[Planetlab-devel] peering planetlab and planetlabeurope - status
Thierry Parmentelat
Thierry.Parmentelat at sophia.inria.fr
Fri Jun 22 17:30:40 EDT 2007
Hi all
As a quick update on the federation attempt between planetlab and
planetlabeurope,
We have installed our certificates and Tony and I made the various
configurations on both ends.
However the SSL connections work in one way only, and we have just
figured out that a change had been made in the production version of
PyCurl.py; this change prevents the peer cacert mechanism from
working properly.
It is not clear yet what issue this change was addressing; apparently,
Faiyaz could be the one who made that change, so I will come back to him
and Tony as soon as Faiyaz is back on monday.
For the record, I'm attaching a few notes that I've been taking while
setting up the peering, including installing SSL certificates, exporting
GPG keys, and tracking down SSL certification issues.
-- Thierry
############################################################ part 1. installing ssl certificates
########## started from
# ls -l
total 20
-rw-r--r-- 1 arkazam users 1208 Jun 21 10:24 www.planet-lab.eu.crt
-rw-r--r-- 1 arkazam users 643 Jun 21 10:24 www.planet-lab.eu.csr
-rw-r--r-- 1 arkazam users 887 Jun 21 10:24 www.planet-lab.eu.key
-rw-r--r-- 1 arkazam users 178 Jun 21 10:24 www.planet-lab.eu.req
the .req holds the request-generation sentence
the .csr is the request sent to the CA
the .key is the private key
the .crt is the returned certificate
# mkdir backup
# cp *.??? backup
########## identified the issuer
# openssl x509 -in www.planet-lab.eu.crt -text > www.planet-lab.eu.txt
# grep -i issuer www.planet-lab.eu.txt
Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
########## locating the CAcert
our provider is known as geotrust
browsed the geotrust website a bit and found
http://www.geotrust.com/resources/root_certificates/index.asp
located the right one based on the above
# curl -O https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Global_eBusiness_CA-1.cer
# ls -l
total 28
drwxr-xr-x 2 root root 240 Jun 21 15:38 backup
-rw-r--r-- 1 root root 964 Jun 21 15:42 Equifax_Secure_Global_eBusiness_CA-1.cer
-rw-r--r-- 1 arkazam users 1208 Jun 21 10:24 www.planet-lab.eu.crt
-rw-r--r-- 1 arkazam users 643 Jun 21 10:24 www.planet-lab.eu.csr
-rw-r--r-- 1 arkazam users 887 Jun 21 10:24 www.planet-lab.eu.key
-rw-r--r-- 1 arkazam users 178 Jun 21 10:24 www.planet-lab.eu.req
-rw-r--r-- 1 root root 3689 Jun 21 15:41 www.planet-lab.eu.txt
########## verifying
# openssl verify -CAfile Equifax_Secure_Global_eBusiness_CA-1.cer www.planet-lab.eu.crt
www.planet-lab.eu.crt: OK
NOTE. if this verification fails, the plc initscript will (silently) regenerate new keys.
also note that this CA probably is in the openssl bundle:
# openssl verify www.planet-lab.eu.crt
www.planet-lab.eu.crt: OK
########## installing in /etc/planetlab
# ssl=$(pwd)
# pushd /etc/planetlab/
# mkdir certificates-trash
# cp *.crt *.key certificates-trash/
# for i in *.key ; do cp $ssl/www.planet-lab.eu.key $i; done
# for i in *_ca_ssl.crt; do cp $ssl/Equifax_Secure_Global_eBusiness_CA-1.cer $i ; done
# for i in $(ls *.crt | grep -v _ca_ssl); do cp $ssl/www.planet-lab.eu.crt $i ; done
# ls -l *.{key,crt}
-rw-r--r-- 1 root root 964 Jun 21 15:46 api_ca_ssl.crt
-rw-r--r-- 1 root root 1208 Jun 21 15:47 api_ssl.crt
-rw-r--r-- 1 root root 887 Jun 21 15:45 api_ssl.key
-rw-r--r-- 1 root root 964 Jun 21 15:46 boot_ca_ssl.crt
-rw-r--r-- 1 root root 1208 Jun 21 15:47 boot_ssl.crt
-rw-r--r-- 1 root root 887 Jun 21 15:45 boot_ssl.key
-rw-r--r-- 1 root root 964 Jun 21 15:46 www_ca_ssl.crt
-rw-r--r-- 1 root root 1208 Jun 21 15:47 www_ssl.crt
-rw-r--r-- 1 root root 887 Jun 21 15:45 www_ssl.key
# md5sum $ssl/*.{cer,key,crt} *.{key,crt}
6c4c4791d77d8848f0907511a0bf686e /home/arkazam/ssl/Equifax_Secure_Global_eBusiness_CA-1.cer
7044983b3011143b0e54e9aa706024d0 /home/arkazam/ssl/www.planet-lab.eu.key
7351d8815d62c0cc16fb03dbbd040402 /home/arkazam/ssl/www.planet-lab.eu.crt
7044983b3011143b0e54e9aa706024d0 api_ssl.key
7044983b3011143b0e54e9aa706024d0 boot_ssl.key
7044983b3011143b0e54e9aa706024d0 www_ssl.key
6c4c4791d77d8848f0907511a0bf686e api_ca_ssl.crt
7351d8815d62c0cc16fb03dbbd040402 api_ssl.crt
6c4c4791d77d8848f0907511a0bf686e boot_ca_ssl.crt
7351d8815d62c0cc16fb03dbbd040402 boot_ssl.crt
6c4c4791d77d8848f0907511a0bf686e www_ca_ssl.crt
7351d8815d62c0cc16fb03dbbd040402 www_ssl.crt
########## restart plc
# service plc restart
########## checking the files were not overwritten by the initscript
# md5sum $ssl/*.{cer,key,crt} *.{key,crt}
6c4c4791d77d8848f0907511a0bf686e /home/arkazam/ssl/Equifax_Secure_Global_eBusiness_CA-1.cer
7044983b3011143b0e54e9aa706024d0 /home/arkazam/ssl/www.planet-lab.eu.key
7351d8815d62c0cc16fb03dbbd040402 /home/arkazam/ssl/www.planet-lab.eu.crt
7044983b3011143b0e54e9aa706024d0 api_ssl.key
7044983b3011143b0e54e9aa706024d0 boot_ssl.key
7044983b3011143b0e54e9aa706024d0 www_ssl.key
6c4c4791d77d8848f0907511a0bf686e api_ca_ssl.crt
7351d8815d62c0cc16fb03dbbd040402 api_ssl.crt
6c4c4791d77d8848f0907511a0bf686e boot_ca_ssl.crt
7351d8815d62c0cc16fb03dbbd040402 boot_ssl.crt
6c4c4791d77d8848f0907511a0bf686e www_ca_ssl.crt
7351d8815d62c0cc16fb03dbbd040402 www_ssl.crt
########## checking installation
used firefox browser, cleaned certificates formerly attached to www.planet-lab.eu
pointed to https://www.planet-lab.eu/ => I am getting the closed lock right away, no question asked
pointed to https://planet-lab.eu/ => I am warned, the certificate being assigned to www.planet-lab.eu
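An added check for the install-and-restart steps above (my code, not part of the original notes): it confirms that every file under /etc/planetlab is still a byte-for-byte copy of the source material, following the {api,boot,www}_ssl.key / _ssl.crt / _ca_ssl.crt naming shown above, and also flags private keys readable by group or other. The script name check-plc-ssl.py, the SHA-256 digest (in place of md5sum) and the default source file names are my assumptions.

```python
import hashlib
import os
import stat
import sys

SERVICES = ("api", "boot", "www")   # one key/cert/ca triple per plc service

def sha256_of(path):
    """Hex SHA-256 digest of a file (the notes used md5sum for this)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def expected_layout(ssl_dir, plc_dir, site="www.planet-lab.eu",
                    ca="Equifax_Secure_Global_eBusiness_CA-1.cer"):
    """Map each installed file in plc_dir to the source file it must copy."""
    layout = {}
    for svc in SERVICES:
        layout[os.path.join(plc_dir, svc + "_ssl.key")] = os.path.join(ssl_dir, site + ".key")
        layout[os.path.join(plc_dir, svc + "_ssl.crt")] = os.path.join(ssl_dir, site + ".crt")
        layout[os.path.join(plc_dir, svc + "_ca_ssl.crt")] = os.path.join(ssl_dir, ca)
    return layout

def check_installed(ssl_dir, plc_dir):
    """Sorted list of (installed file, problem); an empty list means all good."""
    findings = []
    for installed, source in expected_layout(ssl_dir, plc_dir).items():
        name = os.path.basename(installed)
        if not os.path.exists(installed):
            findings.append((name, "missing"))
            continue
        if sha256_of(installed) != sha256_of(source):
            # a key or cert that differs after 'service plc restart' is the
            # silent regeneration by the initscript that the notes warn about
            findings.append((name, "differs from " + os.path.basename(source)))
        if (name.endswith(".key") and os.name == "posix"
                and stat.S_IMODE(os.stat(installed).st_mode) & 0o077):
            findings.append((name, "private key readable by group/other"))
    return sorted(findings)

if __name__ == "__main__":
    # usage: check-plc-ssl.py /home/arkazam/ssl [/etc/planetlab]
    plc = sys.argv[2] if len(sys.argv) > 2 else "/etc/planetlab"
    problems = check_installed(sys.argv[1], plc)
    for name, problem in problems:
        print("%s: %s" % (name, problem))
    sys.exit(1 if problems else 0)
```

Run it once before and once after the restart; a non-zero exit after the restart means the initscript replaced something.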
############################################################ part 2. installing GPG material
NOTE.
There was a trial peering in place between
www.planet-lab.org and onelab-plc.inria.fr
so to make the move simpler I decided to re-use the GPG material from the latter site, which is going to get turned off very shortly anyway
For the record, on that previous plc I had
* just started plc the usual way
* then produced an export of the gpg material by typing
# mkdir /tmp/foo
# gpg --secret-keyring=/etc/planetlab/secring.gpg --keyring=/etc/planetlab/pubring.gpg --homedir=/tmp/foo --export --armor > /var/www/html/download/Onelab-Public-Key
so back on planet-lab.eu:
# cd /etc/planetlab
# cp *.gpg certificates-trash/
# scp root@onelab-plc.inria.fr:/etc/planetlab/\*.gpg .
# scp root@onelab-plc.inria.fr:/plc/data/var/www/html/download/Onelab-Public-Key /plc/data/var/www/html/download/PlanetLabEurope-Public-Key
############################################################ part 3. Creating the peering on PlanetLab Europe
* saving former information from onelab-plc.inria.fr
<1lab-plc> -bash-3.00# plcsh
PlanetLab Central Direct API Access
Type "system.listMethods()" or "help(method)" for more information.
>>> open('/etc/planetlab/PlanetLab.cacert','w').write(GetPeers(['PlanetLab'])[0]['cacert'])
>>> open('/etc/planetlab/PlanetLab.key','w').write(GetPeers(['PlanetLab'])[0]['key'])
>>>
<1lab-plc> -bash-3.00# ls -l /etc/planetlab/PlanetLab.*
-rw-r--r-- 1 root root 4603 Jun 21 14:25 /etc/planetlab/PlanetLab.cacert
-rw-r--r-- 1 root root 1320 Jun 21 14:25 /etc/planetlab/PlanetLab.key
NOTE.
* I think I remember the GPG key was available at http://www.planet-lab.org/download/PlanetLab-Public-Key
* back on planet-lab.eu
# pwd
/etc/planetlab
# scp root@onelab-plc.inria.fr:/etc/planetlab/PlanetLab.\* .
# chroot /plc/root plcsh
>>> AddPeer({'peername':'PlanetLab','peer_url':'https://www.planet-lab.org/PLCAPI/','cacert':open('/etc/planetlab/PlanetLab.cacert').read(),'key':open('/etc/planetlab/PlanetLab.key').read()})
1
############################################################ part 4. Creating the other end's peer
curl -o /etc/planetlab/PlanetLabEurope.cacert https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Global_eBusiness_CA-1.cer
curl -o /etc/planetlab/PlanetLabEurope.key https://www.planet-lab.eu/download/PlanetLabEurope-Public-Key
and then
AddPeer({'peername':'PlanetLabEurope', 'peer_url':'https://www.planet-lab.eu/PLCAPI/', 'cacert':open('/etc/planetlab/PlanetLabEurope.cacert').read(), 'key':open('/etc/planetlab/PlanetLabEurope.key').read()})
############################################################ part 5. checking
chroot /plc/root plcsh
>>> peer=GetPeers('PlanetLab')[0]
>>> peer.connect()
>>> peer.GetPeerName()
==========
europe->princeton : OK
princeton->europe : get SSL certificate validation failed
========== first level check
= manual check -- from planetlabeurope
<plc> -bash-3.00# curl --cacert /etc/planetlab/PlanetLab.cacert https://www.planet-lab.org/PLCAPI/
<html><head>
<title>PLCAPI XML-RPC/SOAP Interface</title>
</head><body>
<h1>PLCAPI XML-RPC/SOAP Interface</h1>
<p>Please use XML-RPC or SOAP to access the PLCAPI.</p>
</body></html>
========== second level check
= I wrote a simple script named check-ssl-peering.py
(right now it's not under svn, I'll probably get it packaged under myplc at some point)
<plc> -bash-3.00# check-ssl-peering.py
usage: check-ssl-peering.py [options] local-peername remote-peername cacert hostname [ .. hostname ]
options:
  -h, --help            show this help message and exit
  -s PLC_ROOT_GPG_KEY, --secret=PLC_ROOT_GPG_KEY
                        local GPG secret ring
  -p PLC_ROOT_GPG_KEY_PUB, --public=PLC_ROOT_GPG_KEY_PUB
                        local GPG public ring
e.g. from onelab-plc.inria.fr
<plc> -bash-3.00# check-ssl-peering.py OneLabPrivate OneLab onelab-plc.inria.fr-ca.crt onelab-plc.inria.fr && echo OK
...
OK
e.g. from planet-lab.eu
<plc> -bash-3.00# check-ssl-peering.py PlanetLabEurope PlanetLab PlanetLab.cacert www.planet-lab.org &>/dev/null && echo OK
OK
========== third level check
- modified Peers.py so that connect() passes verbose=True to the ProxyServer creator
- modified PyCurl so errmsg gets printed when the SSL exception gets raised
this way we eventually figured out that the 'cacert' field in the Peer object was simply dropped by PyCurl, which was hard-coded to use the default bundle
from /etc/pki/tls/certs/ca-bundle.crt - bingo
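An added example of what the third-level check found missing (my code, not PyCurl.py or Peers.py from the PLC tree): the client-side trust for a peer is built from the 'cacert' stored in its Peer record, exactly the PEM that AddPeer() was given above, and never from the system bundle. It uses the standard library (ssl, xmlrpc.client; PLCAPI is XML-RPC) instead of pycurl; the record shape is assumed to be what GetPeers() returns, with 'peername', 'peer_url' and 'cacert' fields.

```python
import ssl
import xmlrpc.client
from urllib.parse import urlparse

PEM_MARKER = "-----BEGIN CERTIFICATE-----"

def trust_anchor(peer):
    """Return the PEM cacert stored in the peer record, failing closed.

    The bug in the notes was a silent fallback to the system bundle; here
    a missing or empty 'cacert' is an error, never a fallback."""
    pem = (peer.get("cacert") or "").strip()
    if PEM_MARKER not in pem:
        raise ValueError("peer %r has no usable 'cacert' field"
                         % peer.get("peername"))
    return pem

def peer_hostname(peer):
    """Hostname the peer's certificate must be issued for (from peer_url)."""
    url = urlparse(peer["peer_url"])
    if url.scheme != "https" or not url.hostname:
        raise ValueError("peer_url must be https: %r" % peer["peer_url"])
    return url.hostname

def peer_ssl_context(peer):
    """SSLContext trusting only the peer's own CA, with hostname checking."""
    # giving cadata means the default bundle is NOT loaded into this context
    ctx = ssl.create_default_context(cadata=trust_anchor(peer))
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def peer_proxy(peer, verbose=False):
    """XML-RPC proxy for the peer's PLCAPI, verified against its cacert.

    A server certificate that does not chain to the stored cacert makes
    the first call raise ssl.SSLCertVerificationError, naming the
    certificate, instead of a bare 'SSL certificate validation failed'."""
    peer_hostname(peer)          # reject a non-https peer_url before connecting
    return xmlrpc.client.ServerProxy(peer["peer_url"],
                                     context=peer_ssl_context(peer),
                                     verbose=verbose)

if __name__ == "__main__":
    # constructed record in the shape of a GetPeers() result; the cacert is
    # the file that AddPeer() was fed in the notes
    demo = {"peername": "PlanetLab",
            "peer_url": "https://www.planet-lab.org/PLCAPI/",
            "cacert": open("/etc/planetlab/PlanetLab.cacert").read()}
    print(peer_proxy(demo).system.listMethods())
```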