How should one set the network.ovn.ca_cert, network.ovn.client_cert, network.ovn.client_key?
I have a functioning OVN network on three machines, communicating over SSL:
```
root@incus-1:~# ovn-nbctl \
    -p /etc/ovn/ovn-incus-key.pem \
    -c /etc/ovn/ovn-incus.pem \
    -C /etc/ovn/ca.pem \
    --db ssl:10.170.3.32:6641,ssl:10.170.3.52:6641,ssl:10.170.3.40:6641 \
    ls-add foo
root@incus-2:~# ovn-nbctl \
    -p /etc/ovn/ovn-incus-key.pem \
    -c /etc/ovn/ovn-incus.pem \
    -C /etc/ovn/ca.pem \
    --db ssl:10.170.3.32:6641,ssl:10.170.3.52:6641,ssl:10.170.3.40:6641 \
    ls-list
16b25547-788f-4be6-b9b3-b4ec3cd1168e (foo)
```
I have formed a cluster with the latest Incus LTS 6.0.2 and created an uplink network. If I try to create an OVN network on top of it, it complains about missing certs, which is OK:
```
root@incus-1:~# incus network create default --type=ovn network=uplink
Error: Failed loading network: Failed to connect to OVN: OVN is configured to use SSL but no client certificate was found
```
But if I try to set certs I receive an error too:
```
root@incus-1:~# incus config set \
    network.ovn.ca_cert=/etc/ovn/ca.pem \
    network.ovn.client_cert=/etc/ovn/ovn-incus.pem \
    network.ovn.client_key=/etc/ovn/ovn-incus-key.pem
Error: failed to notify peer 10.170.3.52:8443: tls: failed to find any PEM data in certificate input
```
If I simply create symlinks matching the default values (and pointing to exactly same certs):
```
root@incus-1:~# ls -l /etc/ovn/{ovn-central.crt,cert_host,key_host}
lrwxrwxrwx 1 root root 13 Nov 27 19:27 /etc/ovn/cert_host -> ovn-incus.pem
lrwxrwxrwx 1 root root 17 Nov 27 19:27 /etc/ovn/key_host -> ovn-incus-key.pem
lrwxrwxrwx 1 root root  6 Nov 27 19:27 /etc/ovn/ovn-central.crt -> ca.pem
```
then after restarting Incus I can create the network. But even after that I still cannot change OVN certs:
```
root@incus-1:~# incus config set \
    network.ovn.ca_cert=/etc/ovn/ca.pem \
    network.ovn.client_cert=/etc/ovn/ovn-incus.pem \
    network.ovn.client_key=/etc/ovn/ovn-incus-key.pem
Error: failed to notify peer 10.170.3.52:8443: tls: failed to find any PEM data in certificate input
```
I’m almost certain I’m doing something stupidly wrong, but… but what?
Using the latest LTS from Zabbly repo on Ubuntu 24.04 with latest updates.
Thanks.
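Added example, not part of the original post: a small shell helper that checks a value for a PEM block before handing it to `incus config set`, so a bare file path is never passed where certificate content is expected. It assumes, based only on the Go error text quoted above ("failed to find any PEM data in certificate input"), that the `network.ovn.*` keys carry certificate content rather than a path; the `SAMPLE_PEM` block is constructed and is not a real certificate.

```shell
#!/bin/sh
# Assumption (from the quoted Go TLS error, not from Incus docs): the
# network.ovn.ca_cert / client_cert / client_key keys hold PEM content,
# not a path. A path string contains no PEM block, hence the error.

# Constructed sample for exercising the checks; not a real certificate.
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIE5PVCBBIFJFQUwgQ0VSVElGSUNBVEU=
-----END CERTIFICATE-----'

# Return 0 if the argument contains a PEM block, 1 otherwise.
# A path such as /etc/ovn/ca.pem fails this check, which mirrors
# what the Go TLS loader reported in the post.
is_pem() {
    case "$1" in
        *-----BEGIN*-----END*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the contents of a PEM file; fail if the file holds no PEM block
# (for example when the file itself only contains a path string).
pem_value() {
    content=$(cat "$1") || return 1
    is_pem "$content" || { echo "$1: no PEM data found" >&2; return 1; }
    printf '%s' "$content"
}

# Load the three files and set the keys with their content rather than
# their paths. Any file without PEM data aborts before incus is called.
set_ovn_certs() {
    ca=$(pem_value "$1") || return 1
    cert=$(pem_value "$2") || return 1
    key=$(pem_value "$3") || return 1
    incus config set \
        network.ovn.ca_cert="$ca" \
        network.ovn.client_cert="$cert" \
        network.ovn.client_key="$key"
}

# Typical use on a cluster member (paths from the post):
# set_ovn_certs /etc/ovn/ca.pem /etc/ovn/ovn-incus.pem /etc/ovn/ovn-incus-key.pem
```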