Join us at engage.eucalyptus.com
I am trying to setup a private cloud using UEC
I am setting up using the documention provided in
http://open.eucalyptus.com/wiki/EucalyptusInstallationUbuntuJaunty_v1.6
I am using 2 machines for the setup
Machine 1 is running Ubuntu Desktop Edition 10.04 (64 bit). This I am using as front end
Machine 2 is running Ubuntu Desktop Edition 10.04 (64 bit). This as node controller
In Front End
I have registered walrus,cluster,storage controller with front-end IP address
I have also registered node with Node IP address
Then we tried https://front-end-ip:8443
We got the following Connection untrusted
In Technical details
Certificate is untrusted because its self-signed)
(Error code:sec_error_expired_issuer_certificate)
We add an exception and selected get certificate button & confirm the security exception.
In the Certificate viewer it shows could not verify because it has expired
validity Thursday 08 september 2011
expires on Thursday 08 september 2016
( but our system time is august 8 )
After adding exception we got the Web User Interface but on store tab it shows the following error
Error 60: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt
CRLfile: none
Arun -
I'm having the same exact issue.
I've spent over 2 weeks now trying to get my cloud installation up and running. Yesterday, I was able to access the store and download images. But due to other configuration issues, I reinstalled Eucalyptus using the UEC 11.04 cloud install and then updated and upgraded my installation.
Now I'm getting the same error and there doesn't appear to be anything online about how to fix it anywhere.
I'm guessing it may have to do with upgrading the system and tomorrow am going to try another fresh install with no upgrades.
Have you made any progress?
.... and I am having several UEC private cloud installations (all based on 11.04), and the same issue is present on all of my cloud installations.
Well, it's nice to know I'm not the only one....
Arun and Zoran - Did you both update/upgrade your Ubuntu installations?
I'm wondering if some new update may have introduced this issue.
My knowledge of what's happening when you click on the store tab is very limited...since I can't find the EMI images anywhere on my machine, I'm assuming my machine is going out to the Internet and getting them from some location.
Eucalyptus staff - Is there somewhere we can download those images directly instead of going through the store?
How does the store "work"?
And is this an issue with the web server that is storing the images (meaning not a problem we are introducing)? Or some configuration issue on our end?
I'm so close to having a running cloud...
Ok.
So I managed to get an old version of a Cloud Controller working and looked at the requests the working and non-working Cloud Controllers were sending on the status page.
Here is the non-working request:
5|0|11|https://xx:xx:xx:xx8443/|D9E37FD3148FA094448DA7797BAA61F2|edu.ucsb.eucalyptus.admin.client.extensions.store.ImageStoreService|requestJSON|java.lang.String|edu.ucsb.eucalyptus.admin.client.extensions.store.ImageStoreService$Method|[Ledu.ucsb.eucalyptus.admin.client.extensions.store.ImageStoreService$Parameter;|d4e7842e-4366-4c06-8969-088fb84e148e|edu.ucsb.eucalyptus.admin.client.extensions.store.ImageStoreService$Method/4272089282|http://localhost:52780/api/states|[Ledu.ucsb.eucalyptus.admin.client.extensions.store.ImageStoreService$Parameter;/3900275228|1|2|3|4|4|5|6|5|7|8|9|1|10|11|0|
Here is the working request:
5|0|19|https://xx.xx.xx.xx:8443/|D9E37FD3148FA094448DA7797BAA61F2|edu.ucsb.eucalyptus.admin.client.extensions.store.ImageStoreService|requestJSON|java.lang.String|edu.ucsb.eucalyptus.admin.client.extensions.store.ImageStoreService$Method|[Ledu.ucsb.eucalyptus.admin.client.extensions.store.ImageStoreService$Parameter;|361ac726-e5d2-481b-a353-6a566b3f4b35|edu.ucsb.eucalyptus.admin.client.extensions.store.ImageStoreService$Method/4272089282|http://localhost:52780/api/states|[Ledu.ucsb.eucalyptus.admin.client.extensions.store.ImageStoreService$Parameter;/3900275228|edu.ucsb.eucalyptus.admin.client.extensions.store.ImageStoreService$Parameter/3480488643|image-uri|https://imagestore.canonical.com/api/images/karmic-amd64-20091027|https://imagestore.canonical.com/api/images/karmic-i386-20091027|https://imagestore.canonical.com/api/images/lucid-amd64-20100427.1|https://imagestore.canonical.com/api/images/lucid-i386-20100427.1|https://imagestore.canonical.com/api/images/mdb-appliance-20100120|https://imagestore.canonical.com/api/images/mediawiki-demo-i386-0.1|1|2|3|4|4|5|6|5|7|8|9|1|10|11|6|12|13|14|12|13|15|12|13|16|12|13|17|12|13|18|12|13|19|
Clearly, my "broken" installation is not sending the same information to the image server. Why...I'm still trying to track down.
So if your store isn't working (still can't figure out why), you should be able to just download the necessary parts by following the URLs in the working "response":
//OK[1,["{\"states\": [{\"status\": \"uninstalled\", \"actions\": {\"install\": \"http://localhost:52780/api/images/aHR0cHM6Ly9pbWFnZXN0b3JlLmNhbm9uaWNhbC5jb20vYXBpL2ltYWdlcy9rYXJtaWMtYW1kNjQtMjAwOTEwMjc=/install\"}, \"image-uri\": \"https://imagestore.canonical.com/api/images/karmic-amd64-20091027\"}, {\"status\": \"installed\", \"eki\": \"eki-F3BD10E3\", \"image-uri\": \"https://imagestore.canonical.com/api/images/karmic-i386-20091027\", \"emi\": \"emi-DD6E105C\", \"actions\": {}, \"eri\": \"eri-07FC1141\"}, {\"status\": \"uninstalled\", \"actions\": {\"install\": \"http://localhost:52780/api/images/aHR0cHM6Ly9pbWFnZXN0b3JlLmNhbm9uaWNhbC5jb20vYXBpL2ltYWdlcy9sdWNpZC1hbWQ2NC0yMDEwMDQyNy4x/install\"}, \"image-uri\": \"https://imagestore.canonical.com/api/images/lucid-amd64-20100427.1\"}, {\"status\": \"uninstalled\", \"actions\": {\"install\": \"http://localhost:52780/api/images/aHR0cHM6Ly9pbWFnZXN0b3JlLmNhbm9uaWNhbC5jb20vYXBpL2ltYWdlcy9sdWNpZC1pMzg2LTIwMTAwNDI3LjE=/install\"}, \"image-uri\": \"https://imagestore.canonical.com/api/images/lucid-i386-20100427.1\"}, {\"status\": \"uninstalled\", \"actions\": {\"install\": \"http://localhost:52780/api/images/aHR0cHM6Ly9pbWFnZXN0b3JlLmNhbm9uaWNhbC5jb20vYXBpL2ltYWdlcy9tZGItYXBwbGlhbmNlLTIwMTAwMTIw/install\"}, \"image-uri\": \"https://imagestore.canonical.com/api/images/mdb-appliance-20100120\"}, {\"status\": \"uninstalled\", \"actions\": {\"install\": \"http://localhost:52780/api/images/aHR0cHM6Ly9pbWFnZXN0b3JlLmNhbm9uaWNhbC5jb20vYXBpL2ltYWdlcy9tZWRpYXdpa2ktZGVtby1pMzg2LTAuMQ==/install\"}, \"image-uri\": \"https://imagestore.canonical.com/api/images/mediawiki-demo-i386-0.1\"}]}"],0,5]
For example, the karmic i386 link above points to:
https://imagestore.canonical.com/api/images/karmic-i386-20091027
Once accepting the certificate, that shows a page listing the individual needed components:
Image: http://imagestore.canonical.com/files/karmic-i386-20091027/image.tar.gz
Kernel: http://imagestore.canonical.com/files/karmic-i386-20091027/kernel
Ramdisk: http://imagestore.canonical.com/files/karmic-i386-20091027/ramdisk
From the contents above you know what to assign for eri, emi, and eki codes.
So you can manually add images to the cloud. Still would be nice to get the store working though.
I did update Eucalyptus, but that was immediately after the install, and this issue came afterwards.
I don't remember proactivelly updating things, and I turn the automatic updates off as default.
Funny that it come at the same time for several of the clouds I installed.
So it turns out the error is being thrown by the Python-based Image Server Proxy.
You can see this process running (ps aux | grep proxy) and it will tell you where it's keeping it's log file.
Viewing the log file you see the same error that appears in web interface. I compared the ca-certifiates.crt file that was on my working cloud controller with the one on my non-working cloud controller and they were identical.
Does anybody know what a CRLfile is? Or if that's even needed?
[quote=zoran]I did update Eucalyptus, but that was immediately after the install, and this issue came afterwards.
I don't remember proactivelly updating things, and I turn the automatic updates off as default.
Funny that it come at the same time for several of the clouds I installed.[/quote]
It is odd that many are being affected by the same thing...makes me think it's something out of our control...like the Canoncial server or some other intermediate site changed their certificate but we have outdated certs in our stores.
Doing a completely fresh, clean install using UEC 11.04 and am going to see if the Store works before I do anything else to the machine at all.
I googled to a blog where they said one should update certificates:
sudo update-ca-certificates
but that didn't help.
Since images menu "looks into" images repository, from where the images are being downloaded.
Alright, to make sure I didn't screw things up, I did a fresh UEC 11.04 server install with cloud, sc, cc, and walrus.
Installation process went fine.
As soon as the system started up, I went to the website and the Store tab. Still getting the Error 60 message.
This definitely leads me to believe that this issue is now an external/3rd party issue because this same installation DC worked without flaw 4 days ago.
I'm going to perform a full system update/upgrade and see if that resolves anything.
If not, I can only assume that whatever website or webpages the Image Server Proxy was attempting to access has somehow changed or modified things (possibly its cert) such that the default UEC 11.04 install no longer works.
If anybody else has performed a recent UEC 11.04 install and gotten the Cloud image store to work, please post and let us know...Thanks!
[Fri Aug 19 00:33:31 2011] [error] error.c(94) OXS ERROR [x509.c:287 in openssl_x509_get_subject_key_identifier] oxs defualt error , The extenension index of NID_subject_key_identifier is not valid
I don't know if it is related to the issue.
Tried apt-get update/upgrade on the clean installation. Still no success...
Few more things left to try...
I tried just about everything I can think of...I'm not sure what's causing this error specifically or how to fix it.
I just downloaded the image, kernel, and ramdisk from the URL above and followed the directions in the Eucalyptus Beginner's Guide: http://cssoss.files.wordpress.com/2010/12/eucabookv2-0.pdf
to register a Linux image.
It worked and I can now create instances. If anyone solves this issue, please post!
I'm too getting the same error
ERROR 60 : Server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Pls help... Would be great if someone comes up with a solution...
Error 60: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
I have tried for several hours to figure out which server certificate that is invalid or where the image-proxy makes the call. Anyone that has a hint on resolving this?
WARNING: the change disables certificate validation. Use at your own risk!!
Until PycURL is fixed you can edit file /usr/lib/python2.7/dist-packages/imagestore/lib/fetch.py
on fetch method after the line 142
add
curl.setopt(pycurl.SSL_VERIFYPEER, 0)
curl.setopt(pycurl.SSL_VERIFYHOST, 0)
Restart the image-store-proxy
Do you know when this might be fixed for good?
On a clean system if you do wget https://imagestore.canonical.com you get an error about the certificate, but that can be fixed by updating godaddy certificates:
sudo wget -P /usr/local/share/ca-certificates/ --no-check-certificate https://certs.godaddy.com/repository/gd-class2-root.crt https://certs.godaddy.com/repository/gd_intermediate.crt https://certs.godaddy.com/repository/gd_cross_intermediate.crt
sudo update-ca-certificates
After that you can do wget https://imagestore.canonical.com and the certificate is trusted BUT I don't know why curl is not able to validate the certificate so it's probably an issue with curl setup. Maybe the godaddy certificate certificate needs to be converted.
There is another forum thread in http://ubuntuforums.org/showthread.php?p=11224228#post11224228 about the same issue.
Same issue here after a vanilla install of 11.04 and I can't get to the store without the following error:
Error 60: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt
CRLfile: none
Hello,
UEC is built on top of Eucalyptus and the UEC store is an addition to make it easy to install images. We (eucalyptus systems) don't control the image store: there is already a thread on the ubuntu forum http://ubuntuforums.org/showthread.php?t=1837612 about this which is probably the best place to follow up.
I'm not sure how to get directly to the image store and download images: we do provide some starter images at http://open.eucalyptus.com/wiki/EucalyptusUserImageCreatorGuide which can be downloaded directly: instructions how to bundle upload and register images are linked in the same documents.
cheers
graziano
Guys,
I don't see a solid solution for this issue yet. A fresh installation to install images, I still see the error no matter what I modified. Where is this bug coming from and what steps to take in action?
Thanks in advance
Gokhan Gun
Guys,
I don't see a solid solution for this issue yet. A fresh installation to install images, I still see the error no matter what I modified. Where is this bug coming from and what steps to take in action?
Thanks in advance
Leungffy
I was also almost desperate until I found this link:
http://realmike.org/blog/2011/01/02/ssl-certificate-error-with-gwibber-a...
The problem is that the certificate of canonical, which is signed by Godaddy, is not trusted by the host (all the trusted CA is listed in the /etc/ssl/certs, and our CLC host cannot find this certificate in the trusted list). So what we need to do is to download the certificate of imagestore.canonical.com, and add it to the trusted list (it's not CA, but it's fine, just like when browsing the website you add an exception).
So first you go to https://imagestore.canonical.com/. The page cannot be found but it doesn't matter. If you are using Firefox, you can click the left side of the url, or if you see any small lock indicating that you can view the certificate file, click it and export the file to the server (the cloud controller). Then follow the reference link, copy the certificate to /usr/share/ca-certificates/; run "sudo dpkg-reconfigure ca-certificates" to install it. Then check your website again and you will see the list of the images appearing in the "store" page :DDDDDD
Use at your own risk
1. cd /usr/lib/python2.6/dist-packages/imagestore/lib/
2. cp fetch.py fetch.py_orginal
3. sudo vim fetch.py
after line number 143 add below 2 lines
##############################################
curl.setopt(pycurl.SSL_VERIFYPEER, 0)
curl.setopt(pycurl.SSL_VERIFYHOST, 0)
##############################################
4. sudo wget -P /usr/local/share/ca-certificates/ --no-check-certificate https://certs.godaddy.com/repository/gd-class2-root.crt https://certs.godaddy.com/repository/gd_intermediate.crt https://certs.godaddy.com/repository/gd_cross_intermediate.crt
5. sudo update-ca-certificates
6. sudo service image-store-proxy restart
ref:-http://superuser.com/questions/327471/why-do-i-get-a-certificate-error-trying-to-setup-a-ubuntu-cloud
orginal post
Quick and insecure fix WARNING: the change disables certificate validation. Use at your own risk!!
Until PycURL is fixed you can edit file /usr/lib/python2.7/dist-packages/imagestore/lib/fetch.py on fetch method after the line 142 add
curl.setopt(pycurl.SSL_VERIFYPEER, 0)
curl.setopt(pycurl.SSL_VERIFYHOST, 0)
Restart the image-store-proxy
And also update godaddy certificates for wget and alike:
sudo wget -P /usr/local/share/ca-certificates/ --no-check-certificate
https://certs.godaddy.com/repository/gd-class2-root.crt https://certs.godaddy.com/repository/gd_intermediate.crt https://certs.godaddy.com/repository/gd_cross_intermediate.crt
sudo update-ca-certificates
Hello everyone,
Are there any news on that subject? I also face the same error, and so far I have tried everything listed in the post except for those changes in fetch.py.
Thanks a lot!
Hi guys,
I'm new guy of UEC.
I'm now try to deploy a private cloud in my virtual machine.
After install UEC, I go to 'store' tab and got this message
Error 60: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Any help?