Certificate validation in between services


itz.feli...@gmail.com

Jan 4, 2021, 2:35:33 PM
to Opencast Users

If you wonder after a recent update why you get messages like "Unable to reach org.opencastproject.assetmanager@https://you-testing-instance", this is because Opencast now (commit 4225bf90af7455) checks certificate and hostname validity.

Since running a testing instance with HTTPS proxies does not always allow for certificates issued by someone, here is how to add a custom cert to Java's Trust Store.

cat >/tmp/testing.crt <<EOL
-----BEGIN CERTIFICATE-----
MIIGJzCCBA+gAw...
...O6g==
-----END CERTIFICATE-----
EOL
keytool -import -noprompt -trustcacerts -alias testing_root -file /tmp/testing.crt -storepass changeit -keystore "$JAVA_HOME/jre/lib/security/cacerts"
rm /tmp/testing.crt

Working HTTPS is probably preferred, if you can afford that.

-- Felix
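
Added example, not part of the original post or of Opencast: a pre-import check for the procedure above. Importing a certificate into the trust store only satisfies the trust check; the hostname check still requires the certificate to name the host, and on Java 9 and later `cacerts` sits under `lib/security` rather than `jre/lib/security`. The function names and the host `opencast-test.example.org` are constructed for illustration, and OpenSSL 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example: pre-flight checks before importing a test certificate into
# Java's trust store. Function names are hypothetical, not Opencast tooling.

# Constructed sample input: a self-signed certificate for a made-up host,
# valid for one day. $1 = output directory, $2 = hostname.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null
}

# Return 0 only if the certificate has not expired AND names the host.
# $1 = PEM file, $2 = hostname the other services will connect to.
cert_usable_for_host() {
    # -checkend 0 exits non-zero when notAfter is already in the past.
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 1
    # -checkhost always exits 0; the verdict is in the text it prints.
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Print the path of the cacerts file for a given JAVA_HOME.
# Java 8 layout: jre/lib/security; Java 9 and later: lib/security.
find_cacerts() {
    for p in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
        [ -f "$p" ] && { printf '%s\n' "$p"; return 0; }
    done
    return 1
}

# Stand-alone use: sh precheck.sh /tmp/testing.crt <hostname>
if [ "$#" -eq 2 ]; then
    if cert_usable_for_host "$1" "$2"; then
        echo "OK: certificate is unexpired and covers $2"
        find_cacerts "${JAVA_HOME:-/nonexistent}" ||
            echo "note: no cacerts found under JAVA_HOME"
    else
        echo "FAIL: certificate is expired or does not cover $2" >&2
        exit 1
    fi
fi
```

If the check fails on the hostname, importing the certificate will not remove the "Unable to reach" message; the certificate has to be reissued with the right name first.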

itz.feli...@gmail.com

Jan 6, 2021, 2:07:22 PM
to Opencast Users, itz.feli...@gmail.com
Ah, the announcement is on https://github.com/opencast/opencast/security/advisories/GHSA-44cw-p2hm-gpf6

Note that people might not be able to use LE due to CAA records in place by their domain admins and firewalls built in front of their dev machines.

Greg Logan

Jan 6, 2021, 10:00:05 PM
to Opencast Users
Hi Felix,

Can you file a PR with this as a note in the HTTPS docs? I don't know how common those CAA records are, but having a worked example like this would be helpful in the docs.

Thanks,
G
