updating from http to https

15 views
Skip to first unread message

rstanonik

unread,
Apr 3, 2019, 6:20:34 PM4/3/19
to EaaSI Tech Talk
As a first pass I installed with almost no changes to the configs.

Now I'd like to enable https.

I see where to copy the ssl key and full cert and how to change the eaasi.yaml.

Will "./scripts/update.sh ui" push those to the target machine?

Also, will the docker image on the target machine restart if the machine is rebooted?
The "restart policy" seems empty.

Thanks,

Ron

Oleg SW-Dev

unread,
Apr 3, 2019, 6:46:19 PM4/3/19
to rstanonik, EaaSI Tech Talk
Hi Ron,

to enable SSL simply edit eaasi.yaml accordingly and run deploy.sh again. Running 'update.sh ui' will do the same, but additionally download and install pre-built UI package again.

The EaaS docker-container is managed by systemd, specifically the eaas.service unit. So after a reboot everything should be up and usable again.

Best,
Oleg


--
You received this message because you are subscribed to the Google Groups "EaaSI Tech Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to eaasi-tech-ta...@googlegroups.com.
To post to this group, send email to eaasi-t...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/eaasi-tech-talk/52f32367-ef59-4679-af66-33d79adfd72e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

jkiritharan

unread,
May 21, 2019, 2:40:36 PM5/21/19
to EaaSI Tech Talk
Hello,

I tried a first pass at this at a server that is hosted on our library network.
Changed the eaasi.yaml file to be as so:
  port: 443
  ssl
:
   enabled
: true
   certificate
: "./artifacts/ssl/jonkiriansible_library_cmu_edu_cert.cer"
   private_key
: "./artifacts/ssl/jonkiriansible.library.cmu.edu.key"

with the appropriate files in the artifacts/ssl/ folder.

The deployment seemed to go okay but when I navigated to the server at jonkiriansible.library.cmu.edu I see this error message
{
 
"data": {
   
"status": "2",
   
"message": "Internal error: (build 449df048ca2ce5a737bc2ed242a6e803419c0aa6): Connecting to 'https://jonkiriansible.library.cmu.edu:443/softwarearchive/SoftwareArchiveWS?wsdl' failed!"
 
},
 
"status": 500,
 
"config": {
   
"method": "GET",
   
"transformRequest": [
     
null
   
],
   
"transformResponse": [
     
null
   
],
   
"url": "https://jonkiriansible.library.cmu.edu:443/emil/EmilSoftwareData/getSoftwarePackageDescriptions",
   
"headers": {
     
"Accept": "application/json, text/plain, */*"
   
},
   
"cached": false
 
},
 
"statusText": ""
}

And in the log is a lot of this:
Health checking for 'https://jonkiriansible.library.cmu.edu:443/emucomp/health' failed!
: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
and
Caused by: javax.wsdl.WSDLException: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://jonkiriansible.library.cmu.edu:443/softwarearchive/SoftwareArchiveWS?wsdl'.: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


So I'm thinking the type of SSL we created is not being accepted? Did I put in the path incorrectly?
I used X509 Base64 encoded.
This is a partial screenshot of other available certificates I can get from our computing services here:

Screenshot from 2019-05-21 14-34-33.png


Or perhaps it is because I am trying to put up another server at CMU while we already have one @ http://eaasi-prod.library.cmu.edu -- I did this just to play around and see if I could get it running.
If it's the latter, when we reset our instance again I can put the certificates on the prod server we currently are running.

Let me know if you need more information or if anything was unclear.

Thanks,

Jonathan




On Wednesday, April 3, 2019 at 6:46:19 PM UTC-4, Oleg wrote:
Hi Ron,

to enable SSL simply edit eaasi.yaml accordingly and run deploy.sh again. Running 'update.sh ui' will do the same, but additionally download and install pre-built UI package again.

The EaaS docker-container is managed by systemd, specifically the eaas.service unit. So after a reboot everything should be up and usable again.

Best,
Oleg


rstanonik <rsta...@ucsd.edu> schrieb am Do., 4. Apr. 2019, 00:20:
As a first pass I installed with almost no changes to the configs.

Now I'd like to enable https.

I see where to copy the ssl key and full cert and how to change the eaasi.yaml.

Will "./scripts/update.sh ui" push those to the target machine?

Also, will the docker image on the target machine restart if the machine is rebooted?
The "restart policy" seems empty.

Thanks,

Ron

--
You received this message because you are subscribed to the Google Groups "EaaSI Tech Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to eaasi-t...@googlegroups.com.

Oleg

unread,
May 23, 2019, 11:51:24 AM5/23/19
to jkiritharan, EaaSI Tech Talk
Hi Jonathan,

the problem seems to be with your certificate not trusted by our Java
application server running inside the Docker container. Please keep in
mind, that we don't support self-signed certificates. It is also
required, that you use a full-chain certificate to make SSL working
correctly.

Best,
Oleg

jkiritharan

unread,
May 30, 2019, 1:03:55 PM5/30/19
to EaaSI Tech Talk
We use full-chain certificates.
They are signed by https://ssl.comodo.com/
More info about the certs are here 

I have disabled the other eaasi instance. However, I still get this error when I navigate to the page with the signed certificate and key.

{
 
"data": {
   
"status": "2",
   
"message": "Internal error: (build 449df048ca2ce5a737bc2ed242a6e803419c0aa6): Connecting to 'https://eaasi-prod.library.cmu.edu:443/softwarearchive/SoftwareArchiveWS?wsdl' failed!"

 
},
 
"status": 500,
 
"config": {
   
"method": "GET",
   
"transformRequest": [
     
null
   
],
   
"transformResponse": [
     
null
   
],

   
"headers": {
     
"Accept": "application/json, text/plain, */*"
   
},
   
"cached": false
 
},
 
"statusText": ""
}

I have tried 
X509 Certificate only, Base64 encoded
X509, Base64 encoded
X509 Intermediates/root only, Base64 encoded
X509 Intermediates/root only Reverse, Base64 encoded
and
PKCS#7 Base64 encoded

I can get the furthest with X509 Certificate only, Base64 encoded
When checking the logs (I have saved the whole log file) I see Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The files appear and are correct within the "{{ host_eaas_home }}/certificates/{{ item.name }}" directory
-rw-rw-r--  1 kiritharan kiritharan 2540 May 30 12:51 server.crt
-rw-rw-r--  1 kiritharan kiritharan 1675 May 30 12:51 server.key
Should there be different permissions for them?

Can you please provide more information as to what are the requirements that must be met by the Java program to accept the certificate? It is possible that we can get a certificate from a third party vendor. 

The best wishes,

Jonathan

jkiritharan

unread,
May 30, 2019, 1:51:42 PM5/30/19
to EaaSI Tech Talk
Disregard this. I got it working. 

I was able to get it to load further by researching this guide
going in to the docker container on the server 
and then updating the cacerts file (/etc/ssl/certs/java/cacerts) with our cmu certificate
 keytool -importcert -alias local-CA -keystore /etc/ssl/certs/java/cacerts -file /root/public.crt

Perhaps we are an outlier here because our certificates are specific to CMU and the other certificates listed in cacerts should work. Is there any current method in place or planned in the future that would automatically add the provided certificate to the cacerts file? I am not sure of the security risks of this at the moment.


God bless,

Jonathan
Reply all
Reply to author
Forward
0 new messages