--
You received this message because you are subscribed to the Google Groups "elife-continuum-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elife-continuum-list+unsub...@googlegroups.com.
To post to this group, send email to elife-continuum-list@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elife-continuum-list/6efca2ad-3b06-4e31-975b-cb51bd7f7dcc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
16:09:13 UTC-0500 | CREATE_FAILED | AWS::CloudFront::Distribution | CloudFrontCDN | The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain. |
Hi there, Lee. Thanks for your time and your patience working through this.> I then attempted to run: ./bldr launch:journal,prod
> That may not be exactly the correct syntax.that syntax is fine. in this case 'launch' is the command and then the comma separated values after the colon are arguments to the command. if you leave them off, it will prompt you to pick a project ('journal' in this case) and then an identifier for the instance of the project you're about to create ('prod' in this case).What you were prompted with next were a set of possible alternative configurations from the default. We have these so more (or less) powerful project instances can be created as necessary. All projects and their alternative configurations can be found in the 'project file' that lives in /path/to/builder/projects/elife.yaml : https://github.com/elifesciences/builder/blob/master/projects/elife.yaml#L222The alternative configuration you picked was 'prod', what we use in our production setup: https://github.com/elifesciences/builder/blob/master/projects/elife.yaml#L285It's attempting to configure a cloudfront instance with some (very) elife-specific values that fronts multiple ec2 instances: https://github.com/elifesciences/builder/blob/master/projects/elife.yaml#L288the 'project file' I linked to above works by taking the default values in the first section of that file (called 'defaults' handily enough) and merging the values in the project section over the top. This means we can have sensible defaults the majority of the time and keep project descriptions brief. In this case, the 'elb' section in the alternative configuration 'prod' for the 'journal' project (still with me?) doesn't mention this value: https://github.com/elifesciences/builder/blob/master/projects/elife.yaml#L96eLife uses a certificate provided by an authority that isn't AWS, which AWS supports, but doesn't really encourage: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.htmlevidenced by the fact that there is no GUI within AWS to handle this. I'm quite certain we haven't tried deploying a cloudfront instance with an AWS provided certificate yet.what I would suggest is to destroy that failed instance you just created and when presented with that 'alternate config' prompt again, choose '1 - skip this step'. It will use the default configuration and not attempt to configure cloudfront or an elasticache of ec2 instances.
--
You received this message because you are subscribed to the Google Groups "elife-continuum-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elife-continuum-list+unsub...@googlegroups.com.
To post to this group, send email to elife-continuum-list@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elife-continuum-list/94fe1d34-80ca-4761-af05-be33684aaf02%40googlegroups.com.
--
You received this message because you are subscribed to the Google Groups "elife-continuum-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elife-continuum-list+unsub...@googlegroups.com.
To post to this group, send email to elife-continuum-list@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elife-continuum-list/db509f93-59c0-4ac5-a56b-bf129613a095%40googlegroups.com.
Thanks Luke and Giorgio for your most helpful responses and feedback! I have skimmed your responses and will digest them further upon posting this reply. In the meantime, I wished to ask a question that I believe I will have even after perusing all of the including links. Namely, it appears as if you are suggesting that:
1. I use continuum.yaml as my baseline, updating with my AWS specific values where appropriate
2. I run ./bldr launch:journal,prod and then select option 1 - skip this step
3. Push my SSL certs to... where exactly? By the way, I am totally familiar with AWS's woeful lack of support for external certs. I had to push some to a client's AWS instance some time back and figure out that, as you indicated, the only way to pull if off is from the AWS CLI. Which leads me to a couple observations/questions/suggestions. But first, let me say that my next actions will be to perform the steps above and then get back with y'all
aws iam upload-server-certificate \ --path '/cloudfront/wildcard.elifesciences.org/' \ --server-certificate-name 'wildcard.elifesciences.org' \ --certificate-body file://your-certificate.crt \ --private-key file://your-private-key.pem \ --certificate-chain file://full-chain.pem
Now, on to my observations/questions/suggestions. First off, have you considered being a bit more cloud neutral? That might enable folks to more easily adapt this process to their cloud platform of choice. For example, create a load balancer VPS directly vs relying on Amazon ELBs. Stay away from services like RDS and Route 53. We actually went through this evolution a couple years back for a very large client. Originally, our deployment formula was very AWS specific. We have gradually moved away from that such that now, it is possible, through a web interface that we have built for this client, to select the Cloud Provisioning Platform, Region, VLAN (our generic term for what AWS refers to as a VPC), and then step through a select configs for each of the instance types - in their case: Load Balancers (we have moved to installing/configuring HAProxy), Web Servers (we are using NGINX presently - originally is was Apache), API Servers (for a proprietary CZMQ API that we helped this client develop), Database Servers (a Galera multi-master cluster). A user is stepped through each of these and at each point can select system size (mem, cpu cores, disk capacity), OS Version (presently Ubuntu 16.04 and CentOS 7), HAProxy version (1.6 or .17), NGINX version... you get the idea. And, at the final step, they are presented with summary screen and a Deploy button at the bottom. When Deploy is hit - our python code gets called with a large payload and starts churning away spinning all required instances. We happen to update a database table with progress info and the UI code just queries that table every so often (30 second intervals, I believe) and updates individual status for each machine as it is spun up, reaches high state, completes post-configuration, etc.. I'd be happy to walk you through a quick demo of that system - it might give you some ideas.
OK. I have an update. I create a wildcard ssl cert, pushed it up to my AWS account (aws iam upload-server-certificate --server-certificate-name elifetest --certificate-body file://Certificate.pem --certificate-chain file://CertificateChain.pem --private-key file://PrivateKey.pem), received a reply with my arn:aws:iam::......... I edited builder/settings.yml to reference continuum.yaml instead of elif.yaml. I then update projects/continuum.yaml to reflect all of the relevant/necessary value to match my specific environment, then ran: ./bldr launch:journal,prod
At this point, I no longer had six choices, but only 2. Either: 1. Skip this stop or 2. Baseline.
I was feeling lucky. I went with two -- and things ALMOST worked! Its tough to know exactly what failed since so much console output flew by that I do not know if I can capture what the issue was. I will include the last couple hundred lines at the end of this post. I did verify that a CloudFormation stack was successfully created along with two EC2 instances: journal--prod--1 and journal--prod--2 - each in different subnets. Nice. An ELB also got created. However, neither web server instance seemed to be listining on ports 80 or 443. So, I ssh'd into the first one, verified that nginx was indeed up and running, and then started looking around in /etc/nginx. The first odd thing I noticed is that /etc/nginx/sites-enabled was completely empty. No symlinks. I then looked in /etc/nginx/sites-available and found a default and an unencrypted-redirect.conf. Hmmm... that second file certainly is of your making, but it essentially looks like it just redirect port 80 traffic to port 443. Still no trace of anything that would be responding to incoming requests and pointing them to whatever your web root is.
I did some looking around and found that the web code seems to all be installed - in /srv/journal. The handy-dandy README.md includes a link to:
https://symfony.com/doc/current/setup/web_server_configuration.html
which describes, among other things, a proper nginx config file. So.... something like that must exist somewhere.... but I cannot seem to find it!
Meanwhile, for what its worth - here is a list of every default value that I changed in builder/projects/continuum.yaml:
defaults:
# domain: thedailybugle.org
#intdomain: thedailybugle.internal
#private-repo: ssh://g...@github.com/elife-anonymous-user/builder-private
#account_id: 531849302986
#vpc-id: vpc-c23159a5
#subnet-id: subnet-6b6c6e41
#subnet-cidr: '172.31.48.0/20'
#redundant-subnet-id: subnet-dffe0c96
#redundant-subnet-cidr: '172.31.0.0/20'
#- subnet-6b6c6e41
#- subnet-dffe0c96
#certificate: arn:aws:iam::531849302986:server-certificate/wildcard.thedailybugle.org
console log output:
[54.145.205.41] out: ----------
[54.145.205.41] out: ID: journal-nginx-redirect-existing-paths
[54.145.205.41] out: Function: file.managed
[54.145.205.41] out: Name: /etc/nginx/traits.d/redirect-existing-paths.conf
[54.145.205.41] out: Result: False
[54.145.205.41] out: Comment: One or more requisite failed: elife.nginx.nginx-config
[54.145.205.41] out: Changes:
[54.145.205.41] out: ----------
[54.145.205.41] out: ID: journal-nginx-robots
[54.145.205.41] out: Function: file.managed
[54.145.205.41] out: Name: /etc/nginx/traits.d/robots.conf
[54.145.205.41] out: Result: False
[54.145.205.41] out: Comment: One or more requisite failed: elife.nginx.nginx-config
[54.145.205.41] out: Changes:
[54.145.205.41] out: ----------
[54.145.205.41] out: ID: journal-nginx-vhost
[54.145.205.41] out: Function: file.managed
[54.145.205.41] out: Name: /etc/nginx/sites-available/journal.conf
[54.145.205.41] out: Result: False
[54.145.205.41] out: Comment: One or more requisite failed: journal.journal-nginx-redirect-existing-paths, journal.journal-nginx-robots, elife.nginx.nginx-config
[54.145.205.41] out: Changes:
[54.145.205.41] out: ----------
Quick clarification. I had modified each of the values in continuum.yaml to match our specific configuration, including the web domain.
yet I was told to launch something called journal, which doesn't seem to be in this list.
So, here's what I'd REALLY like to know. Could someone perhaps tell me precisely which build steps I need to take in what order to construct a 'complete' publishing environment? I am quite happy to proceed... it just seems like I am missing parts. For example, what error messages I do seem to be able to generate with the web code that gets deployed in a 'journal' build seem to indicate that it expects some sort of 'api' to be present -- yet I was not instructed to build an API server. Also, should there be a database somewhere? It seems when I originally attempted to build an elife web server, a database node was indeed deployed. I do not see the same thing with my journal build...
WIP Deploying a(n) api-gateway instance
WIP Deploying a lax instance
WIP Deploying a(n) elife-bot instance
WIP Deploying a(n) elife-dashboard instance
are not yet available. Also, I do not see a line item for elife-article-scheduler. Will that be part of the elife-dashboard howto?
Given that my client wishes to have the components listed above installed and configured, what is your recommendation for the 'how to' recipe to achieve this today?