updating from http to https


rstanonik

Apr 3, 2019, 6:20:34 PM
to EaaSI Tech Talk
As a first pass I installed with almost no changes to the configs.

Now I'd like to enable https.

I see where to copy the ssl key and full cert and how to change the eaasi.yaml.

Will "./scripts/update.sh ui" push those to the target machine?

Also, will the docker image on the target machine restart if the machine is rebooted?
The "restart policy" seems empty.

Thanks,

Ron

Oleg SW-Dev

Apr 3, 2019, 6:46:19 PM
to rstanonik, EaaSI Tech Talk
Hi Ron,

To enable SSL, simply edit eaasi.yaml accordingly and run deploy.sh again. Running 'update.sh ui' will do the same, but additionally download and install the pre-built UI package again.

The EaaS docker-container is managed by systemd, specifically the eaas.service unit. So after a reboot everything should be up and usable again.

Best,
Oleg


--
You received this message because you are subscribed to the Google Groups "EaaSI Tech Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to eaasi-tech-ta...@googlegroups.com.
To post to this group, send email to eaasi-t...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/eaasi-tech-talk/52f32367-ef59-4679-af66-33d79adfd72e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

jkiritharan

May 21, 2019, 2:40:36 PM
to EaaSI Tech Talk
Hello,

I tried a first pass at this at a server that is hosted on our library network.
Changed the eaasi.yaml file to be as so:

  port: 443
  ssl:
    enabled: true
    certificate: "./artifacts/ssl/jonkiriansible_library_cmu_edu_cert.cer"
    private_key: "./artifacts/ssl/jonkiriansible.library.cmu.edu.key"

with the appropriate files in the artifacts/ssl/ folder.

The deployment seemed to go okay, but when I navigated to the server at jonkiriansible.library.cmu.edu I see this error message:

{
  "data": {
    "status": "2",
    "message": "Internal error: (build 449df048ca2ce5a737bc2ed242a6e803419c0aa6): Connecting to 'https://jonkiriansible.library.cmu.edu:443/softwarearchive/SoftwareArchiveWS?wsdl' failed!"
  },
  "status": 500,
  "config": {
    "method": "GET",
    "transformRequest": [
      null
    ],
    "transformResponse": [
      null
    ],
    "url": "https://jonkiriansible.library.cmu.edu:443/emil/EmilSoftwareData/getSoftwarePackageDescriptions",
    "headers": {
      "Accept": "application/json, text/plain, */*"
    },
    "cached": false
  },
  "statusText": ""
}

And in the log is a lot of this:

Health checking for 'https://jonkiriansible.library.cmu.edu:443/emucomp/health' failed!: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

and

Caused by: javax.wsdl.WSDLException: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://jonkiriansible.library.cmu.edu:443/softwarearchive/SoftwareArchiveWS?wsdl'.: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


So I'm thinking the type of SSL we created is not being accepted? Did I put in the path incorrectly?
I used X509 Base64 encoded.
This is a partial screenshot of other available certificates I can get from our computing services here:

[image: Screenshot from 2019-05-21 14-34-33.png]


Or perhaps it is because I am trying to put up another server at CMU while we already have one @ http://eaasi-prod.library.cmu.edu -- I did this just to play around and see if I could get it running.
If it's the latter, when we reset our instance again I can put the certificates on the prod server we currently are running.

Let me know if you need more information or if anything was unclear.

Thanks,

Jonathan


Oleg

May 23, 2019, 11:51:24 AM
to jkiritharan, EaaSI Tech Talk
Hi Jonathan,

The problem seems to be that your certificate is not trusted by our Java application server running inside the Docker container. Please keep in mind that we don't support self-signed certificates. It is also required that you use a full-chain certificate to make SSL work correctly.

Best,
Oleg

jkiritharan

May 30, 2019, 1:03:55 PM
to EaaSI Tech Talk
We use full-chain certificates.
They are signed by https://ssl.comodo.com/
More info about the certs is here.

I have disabled the other eaasi instance. However, I still get this error when I navigate to the page with the signed certificate and key.

{
  "data": {
    "status": "2",
    "message": "Internal error: (build 449df048ca2ce5a737bc2ed242a6e803419c0aa6): Connecting to 'https://eaasi-prod.library.cmu.edu:443/softwarearchive/SoftwareArchiveWS?wsdl' failed!"
  },
  "status": 500,
  "config": {
    "method": "GET",
    "transformRequest": [
      null
    ],
    "transformResponse": [
      null
    ],
    "headers": {
      "Accept": "application/json, text/plain, */*"
    },
    "cached": false
  },
  "statusText": ""
}

I have tried:
- X509 Certificate only, Base64 encoded
- X509, Base64 encoded
- X509 Intermediates/root only, Base64 encoded
- X509 Intermediates/root only Reverse, Base64 encoded
- PKCS#7 Base64 encoded

I can get the furthest with "X509 Certificate only, Base64 encoded".
When checking the logs (I have saved the whole log file) I see Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The files appear and are correct within the "{{ host_eaas_home }}/certificates/{{ item.name }}" directory
-rw-rw-r--  1 kiritharan kiritharan 2540 May 30 12:51 server.crt
-rw-rw-r--  1 kiritharan kiritharan 1675 May 30 12:51 server.key
Should there be different permissions for them?

Can you please provide more information as to what are the requirements that must be met by the Java program to accept the certificate? It is possible that we can get a certificate from a third party vendor. 

The best wishes,

Jonathan

jkiritharan

May 30, 2019, 1:51:42 PM
to EaaSI Tech Talk
Disregard this. I got it working.

I was able to get it to load further by researching this guide, going into the docker container on the server, and then updating the cacerts file (/etc/ssl/certs/java/cacerts) with our CMU certificate:

  keytool -importcert -alias local-CA -keystore /etc/ssl/certs/java/cacerts -file /root/public.crt

Perhaps we are an outlier here because our certificates are specific to CMU and the other certificates listed in cacerts should work. Is there any current method in place or planned in the future that would automatically add the provided certificate to the cacerts file? I am not sure of the security risks of this at the moment.


God bless,

Jonathan
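Added example (not part of the thread, and not EaaSI project code): the "PKIX path building failed" error above is what a Java client reports when it cannot chain the server's certificate back to a root in its trust store, which is why Oleg asks for a full-chain certificate. The script below builds a throwaway root, intermediate and server certificate with the openssl CLI and then checks the server certificate against the root twice: once on its own (the situation when eaasi.yaml points at the leaf certificate only) and once with the intermediate supplied alongside it (what a full-chain bundle gives the client). All names (Test Root CA, Test Intermediate, eaas.example) and files are constructed; no real certificates are involved.

```shell
#!/bin/sh
# Constructed demo chain: root -> intermediate -> server leaf.
# Shows why a server must present its intermediate(s), not just the leaf.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Extensions marking the intermediate as a CA (constructed).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# 1. Self-signed root: stands in for a CA that ships in Java's cacerts.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root CA" \
  -keyout root.key -out root.crt >/dev/null 2>&1

# 2. Intermediate CA signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
  -keyout int.key -out int.csr >/dev/null 2>&1
openssl x509 -req -days 2 -in int.csr -CA root.crt -CAkey root.key \
  -CAcreateserial -extfile ca.ext -out int.crt >/dev/null 2>&1

# 3. Server leaf (the "server.crt" of eaasi.yaml) signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=eaas.example" \
  -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -days 2 -in server.csr -CA int.crt -CAkey int.key \
  -CAcreateserial -out server.crt >/dev/null 2>&1

# Leaf alone, trusting only the root: the client has no path to a trust
# anchor. This is the openssl analogue of Java's "unable to find valid
# certification path to requested target".
leaf_only() {
  if openssl verify -CAfile root.crt server.crt >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Full chain: the server hands out leaf + intermediate (leaf first), and the
# client treats the intermediate as untrusted input while trusting the root.
full_chain() {
  cat server.crt int.crt > fullchain.crt   # what belongs in the server's cert slot
  if openssl verify -CAfile root.crt -untrusted int.crt server.crt >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

echo "leaf only:  $(leaf_only)"    # fail
echo "full chain: $(full_chain)"   # ok
```

The two checks map onto the two remedies in this thread. Importing a certificate into /etc/ssl/certs/java/cacerts with keytool, as Jonathan did, adds a new trust anchor on the client side and is appropriate only when the issuing CA really is absent from the JVM's default store; it also has to be repeated whenever the container image is rebuilt. When the certificate comes from a public CA whose roots the JVM already ships (Comodo/Sectigo roots are typically included), the more common cause is that the server is configured with the leaf certificate alone, and the fix is to point eaasi.yaml at a bundle of leaf plus intermediates, which is what the "full-chain" requirement means.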