Re: [OVSDB-TLS] Probe failed to OVSDB switch.


Mohamed ElSerngawy
 

Hi Vamsikrishna,

- As you are using jks files, you need to set <use-mdsal>false</use-mdsal>; otherwise ODL will look for the OVS certificate in MD-SAL instead of in the jks file.

- Also, please confirm that you used the RPC in step 9 and that you were able to see the certificate back.
Wiki step 9: don't forget to change ovs1 to the alias you used when you generated the OVS certificate.

curl -X POST -u admin:admin -H "Content-Type: application/json" -H "Cache-Control: no-cache" -d '{
      "aaa-cert-rpc:input": {
        "aaa-cert-rpc:node-alias": "ovs1"
      }
    }' "http://localhost:8181/restconf/operations/aaa-cert-rpc:getNodeCertifcate"

I'm not sure why you used this way to generate the controller certificate. ODL is supposed to generate its own self-signed certificate, or, if you are going to use a CA, you should sign both the OVS and the ODL certificates based on certificate requests.

BR

On Thu, Jan 4, 2018 at 11:28 AM, A Vamsikrishna <a.vamsikrishna@...> wrote:

Hi Mohamed & Jamo,

 

Thanks for your response :)

Also, sometimes I see the errors below in the ODL and OVS logs:

 

D: [id: 0x78b62606, L:/192.168.56.1:6640 - R:/192.168.56.102:41618]
-01-03 14:31:42,261 | ERROR | assiveConnServ-3 | OvsdbConnectionService           | 380 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | Ssl handshake fail. channel [id: 0x78b62606, L:/192.168.56.1:6640 ! R:/192.168.56.102:41618]

stack@ubuntu:/var/log/openvswitch$ tail -5 ovsdb-server.log
2018-01-02T18:20:05.920Z|07252|reconnect|INFO|ssl:192.168.56.1:6640: waiting 8 seconds before reconnect
2018-01-02T18:20:13.921Z|07253|reconnect|INFO|ssl:192.168.56.1:6640: connecting...
2018-01-02T18:20:13.928Z|07254|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2018-01-02T18:20:13.928Z|07255|reconnect|INFO|ssl:192.168.56.1:6640: connection attempt failed (Protocol error)
2018-01-02T18:20:13.928Z|07256|reconnect|INFO|ssl:192.168.56.1:6640: waiting 8 seconds before reconnect
stack@ubuntu:/var/log/openvswitch$

 

Please find my answers inline.

 

Regards,

Vamsi

 

From: Mohamed El-Serngawy [mailto:m.elserngawy@...]
Sent: Thursday, January 04, 2018 8:31 PM
To: Jamo Luhrsen <jluhrsen@...>
Cc: A Vamsikrishna <a.vamsikrishna@...>; ovsdb-dev@....org
Subject: Re: [ovsdb-dev] [OVSDB-TLS] Probe failed to OVSDB switch.

 

Hi Vamsikrishna,

 

So you are following the previous wiki to establish OVS TLS communication without any specific cipher suites (just so as not to confuse it with your other emails).

[Vamsi] Yes

 

Let's do the troubleshooting:

 

  1. In the aaa-cert-config.xml, using MD-SAL (<use-mdsal>true</use-mdsal>) means you are using ODL in cluster mode? If yes, make sure that the aaa-cert data tree has been configured in the cluster. If not, the recommendation is to use the jks files as the certificate data store for a single ODL instance.

[Vamsi] I am using ODL in non-cluster mode and I have generated the jks files (ctl.jks and truststore.jks) on OVS by following the attached commands.

 

  2. Did you make sure that the OVS certificate has been stored in ODL? Check step 9 of the wiki.

[Vamsi] Yes, I have manually copied ctl.jks and truststore.jks to ODL’s /configuration/ssl folder and restarted ODL using system:shutdown

 

 

I will try to go through the wiki again in order to reproduce it. Are you using ODL Nitrogen or master? Let me know.

 

[Vamsi] I am using master.

 

 

 

Thanks

 

-----

 

Thanks Jamo

 

 

On Wed, Jan 3, 2018 at 4:32 PM, Jamo Luhrsen <jluhrsen@...> wrote:

sending again with Mohamed's gmail address


On 01/03/2018 01:06 PM, Jamo Luhrsen wrote:
> Vamsi,
>
> I've added Mohamed explicitly to this email, as he was the author of the
> wiki page you are referring to.
>
> I've personally never set up ovsdb with TLS, so not sure if it even
> works. It does seem like a gap we have in our CSIT jobs. Hopefully someone
> (maybe me) can find time to add it. It's not out of the realm of possibility
> that it does not work and we need a bug.
>
> Thanks,
> JamO
>
> On 01/01/2018 07:19 AM, A Vamsikrishna wrote:
>> Hi All,
>>
>>  
>>
>> I am following below wiki for OVSDB-TLS communication:
>>
>>  
>>
>> https://wiki.opendaylight.org/view/OVSDB_Integration:TLS_Communication
>>
>>  
>>
>> I am seeing below error in ODL logs:
>>
>>  
>>
>> _remoteIp=IpAddress [_ipv4Address=Ipv4Address [_value=192.168.56.102]], _remotePort=PortNumber [_value=36526], augmentation=[]]
>>
>> 2018-01-01 20:36:43,103 | ERROR | DBConnNotifSer-0 | OvsdbConnectionService           | 380 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | Probe failed to OVSDB switch. Disconnecting the channel ConnectionInfo [Remote-address=192.168.56.102, Remote-port=36526, Local-address192.168.56.1, Local-port=6640, type=PASSIVE]
>>
>>  
>>
>> And I am not seeing the SSL connection on OVS :
>>
>>  
>>
>> stack@ubuntu:/etc/openvswitch$ sudo ovs-vsctl show
>> 3dfb73ad-1ea2-46ed-b749-ba55a1ee912f
>>     Manager "ssl:192.168.56.1:6640"
>>     Bridge br-ex
>>         Controller "ssl:192.168.56.1:6653"
>>         Port br-ex
>>             Interface br-ex
>>                 type: internal
>>     ovs_version: "2.6.1"
>> stack@ubuntu:/etc/openvswitch$
>>
>>  
>>
>> Can you please help me out in fixing this issue?
>>
>>  
>>
>> Attaching the config files I changed. Please let me know if you need any info to help with this issue.
>>
>>  
>>
>> Thanks,
>>
>> Vamsi
>>
>>
>>
>> _______________________________________________
>> ovsdb-dev mailing list
>> ovsdb-dev@....org
>> https://lists.opendaylight.org/mailman/listinfo/ovsdb-dev
>>

 

