Red Hat Bugzilla – Bug 478472
RFE: condor_amazon cannot use SSL CA certs under /etc
Last modified: 2011-06-15 11:18:44 EDT
Created attachment 327973 [details]
test code changes to condor_amazon to set /etc/pki/tls/certs in gSOAP client context
Description of problem:
condor_amazon fails with "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed", unless AMAZON_EC2_URL is set to unsecured http://ec2.amazonaws.com (no https)
Version-Release number of selected component (if applicable): Condor 7.2.0
How reproducible: Always
Steps to Reproduce:
1. leave AMAZON_EC2_URL unset so that default https://ec2.amazonaws.com is used
2. Submit a grid universe, amazon job
3. Observe /tmp/AmazonGahpLog.<username> for the errors
Actual results: Job stays in idle state forever with errors logged in /tmp/AmazonGahpLog.<username>
Expected results: Job should move to running state
Tested it with Condor 7.2.0 binaries from http://www.cs.wisc.edu and not with those of MRG.
Fix should be to accept a configuration parameter for cafile/capath. Attached a diff file indicating test fix that works (no negative testing, no configuration parameter)
Given below is the snippet from /tmp/AmazonGahpLog.<username>
12/21 12:45:53 AMAZON-GAHP initialized
12/21 12:45:53 got stdin: COMMANDS
12/21 12:45:53 got stdin: ASYNC_MODE_ON
12/21 12:45:53 got stdin: AMAZON_VM_STATUS_ALL 2 /home/sateesh/.ec2/cert-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.pem /home/sateesh/.ec2/pk-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.pem
12/21 12:45:53 Sending AMAZON_VM_STATUS_ALL 2 /home/sateesh/.ec2/cert-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.pem /home/sateesh/.ec2/pk-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.pem to worker 1
12/21 12:45:53 AmazonVMStatusAll workerFunction is called
12/21 12:45:54 Call to DescribeInstances failed: SOAP 1.1 fault: SOAP-ENV:Client [no subcode]
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
Detail: SSL connect failed in tcp_connect()
12/21 12:45:54 Command(AMAZON_VM_STATUS_ALL) got error(code:Client,msg:SSL_ERROR_SSL
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
12/21 12:45:54 CMD("AMAZON_VM_STATUS_ALL 2 /home/sateesh/.ec2/cert-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.pem /home/sateesh/.ec2/pk-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.pem") is done with result 2 1
Client SSL_ERROR_SSL\ error:14090086:SSL\ routines:SSL3_GET_SERVER_CERTIFICATE:certificate\ verify\ failed
12/21 12:45:54 got stdin: RESULTS
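A triage sketch for the log format shown above, added here as an example and not part of the original report or of Condor: it scans an AmazonGahpLog for EC2 calls whose continuation line carries the OpenSSL "certificate verify failed" error, counting each failed call once even though the GAHP repeats the error on later lines. The sample text is constructed to mirror the snippet (key paths replaced with placeholders, the RunInstances record invented as a negative case), and the function name is hypothetical.

```python
import re

# Constructed sample mirroring the report's log format; paths are placeholders
# and the RunInstances record is an invented non-TLS failure.
SAMPLE_LOG = '''\
12/21 12:45:53 AMAZON-GAHP initialized
12/21 12:45:53 got stdin: AMAZON_VM_STATUS_ALL 2 /home/user/.ec2/cert.pem /home/user/.ec2/pk.pem
12/21 12:45:54 Call to DescribeInstances failed: SOAP 1.1 fault: SOAP-ENV:Client [no subcode]
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
Detail: SSL connect failed in tcp_connect()
12/21 12:45:54 Command(AMAZON_VM_STATUS_ALL) got error(code:Client,msg:SSL_ERROR_SSL
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
12/21 12:50:01 Call to RunInstances failed: SOAP 1.1 fault: SOAP-ENV:Server [no subcode]
Detail: connection timed out
'''

STAMP = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) (.*)$")
CALL_FAILED = re.compile(r"Call to (\w+) failed")
SSL_ERR = re.compile(r'error:([0-9A-Fa-f]{8}):SSL routines:(\w+):([^"]+)')


def find_verify_failures(log_text):
    """Return one finding per EC2 call that failed TLS certificate verification."""
    findings, pending = [], None
    for line in log_text.splitlines():
        stamped = STAMP.match(line)
        if stamped:
            # A new timestamped record ends the previous record's continuation
            # lines; remember it only if it reports a failed EC2 call.
            call = CALL_FAILED.search(stamped.group(2))
            pending = (stamped.group(1), call.group(1)) if call else None
            continue
        # Untimestamped lines are continuations of the record above them.
        err = SSL_ERR.search(line)
        if err and pending and "certificate verify failed" in err.group(3):
            findings.append({"time": pending[0], "call": pending[1],
                             "code": err.group(1), "routine": err.group(2)})
            pending = None  # later repeats of the same error are not recounted
    return findings


if __name__ == "__main__":
    for f in find_verify_failures(SAMPLE_LOG):
        print(f"{f['time']} {f['call']}: server certificate not verified "
              f"(OpenSSL {f['code']}, {f['routine']}); check the client's CA file/path")
```
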
I need more details about your setup in order to reproduce this issue. Are you going through a proxy to contact EC2? I assume so since this ticket is similar to 478475.
What is your proxy configuration?
(In reply to comment #1)
> I need more details about your setup in order to reproduce this issue. Are you
> going through a proxy to contact EC2? I assume so since this ticket is similar
> to 478475.
> What is your proxy configuration?
The other ticket is related to proxy. This one is related to making condor configurable to use proper CA certificate files. This problem can be reproduced without a proxy by using https://ec2.amazonaws.com as AMAZON_EC2_URL.
Can you try again with 7.3.2? I'm attempting to reproduce this on a pre-7.4.0 build but I'm not finding an issue. All my EC2 jobs get to AWS without a problem. If it still fails for you, can you provide a relevant config snippet from your config file?
Also, can you provide information about the SSL cert AWS is giving you?
amazon_gahp deprecated for ec2_gahp