emulab.pem expired

46 views
Skip to first unread message

Pieter Becue

unread,
Aug 5, 2021, 9:15:06 AM8/5/21
to emulab-admins
Hi all,

We now have an expired emulab.pem certificate. So we failed at "ideally you want to do this before the certificate expires..." :-)

I followed the steps in your previous email (see below), and am now at the point of "initcerts"

[root@boss /usr/testbed/etc]# /usr/testbed/sbin/protogeni/initcerts -r -k
Sending your public certificate to the Clearing House.
Please be patient!
curl: (22) The requested URL returned error: 406
*** initcerts:
    Could not register CA certificate at www.emulab.net

=> so I guess you have to remove the testbed first ? It's the iminds (or imec) Wilab2 testbed. (not vwall1 or vwall2 ! ;-) )

Or maybe I did something else wrong?

Thanks!
Pieter
ps: we didn't update the testbed yet, because we are running a very old version, on an old Freebsd. We plan to upgrade our servers soon and will do a full reinstall at that point.


The instructions we received the previous time when our genicm.pem was expired:

You probably want to update your testbed first. Then follow these instructions. (the location of your source and obj may differ since these instructions are for a genirack.)

These are instructions for regenerating the certificates. You
typically want to do this before the old certs expire. :-)

First off, find an object tree. On a Geni rack, the best place
is ~elabman/emulab-devel/obj.

Typically, you want to reuse the old keys so that existing certs are still
valid. But if you have let the CA expire, well then it does not matter, all
existing certs are invalid. But anyway:

    boss> sudo testbed-control shutdown
    boss> cd ssl
    boss> sudo gmake recover-keys
    boss> gmake remote-site
    boss> sudo gmake remote-site-boss-install
    boss> sudo scp /usr/testbed/etc/emulab.pem ops:/usr/testbed/etc
    boss> sudo scp /usr/testbed/etc/ctrlnode.pem ops:/usr/testbed/etc
    boss> sudo scp /usr/testbed/etc/emulab.pem ops:/etc/emulab/
    boss> sudo scp /usr/testbed/etc/ctrlnode.pem ops:/etc/emulab/client.pem

If you do NOT have a real web certificate (issued by a real authority) on
boss, you need to install a new apache certificate.

    boss> sudo gmake apache-install

You need to update the MFSs so that they have the new certificates.

    boss> sudo localize_mfs /tftpboot/freebsd
    boss> sudo localize_mfs /tftpboot/frisbee

If you have PROTOGENI defined in the defs file, you need to regen those
certificates too. First tell Utah since we have to remove you from the
current bundle before you can send in a new one. Then:

    boss> sudo rm /usr/testbed/etc/.protogeni_federated
    boss> sudo rm /usr/testbed/etc/.federated
    boss> sudo /usr/testbed/sbin/protogeni/initcerts -r -k

Now you can restart apache and the testbed:

    boss> sudo /usr/local/etc/rc.d/apache22 stop
    boss> sudo /usr/local/etc/rc.d/apache22 start
    boss> sudo testbed-control boot
    boss> sudo reregister
    boss> register_resources -f -r

And then tell Utah that your part is done, so we can add the new cert back
into bundle. Once we respond:

    boss> sudo /usr/testbed/sbin/protogeni/getcacerts

And you should be good to go!

Leigh Stoller

unread,
Aug 5, 2021, 9:23:54 AM8/5/21
to emulab...@googlegroups.com
at 6:15 AM, Pieter Becue <pbe...@intec.ugent.be> wrote:

> We now have an expired emulab.pem certificate. So we failed at "ideally you want to do this before the certificate expires..." :-)

Hi, I have removed your old certs … try again please.

Leigh
ps: We have an emulab-admins slack channel if you do Slack.

Pieter Becue

unread,
Aug 5, 2021, 9:53:08 AM8/5/21
to emulab-admins
Thanks for the fast reply, it worked!

However, probably due to an old emulab version, we don't have these commands on our BOSS

    boss> sudo reregister
    boss> register_resources -f -r

Any chance we can work around that ? 

Thanks,
Pieter

Leigh Stoller

unread,
Aug 5, 2021, 1:22:59 PM8/5/21
to emulab...@googlegroups.com
at 6:53 AM, Pieter Becue <pbe...@intec.ugent.be> wrote:

> Thanks for the fast reply, it worked!
>
> However, probably due to an old emulab version, we don't have these commands on our BOSS

These commands are in /usr/testbed/sbin/protogeni, which is unlikely
to be on root’s path.

Leigh

Pieter Becue

unread,
Aug 6, 2021, 1:41:45 AM8/6/21
to emulab-admins
Sorry, rookie mistake :-)
Thanks, I found the commands, unfortunately something else is failing now...

$ sudo /usr/testbed/sbin/protogeni/reregister

xml response: 500 Can't connect to www.emulab.net:12369
Content-Type: text/plain
Client-Date: Fri, 06 Aug 2021 05:37:14 GMT
Client-Warning: Internal response

Can't connect to www.emulab.net:12369

LWP::Protocol::https::Socket: SSL connect attempt failed because of handshake problems error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate at /usr/local/lib/perl5/site_perl/5.12.4/LWP/Protocol/http.pm line 51.

GeniRegistry::ClearingHouse->GetCredential: code:10 (RPC Error), value:500, output:Can't connect to www.emulab.net:12369
*** reregister:
    Could not create clearinghouse credential
Reply all
Reply to author
Forward
0 new messages