0 release.
