sdn certs module

BenjiReis

Hello,

There's 2 ways to use the SDN controller as for the certificates:

• You can provide the vertificate yourself, if you arleardy have certificates, in this case you need to provide a path to the certificate directory in the plugin configuration and make sure that there is client-cert.pem, client-key.pem and ca-cert.pem in the directory
• If you don't have certificates, the SDN controller can create them, but they will be self signed. To do so you just leave the certificate configuration path empty.

Is that clear?

Regards,
Benjamin

adriangabura

Well the autogenerator dosn't work when you build from source. Apparently it lacks the said module. So how do I install the node-openssl-cert module so it works in yarn?

BenjiReis

That's strange, did you follow the official guide to build xen-orchestra from sources?
All dependencies should be installed.

BenjiReis

I've just tried locally from sources and everything went fine.

Can you try to call yarn and then yarn build at the root of xen-orchestra repository?

Thanks

adriangabura

Ok, I'll try later today, thanks for the answers!

adriangabura

Ok, I tried again, same thing. So I run sudo yarn start in xo-server directory. And I watch the logs while I try to use the certs autogenerator. This is what I get:

2019-07-29T18:20:46.778Z - xo:xo-server:sdn-controller - [DEBUG] No cert-dir provided, using default self-signed certificates
2019-07-29T18:20:46.780Z - xo:xo-server:sdn-controller - [DEBUG] No default self-signed certificates exists, creating them
2019-07-29T18:20:47.611Z - xo:xo-server:sdn-controller - [ERROR] Error while generating CA private key
{ error: false }

As I said it's not a problem per se, I'm just trying to figure out out of curiosity why it doesn't work.

olivierlambert

It could be something linked to your environment because it works on our side

But why? Hard to tell. That's exactly the main reason why we do pro support only on a controlled environment (XOA, Xen Orchestra virtual Appliance), because otherwise you could have tons of external factors that make it fails.

Double check you are on latest master commit, ideally clone it from scratch and rebuild everything. Check your Node and npm version.

BenjiReis

Hi,

I've managed to reproduce you're error. It's not a build issue.
A fix is coming right away, I'll post it here once it's merged into master so you can get it.

Thanks for the report.
Regards

olivierlambert

@BenjiReis do you know the problematic commit in question?

BenjiReis

Yes it's 5396b90695fbe2c7a5f56d72a94a208517b2d517 but its not its only modification so it can't just be reverted.
This is a really quick fix I can push a branch today and it can be used waiting for the merge.

BenjiReis

Hi!

The fix is available on master.
You should be able to generate certificate now.

olivierlambert

Well done

adriangabura

Great! Your team proves just how legendary it is once again! Thank you!

eeldivad

@BenjiReis I'm having the same problem. When I leave cert-dir empty and turn on override-certs and click "Save Configuration" then it gives me this error. This is a fresh build from ronivay's github with nothing but the basics installed. See screenshots.

ENOENT: no such file or directory, open '/var/lib/xo-server/data/sdn-controller/client-cert.pem'

Danp

@eeldivad I suggest that you run this in an ssh session to monitor the logs and then retry saving the plugin settings --

journalctl -u xo-server -f -n 50

My guess would be some type of rights issue, but I don't see this same behavior on my XO from sources VM.

eeldivad

@Danp I just checked the logs and it's the same I listed above. I installed this as non-root user with sudo rights and then i rebuilt the vm with root permissions. This is a fresh install on a fresh OS so must be a bug somewhere. The problem is it doesn't auto-generate the keys as it said it would if I don't specify a path. If I create those 3 key files in a folder and specify the path then it will save properly. But these are blank files I created as I'm not sure how to generate them myself with openssl. Does anyone happen to have the command to use? This is just a test lab so I don't want to deal with letsencrypt or external certificate authorities.
Error: ENOENT: no such file or directory, open '/var/lib/xo-server/data/sdn-controller/client-cert.pem'

Danp

@eeldivad Does the directory /var/lib/xo-server/data/sdn-controller/ exist on your VM? This directory is created for me if it doesn't already exist, and the three PEM files are stored there when I click Save Configuration.

I still suspect that you are dealing with a rights issue.

eeldivad

@Danp the folder exists. I see 2 pem files there but client-cert.pem is missing. So it looks like it tried to create the 3 pem files but failed to create the client-cert.pem. Any suggestion?

ls /var/lib/xo-server/data/sdn-controller
ca-cert.pem client-key.pem

Danp

@eeldivad It's possible that it won't recreate the missing file because the other two are present. I would remove them and then retry to process.

eeldivad

@Danp i removed those 2 files and tried again. Now it hangs when I clicked on "Save configuration"
I see this in the log when it's hanging. I waited at least 5 minutes during the hang. I also noticed those 2 files were recreated in the same folder /var/lib/xo-server/data/sdn-controller so my guess is it's hanging trying to create the 3rd file client-cert.pem

Feb 16 19:59:25 xo-server[12428]: 2025-02-16T19:59:25.434Z xo:xo-server ERROR uncaught exception {
Feb 16 19:59:25 xo-server[12428]: error: TypeError: Cannot read properties of undefined (reading 'toString')
Feb 16 19:59:25 xo-server[12428]: at ReadFileContext.callback (/opt/xo/xo-builds/xen-orchestra-202502160214/node_modules/node-openssl-cert/index.js:3032:35)
Feb 16 19:59:25 xo-server[12428]: at FSReqCallback.readFileAfterOpen [as oncomplete] (node:fs:300:13)
Feb 16 19:59:25 xo-server[12428]: at FSReqCallback.callbackTrampoline (node:internal/async_hooks:130:17)
Feb 16 19:59:25 xo-server[12428]: }