Bug 478472 - RFE: condor_amazon cannot use SSL CA certs under /etc
Status: CLOSED WONTFIX
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: grid
Version: 1.1
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: 2.0
Target Release: ---
Assigned To: Robert Rati
QA Contact: Luigi Toscano
Keywords: FutureFeature
Reported: 2008-12-30 13:56 EST by Sateesh Potturu
Modified: 2011-06-15 11:18 EDT
Doc Type: Enhancement
Last Closed: 2011-06-15 11:18:44 EDT


Attachments
test code changes to condor_amazon to set /etc/pki/tls/certs in gSOAP client context (2.57 KB, patch)
2008-12-30 13:56 EST, Sateesh Potturu

Description Sateesh Potturu 2008-12-30 13:56:03 EST
Created attachment 327973
test code changes to condor_amazon to set /etc/pki/tls/certs in gSOAP client context

Description of problem:
condor_amazon fails with "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed", unless AMAZON_EC2_URL is set to unsecured http://ec2.amazonaws.com (no https)

Version-Release number of selected component (if applicable): Condor 7.2.0


How reproducible: Always


Steps to Reproduce:
1. leave AMAZON_EC2_URL unset so that default https://ec2.amazonaws.com is used
2. Submit a grid universe, amazon job
3. Observe /tmp/AmazonGahpLog.<username> for the errors
  
Actual results: Job stays in idle state forever with errors logged in /tmp/AmazonGahpLog.<username>


Expected results: Job should move to running state


Additional info:
Tested it with Condor 7.2.0 binaries from http://www.cs.wisc.edu and not with those of MRG.

Fix should be to accept a configuration parameter for cafile/capath. Attached a diff file indicating test fix that works (no negative testing, no configuration parameter)

Given below is the snippet from /tmp/AmazonGahpLog.<username>
12/21 12:45:53 AMAZON-GAHP initialized
12/21 12:45:53 got stdin: COMMANDS
12/21 12:45:53 got stdin: ASYNC_MODE_ON
12/21 12:45:53 got stdin: AMAZON_VM_STATUS_ALL 2 /home/sateesh/.ec2/cert-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.pem /home/sateesh/.ec2/pk-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.pem
12/21 12:45:53 Sending AMAZON_VM_STATUS_ALL 2 /home/sateesh/.ec2/cert-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.pem /home/sateesh/.ec2/pk-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.pem to worker 1
12/21 12:45:53 AmazonVMStatusAll workerFunction is called
12/21 12:45:54 Call to DescribeInstances failed: SOAP 1.1 fault: SOAP-ENV:Client [no subcode]
"SSL_ERROR_SSL
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
Detail: SSL connect failed in tcp_connect()
12/21 12:45:54 Command(AMAZON_VM_STATUS_ALL) got error(code:Client,msg:SSL_ERROR_SSL
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
12/21 12:45:54 CMD("AMAZON_VM_STATUS_ALL 2 /home/sateesh/.ec2/cert-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.pem /home/sateesh/.ec2/pk-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.pem") is done with result 2 1
Client SSL_ERROR_SSL\ error:14090086:SSL\ routines:SSL3_GET_SERVER_CERTIFICATE:certificate\ verify\ failed
12/21 12:45:54 got stdin: RESULTS
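
An added illustration of the fix proposed in the description above (a configurable cafile/capath), not code from the attached patch or from Condor: a Python `ssl` sketch that builds a verifying client context from configured CA locations and refuses to continue without them, instead of falling back to plain http. The function names and `TrustConfigError` are hypothetical, and the temporary directory is constructed sample input.

```python
import os
import ssl
import tempfile

class TrustConfigError(Exception):
    """No usable CA location was configured (hypothetical name)."""

def build_client_context(cafile=None, capath=None):
    """Build a verifying TLS client context from configured CA locations.

    cafile: PEM bundle of trusted CA certificates.
    capath: directory of CA certificates named by subject hash.
    """
    cafile, capath = cafile or None, capath or None
    if cafile is None and capath is None:
        raise TrustConfigError("no CA bundle file or CA directory configured")
    if cafile and not os.path.isfile(cafile):
        raise TrustConfigError("CA bundle not found: %s" % cafile)
    # A CA directory is only consulted during verification, so check the
    # path here instead of waiting for a handshake to fail.
    if capath and not os.path.isdir(capath):
        raise TrustConfigError("CA directory not found: %s" % capath)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx

def describe(ctx):
    """Summarise the settings that decide whether a server cert can verify."""
    return {
        "verify": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        # Counts certificates already in the store; CA directory entries
        # are loaded on demand and do not appear here until used.
        "cas_loaded": ctx.cert_store_stats()["x509_ca"],
    }

def demo():
    # Constructed input: an empty temporary directory stands in for a CA directory.
    with tempfile.TemporaryDirectory() as ca_dir:
        return describe(build_client_context(capath=ca_dir))

if __name__ == "__main__":
    # A bare context requires verification but trusts no CA at all, so
    # every handshake against it ends in "certificate verify failed".
    print("bare:      ", describe(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)))
    print("configured:", demo())
```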
Comment 1 Robert Rati 2009-09-30 10:47:52 EDT
I need more details about your setup in order to reproduce this issue.  Are you going through a proxy to contact EC2?  I assume so since this ticket is similar to 478475.

What is your proxy configuration?
Comment 2 Sateesh Potturu 2009-10-11 04:36:08 EDT
(In reply to comment #1)
> I need more details about your setup in order to reproduce this issue.  Are you
> going through a proxy to contact EC2?  I assume so since this ticket is similar
> to 478475.
> 
> What is your proxy configuration?  

The other ticket is related to proxy. This one is related to condor configurable to use proper CA certificate files. This problem can be reproduced without a proxy by using https://ec2.amazonaws.com as AMAZON_EC2_URL.
Comment 3 Robert Rati 2009-10-12 16:18:09 EDT
Can you try again with 7.3.2?  I'm attempting to reproduce this on a pre-7.4.0 build but I'm not finding an issue.  All my EC2 jobs get to AWS without a problem.  If it still fails for you, can you provide a relevant config snippet from your config file?
Comment 4 Robert Rati 2009-10-12 16:50:04 EDT
Also, can you provide information about the SSL cert AWS is giving you?
Comment 6 Matthew Farrellee 2011-06-15 11:18:44 EDT
amazon_gahp deprecated for ec2_gahp
