Mathieu: i was restarting the image with the GCE console restart instance button. I was seeing it overwriting the cert files on restart that way, but i will see if i can reproduce that and get back to you.
Brad: if i look at the cert details in chrome on my mac, i see 1 intermediate authority between my cert and the root. None of the views i can see in Keychain access or in chrome (which i believe is using the same data) show any sha-256 signatures, just sha-1 and md5. I can't see the values that camtool shows me for any of those.

I am also surprised that I need to do anything with trusted certs - that is why i made the letsencrypt cert, after all. :/

-jason

On Sun, May 22, 2016 at 12:24 PM Mathieu Lonjaret <[email protected]> wrote:

> On 22 May 2016 at 17:30, Brad Fitzpatrick <[email protected]> wrote:
> > Did you include the intermediate certs?
> >
> > You shouldn't need to configure the "trustedCerts" at all.
> >
> >
> > On Sun, May 22, 2016 at 7:56 AM, jason gessner <[email protected]> wrote:
> >>
> >> hello!
> >>
> >> I am playing around with the excellent camlistore.org/launch image. I
> >> have things up and running and managed to get a letsencrypt cert for it. I
> >> put that in the /config/ bucket and restarted camlistore and things look
> >> good in chrome.
> >>
> >> If i try to add my server to a local camlistore build's client-config.json
> >> and then connect, though, I get:
> >>
> >> ./bin/camtool -verbose search "loc:paris"
> >> Error: Get https://camlistore-test.multiply.org: x509: certificate signed by unknown authority
> >>
> >> If i grab the first 10 digits of the sha256 sig from the cert from
> >> chrome's dev tools (or from the output of openssl x509 -in ~/gce/tls.crt
> >> -text -noout, after "Signature Algorithm: sha256WithRSAEncryption") i am not
> >> able to use that in trustedCerts.
> >>
> >> I was able to use the signature value that the camtool error gave me in
> >> trustedCerts and that made things work, but i'm confused. I can't find the
> >> signature value camtool claims it gets anywhere, but my openssl tool
> >> knowledge isn't great.
> >>
> >> - Is a let's encrypt cert not trusted from the go/camlistore perspective
> >> somehow?
> >> - What is the right way to get the proper value from a cert for the
> >> trustedCerts field?
> >>
> >> One more thing:
> >> - why does restarting the camlistore server via the /status/ url properly
> >> pick up the cert, but restarting the VM overwrites the cert?
>
> If it actually does the latter, I think it's a bug. How are you
> restarting the VM? And are you saying that the cert stored in the
> corresponding Cloud bucket gets overwritten?
>
> >> You received this message because you are subscribed to the Google Groups
> >> "Camlistore" group.
> >> To unsubscribe from this group and stop receiving emails from it, send an
> >> email to [email protected].
> >> For more options, visit https://groups.google.com/d/optout.
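
The value that `openssl x509 -text` prints after "Signature Algorithm" is the issuer's signature over the certificate, which is a different value from a SHA-256 fingerprint computed over the whole DER-encoded certificate. The following Go example is added here and is not from the thread or the Camlistore code base; it computes both for a constructed self-signed certificate. The helper names are hypothetical, and whether trustedCerts takes a prefix of such a fingerprint is an assumption the thread does not confirm.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// constructedPEM: throwaway self-signed cert standing in for tls.crt (constructed sample).
func constructedPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// certValues (hypothetical helper) returns, as hex, the SHA-256 fingerprint of the
// whole DER certificate and the issuer's signature field that openssl -text prints.
func certValues(pemBytes []byte) (fingerprint, signature string, err error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", "", fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", "", err
	}
	sum := sha256.Sum256(cert.Raw) // hash covers tbsCertificate, algorithm and signature
	return hex.EncodeToString(sum[:]), hex.EncodeToString(cert.Signature), nil
}

func main() {
	p, _ := constructedPEM() // a failure here surfaces as an error from certValues
	fp, sig, err := certValues(p)
	fmt.Printf("fingerprint: %s\nsignature:   %s\nerr: %v\n", fp, sig, err)
}
```

For a certificate file on disk, `openssl x509 -in tls.crt -noout -fingerprint -sha256` prints the same digest in uppercase with colon separators.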
